Harrington Law

New ICO guidance - Monitoring Employees

OVERVIEW

On the 3rd of October 2023, the Information Commissioner's Office (ICO) introduced new guidance aimed at employers. The new guidance (known as the "Employment Practices and Data Protection - Monitoring Workers" guidance) discusses the circumstances in which employers can fairly monitor their employees and highlights the various steps and considerations that employers need to adopt in order to ensure that they do not fall foul of the UK GDPR and data protection legislation.

AN INCREASE IN EMPLOYEE MONITORING

The ICO's latest guidance acknowledges that the increase in remote working, together with technological advances, means that employee monitoring is becoming easier and more commonplace. It’s vital that UK-based employers understand whether their proposed monitoring of employees is lawful.

A BALANCING ACT

The new ICO guidance states that employers need to appreciate and understand employee-related privacy rights and expectations before embarking on monitoring activities within the workplace. It further states that employers should avoid the blanket monitoring of employees simply because they have the technological ability to do so.

COMPLIANCE WITH DATA PROTECTION LAWS

The new ICO guidance highlights the key aspects of the UK GDPR and the Data Protection Act 2018 in the context of employee monitoring. It outlines the relevant legal framework but also helpfully provides practical advice and checklists to demonstrate the circumstances in which employee monitoring will and won’t be justified.

ADOPTING AN “EMPLOYEE-CENTRIC” APPROACH

Unsurprisingly, the new ICO guidance emphasises the need for adopting an employee-centric approach. The guidance confirms that employers looking to implement any form of monitoring will need to be able to demonstrate that they have considered, documented and implemented the following steps:

  • Transparency: Employers must make their employees aware of the nature, extent, and reasons behind monitoring.

  • Minimising Intrusiveness: Employers should always look to achieve their monitoring goals via the least intrusive means possible.

  • Legal Basis: Employers need to establish a lawful UK GDPR basis for processing employees' personal data in the context of monitoring.

  • Clear Communication: Any information related to monitoring should be conveyed to employees in an easily understandable manner (this will frequently but not always be achieved via a well-drafted and well-worded Employee Privacy Notice).

  • Relevance: Employers should only retain information that is directly relevant to the specified monitoring purpose.

  • Risk Assessment: For any monitoring activities that carry a significant risk to employees' rights, organisations should first conduct a Data Protection Impact Assessment (DPIA).

Please contact Nathan Combes if you’d like more information about the issues raised in this update and/or to find out more about the data protection related services, documents and support that we’re able to provide.

Disclaimer: the information set out above does not constitute legal advice and it is provided for general information purposes only. No warranty, whether express or implied, is given and neither the author nor Harrington Law shall be liable for any technical, editorial, typographical or other errors or omissions within the information provided.