
Undoubtedly, the coronavirus pandemic revolutionised working life for a large proportion of the workforce worldwide, with millions of workers being instructed to work from home, almost overnight. In many cases, this situation continued for many months and, in some instances, years. 

The long-term impacts of COVID-19 on the global workforce have been considered in many ways. One particularly significant change, however, has been the increased use of monitoring technologies to observe and keep track of workers, especially remote workers, which was accelerated by the pandemic.

Employee surveillance techniques

Employee surveillance techniques are often seen by employers as useful tools, for example, to help ensure that the productivity levels of workers are maintained.

However, there is evidence that the use of employee monitoring technologies can be counterproductive, resulting in increased levels of resentment, less cooperation, stress, and anxiety among workers, particularly remote workers. In addition, employee monitoring raises several data protection issues that employers should consider carefully.

Employment practices

In the UK, employers wishing to monitor their workers must comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The UK Information Commissioner (ICO) is also in the process of finalising the new “Employment practices: monitoring at work draft guidance” following a recent consultation.

This aims to provide practical guidance for employers regarding the monitoring of workers in line with applicable data protection legislation and to promote good practice.

Monitoring and drafting guidance

There are many different ways of monitoring workers. For example, using software that, variously, enables remote access to employees’ systems, records calls or meetings, or tracks computer activity or keystrokes; using productivity tools; accessing the webcams of employees’ computers or taking screenshots; camera surveillance; hidden audio recording; and device monitoring, to name a few.

The draft guidance considers how UK-based organisations can monitor their workers lawfully and highlights several specific issues. These include the requirement to identify a specific lawful basis for processing any relevant personal data captured during monitoring, and the additional processing conditions that apply to any relevant special categories of personal data or criminal offence data.

Monitoring in accessible ways

The principle of fairness is also highlighted, meaning that employers can only monitor workers in ways that they would reasonably expect and not in ways that result in unjustified adverse effects on them. Transparency is also stressed. 

Employers must inform workers about monitoring in accessible and readily understandable ways and must also tell them about the collection and use of their information in connection with monitoring (other than in very limited situations when covert monitoring can be justified, such as where this is necessary to detect or prevent gross misconduct or crime).

UK GDPR compliance

Employers must be able to demonstrate their compliance with the UK GDPR in the context of worker surveillance to comply with the accountability principle. Data protection impact assessments (DPIAs) in respect of employee monitoring are noted as useful in demonstrating accountability and can involve helpful worker consultations.

These will be compulsory if the proposed monitoring involves any personal data processing likely to result in high risks to the interests of workers and other third parties (such as other household members or customers).

Purpose limitation principle

The purpose limitation principle is also noted. Employers must be clear about the purposes of employee monitoring and must limit those purposes. The purpose for the monitoring can only be changed in very limited circumstances and any new purpose must not be incompatible with the original purpose.

Any relevant policies and procedures should clearly state the nature and purpose of any monitoring and should be drawn to workers’ attention regularly.

Data minimisation principle

The data minimisation principle means that employers should not collect more personal data than is necessary to achieve their stated purposes, despite many monitoring technologies being able to collect large amounts of different information.

Employers should also try to ensure that any monitoring data is not inaccurate or misleading and allow workers to comment on data accuracy, particularly if the data will be used to make adverse decisions about them, such as in the context of performance reviews.

Data protection-related rights

The draft guidance also stresses that monitoring data should not be kept for longer than necessary for the purposes it was collected for and that employers should also implement appropriate technical and organisational security measures to protect personal data collected through monitoring (and ensure that any relevant processors used do the same).

Employees’ data protection-related rights are also discussed. For example, personal data collected through monitoring must be provided to employees if they make a subject access request (subject to any applicable exemptions). Employees can also object to being monitored in certain circumstances.

Third-party service providers' compliance

Employers must ensure that any third-party service providers that they involve in monitoring can comply with the UK GDPR and must enter into appropriate contracts with any data processors. Similarly, employers must ensure that any monitoring tools used comply with applicable data protection requirements.

The draft guidance also observes that if employers make any restricted transfers outside the UK of personal data obtained through employee monitoring, then they must ensure that either adequacy regulations or appropriate safeguards are in place to adequately protect the relevant personal data or ensure that the transfer is covered by an exemption.

Monitoring tools

The use of monitoring tools that use automated processes or “people analytics” for various purposes, such as monitoring absence or managing performance, is also considered.

If monitoring tools make automated decisions that have legal or similarly significant effects on workers or involve profiling, employers must ensure that they comply with rules set out in the UK GDPR, inform workers that their data is being monitored for automated decision-making, and provide them with certain additional information.

Types of monitoring

Helpfully, the draft guidance highlights various specific types of worker monitoring and suggests how to ensure data protection compliance.

Types of monitoring considered include monitoring through commercially available monitoring tools; monitoring of telephone calls, emails, and messages; audio recording; video monitoring (including through cameras that use facial recognition technology and involve the processing of biometric data or which can perform analytics); monitoring of work vehicles and dashcams; monitoring worker information obtained from third party sources (such as social media sites); monitoring of time and attendance information; and monitoring of device activity.

Monitoring technologies

The increased use of monitoring technologies to analyse and predict certain aspects of workers’ behaviour is likely to be here to stay. UK-based employers should take care to ensure that any worker surveillance that they engage in is reasonable and proportionate and takes account of and complies with all applicable data protection requirements.

It will be interesting to review the final version of the ICO’s guidance on monitoring at work once this has been updated to reflect the recent consultation and doubtless this will prove helpful to UK organisations considering workforce monitoring.
