Earlier this month, the Information Commissioner’s Office (“ICO”) released new guidance for employers on how to comply with data protection legislation when monitoring workers, including remote workers.
The overarching principle is that employers are able to monitor workers under the UK GDPR and the Data Protection Act 2018. However, the monitoring must be done in compliance with data protection requirements and must be done fairly. Employers must be clear about the reasons why such monitoring is to take place and undertake any monitoring in the least intrusive way possible.
‘Monitoring’ covers a variety of matters such as monitoring for health and safety purposes, monitoring in a workplace or remote working, and monitoring during work hours or outside of work hours.
The guidance also provides some helpful explanations relating to the following monitoring categories:
In order to monitor workers, employers must identify one of the six lawful options for doing so. There can be more than one option for undertaking monitoring of a worker, but there must be at least one option before proceeding with any monitoring of workers. The six lawful bases for monitoring workers are described below.
This is the most flexible basis and may apply in several scenarios. In order to rely on the ‘legitimate interests’ basis, an employer should carry out a legitimate interests assessment. If an employer considers that the monitoring it wishes to undertake would not be reasonably expected by its workers, then the ‘legitimate interests’ basis may not be the most suitable basis to cite as a reason for the desired monitoring of workers.
This basis requires a worker to give consent, freely and unambiguously, to the employer, for their personal data to be processed for a specific purpose. Employers must think about whether the worker has had a genuine choice in providing their consent, in order for the desired monitoring to be undertaken.
This is where monitoring is necessary to be able to perform a task in the public interest or for the employer’s official functions. This would be of most relevance to public authorities.
An employer would rely on this basis if the monitoring must be undertaken to comply with the relevant law. An employer must be able to cite the specific legal provision that would allow them to use the ‘legal obligation’ basis.
This basis is for emergencies and is much more limited in its scope. Employers would use this for matters of life and death, in order to protect a worker’s life.
This basis should be relied upon where an employer must perform some monitoring of a worker because it is necessary for its side of a contract. This basis may prove to be less suitable than other bases for monitoring, as there may be less intrusive ways to justify monitoring workers than it being necessary for an employer to fulfil its side of a contract.
If an employer is going to use special category data such as sexual orientation or political opinions in order to perform its monitoring, there are additional conditions that must be met. These include obtaining explicit consent from a worker and complying with employment law, amongst other conditions.
For further information on lawful monitoring in the workplace, read the ICO guidelines here.