New workplace monitoring guidelines from UK ICO spell out the responsibilities that companies have under data protection law, with the general theme of worker privacy taking precedence over business interests.
Among other things the guidelines specify that workplace monitoring must be disclosed to employees (along with its “clearly defined” purpose), the “least intrusive” method must be used to accomplish the stated purpose, a lawful basis for processing any collected personal data must be cited, and that workers must be able to file a Subject Access Request (SAR) to view any data collected about them. The guidelines also call for a Data Protection Impact Assessment in any case where monitoring may pose a “high risk” to worker rights.
UK ICO guidelines stem from existing legal obligations
Though the UK ICO guidelines are themselves not new regulations, they serve as a reminder of existing legal obligations under data protection law. UK law allows for a variety of monitoring methods in the workplace: keystroke logging, desktop screenshots, and interception of calls and messages are all potentially fair game. However, the UK’s GDPR-aligned data privacy law also puts an assortment of restrictions and requirements on these methods.
The two regulations with terms applicable to workplace monitoring are the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The UK ICO also notes that the Human Rights Act 1998 Article 8 also guarantees the right to respect for a private and family life. Everything begins with declaring a lawful basis for implementing monitoring, of which there are only six: free consent from workers to serve a specific purpose, to uphold lawful contractual terms, to meet an obligation under other UK laws, protection of someone’s life, performance of a lawful task by a public authority, or a legitimate business interest that does not infringe on worker rights.
The “legitimate interest” declaration is the most broad, but also the one under which employers must be careful not to violate other labor and privacy laws. The UK ICO guidelines give the example of a miner being required to wear a tracking device while working deep in a mine, in the interest of safety, as a legitimate claim. The organization suggests that a three-pronged test (purpose, necessity and rights balancing) be applied before this is chosen as a legal basis.
Workplace monitoring is also complicated if “special category” data can reasonably be expected to be captured during its course. These are sensitive demographic categories, such as politics and religion, as well as health or biometric information, information pertaining to sexual activity, or trade union membership. The presence of these information categories does not legally rule out workplace monitoring, but the UK ICO guidance advises that the legal basis chosen for processing must be selected very carefully and compliance with the law must be documented and clear. Information of this nature also can only be kept if it is directly relevant to the declared purpose for monitoring, and must be destroyed as soon as it is no longer needed. Schedule 1 of the DPA 2018 lays out the conditions for processing this type of data.
A a data protection impact assessment (DPIA) is also required in any situation where workplace monitoring is likely to cause high risk to workers, or to other people visiting the workplace. The UK ICO offers a screening checklist to help determine what constitutes “high risk,” but two things that are guaranteed to trigger this requirement are the use of keystroke monitoring software or the collection of biometric information. Having a data protection officer (DPO) is not necessarily required to perform a DPIA, but if one is on staff their advice must be added to the process before final decisions are made.
Workplace monitoring thought to be intrusive by majority of employees, older workers more resistant
The UK ICO guidelines also come packed with the results of a brief survey taken of over 1,000 working adults in the country. 70% said that they would find any workplace monitoring intrusive, with 83% saying that monitoring of personal devices is off the table. There is similarly high resistance to the use of any audio or video recordings or desktop monitoring that takes screenshots or clips webcam video (77-78%). Monitoring of timekeeping and access is considered the least intrusive, with only 47% expressing sentiment against it.
Though the majority of all age groups find any workplace monitoring intrusive, there is something of an age skew in acceptance. 76% of workers over 55 are against all forms of it, compared to 60% of those age 18 to 24. An increase in pay also tracks with an increase in resistance to being monitored.
19% of the public believe they have been monitored at a current or former job, with 25% of those believing that communications were monitored in some way. 57% said that they would be uncomfortable taking a new job if they knew that workplace monitoring was going on, and only 19% said that they were fully comfortable with the idea.