The ICO has offered practical advice for employers on navigating modern workplace practices; the guidance was drafted after the ICO consultation which sought feedback from relevant stakeholders from a period between August and October 2021.
Understanding of the guidance will help provide greater regulatory certainly and protect workers’ data protection rights, as well as helping employers to build trust with workers, customers and service users with access to business data and IT systems.
Groups that partook in the ICO consultation included: employers; professional associations; employee representatives, recruitment agencies; workers, volunteers, employees and tech solution providers.
It is for every employer to ensure employees’ data rights are respected and a culture of surveillance does not creep into standard monitoring of technology. The related laws on data privacy – GDPR and the DPA 2018 – do not prevent an employer from digitally monitoring workers as there may be a variety of legitimate reasons why this is necessary to conduct quality and quantity checks, supervise safety and uphold rules over how employees use the internet.
Any monitoring in the workplace must be undertaken in a way which is compliant with data protection legislation.
With workplace environments increasingly being remote, more workers and public users than ever before have had unsupervised physical access to critical IT infrastructure, company data and systems. They may be tracked electronically to monitor what time they begin working, check inboxes, or be hyper-sensitive to what access to data they have.
The borderline between anti-privacy practices can become blurred and as Emily Keaney, Deputy Commissioner of Regulatory Policy, at the ICO commented, “nobody wants to feel like their privacy is at risk, especially in their own home”.
The necessity only to collect important personal and monitoring data is advised in the report which should be retained for a certain purpose or otherwise destroyed. Having a clear purpose for data should be married with obtaining it through less intrusive means and allowing information collected about employees readily available through subject access requests.
Highly personal and sensitive data, akin to special category data – for example, pertaining to race, ethnicity, sexual or gender orientation, disability or trade union membership – is required by law and instructed by the ICO to be identified as a special category processing condition.
In monitoring processes that omit human due diligence on the way data is handled, instead opting for automated processes, Article 22 of the UK General Data Protection Regulation (GDPR) is reminded to organisations that prevents automated or machine-learning decision-making if contrary to the law or posing “significant risks on people’s lives”.
There is a boom of modern technologies and surveillance software in today’s market created by vendors, which the report says has led to 1 in 5 workers feeling they are subject to invasive digital monitoring at work.
While technology can transform functions and capabilities of businesses, performance, and create better jobs and higher levels of productivity, the downside is the compromise on transparency, abusing people’s privacy right and trust.
Lastly, in August 2023, a Parliamentary Select Committee agreed with the ICO and said workplace surveillance should only be accepted with the consent and knowledge of those workers being monitored and more common surveillance and connected technologies should be investigated. To determine the scale of automated data capture systems deployed in workplaces and what solutions vendors are elevating to the marketplace, change is needed.