The move to remote and hybrid working has prompted the Information Commissioner's Office (ICO) to release new guidance on 'Employment practices and data protection – Monitoring workers'.

The move to remote and hybrid working has prompted the Information Commissioner's Office (ICO) to release new guidance, Employment practices and data protection − Monitoring workers.

The scope of the guidance covers:

  • workers defined as anyone who works for an employer, including gig workers;
  • any form of monitoring by an employer or on their behalf; and
  • monitoring within or out with work hours.

While employee monitoring is not new, the increased availability of technology has led to increased unease and privacy concerns. As well as the likes of monitoring e-mails, monitoring can include the use of webcam footage, audio recordings, the taking of screenshots and tracking calls, messages and keystrokes. The guidance applies to all types of technology, including to any advancements or new technology.

Monitoring employees is not prohibited but employers should be mindful of their obligations under the UK GDPR and the Data Protection Act when considering and implementing monitoring of employees. The guidance confirms that any data gathered during monitoring would need to be disclosed during a subject access request (SAR), unless an exemption applies (please refer to our previous article on SARs).

Following the guidance, employers conducting monitoring should ensure:

  • they have a legitimate purpose for the monitoring;
  • monitoring and data gathering is limited to the legitimate purpose; and
  • the means to achieve the monitoring is the least intrusive method.

Workers should also be made aware of the nature, extent and reasons for monitoring in a manner that is easy to understand. Monitoring that presents a high risk to workers' rights requires a data protection impact assessment (DPIA), and special category conditions must apply for monitoring of special category data.

Covert monitoring is possible in some cases e.g. suspicion of criminal activity. However, there are stricter requirements in place. This type of monitoring will require sign-off by a senior manager or equivalent following a data protection impact assessment, and any monitoring and data gathering should be limited, including by the data type and time-frame. Workers should also be informed, through relevant policies, of the types of behaviour which will not be tolerated and the circumstances in which covert monitoring may occur.

The ICO has provided helpful checklists for employers to use, which are available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.