Who's watching you? Data protection issues regarding monitoring of workers

February 6, 2023

Undoubtedly, the coronavirus pandemic revolutionised working life for a large proportion of the workforce worldwide, with millions of workers being instructed to work from home, almost overnight.  In many cases this situation continued for many months and, in some instances, years.  

The long-term impacts of COVID-19 on the global workforce have been considerable in many ways.  One particularly significant change, however, has been the increased use of monitoring technologies to observe and keep track of workers, especially remote workers, which was accelerated by the pandemic. 

Employee surveillance techniques are often seen by employers as useful tools, for example, to help ensure that the productivity levels of workers are maintained. However, there is evidence that use of employee monitoring technologies can, in fact, be counterproductive, resulting in increased levels of resentment, less cooperation, stress and anxiety amongst workers, particularly remote workers.  In addition, employee monitoring raises a number of data protection issues that employers should consider carefully. 

In the UK, employers wishing to monitor their workers must comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.  The UK Information Commissioner (ICO) is also in the process of finalising the new “Employment practices: monitoring at work draft guidance” following a recent consultation.  This aims to provide practical guidance for employers regarding the monitoring of workers in accordance with applicable data protection legislation and to promote good practice. 

There are many different ways of monitoring workers.  Examples include using software which, variously, enables remote access to employees’ systems, records calls or meetings, or tracks computer activity or keystrokes; using productivity tools; accessing the webcams of employees’ computers or taking screenshots; camera surveillance; hidden audio recording; and device monitoring, to name a few.

The draft guidance considers how UK-based organisations can monitor their workers lawfully and highlights a number of specific issues.  These include, for example, the requirement to identify a specific lawful basis for processing any relevant personal data captured during monitoring and additional processing conditions in respect of any relevant special categories of personal data or criminal offence data. 

The principle of fairness is also highlighted, meaning that employers can only monitor workers in ways that they would reasonably expect and not in ways that result in unjustified adverse effects on them.  Transparency is also stressed.  Employers must inform workers about monitoring in accessible and readily understandable ways and must also tell them about the collection and use of their information in connection with monitoring (other than in very limited situations when covert monitoring can be justified, such as where this is necessary to detect or prevent gross misconduct or crime).

Employers must be able to demonstrate their compliance with the UK GDPR in the context of worker surveillance to comply with the accountability principle.  Data protection impact assessments (DPIAs) in respect of employee monitoring are noted as useful in demonstrating accountability and can involve helpful worker consultations.  These will be compulsory if the proposed monitoring involves any personal data processing likely to result in high risks to the interests of workers and other third parties (such as other household members or customers).

The purpose limitation principle is also noted.  Employers must be clear about the purposes of employee monitoring and must limit those purposes.  The purpose for the monitoring can only be changed in very limited circumstances and any new purpose must not be incompatible with the original purpose.  Any relevant policies and procedures should clearly state the nature and purpose of any monitoring and should be drawn to workers’ attention regularly.

The data minimisation principle means that employers should not collect more personal data than is necessary to achieve their stated purposes, despite many monitoring technologies being able to collect large amounts of different information.  Employers should also try to ensure that any monitoring data is not inaccurate or misleading and allow workers to comment on data accuracy, particularly if the data will be used to make adverse decisions about them, such as in the context of performance reviews. 

The draft guidance also stresses that monitoring data should not be kept for longer than necessary for the purposes it was collected for and that employers should also implement appropriate technical and organisational security measures to protect personal data collected through monitoring (and ensure that any relevant processors used do the same). 

Employees’ data protection-related rights are also discussed.  For example, personal data collected through monitoring must be provided to employees if they make a subject access request (subject to any applicable exemptions).  Employees can also object to being monitored in certain circumstances.

Employers must ensure that any third-party service providers that they involve in monitoring are able to comply with the UK GDPR and must enter into appropriate contracts with any data processors.  Similarly, employers must ensure that any monitoring tools used comply with applicable data protection requirements.

The draft guidance also observes that if employers make any restricted transfers outside the UK of personal data obtained through employee monitoring, then they must ensure that either adequacy regulations or appropriate safeguards are in place to adequately protect the relevant personal data or ensure that the transfer is covered by an exemption.

The use of monitoring tools which use automated processes or “people analytics” for various purposes, such as monitoring absence or managing performance, is also considered.  If monitoring tools make automated decisions that have legal or similarly significant effects for workers, or involve profiling, employers must ensure that they comply with rules set out in the UK GDPR, inform workers that their personal data is being monitored for the purposes of automated decision-making and provide them with certain additional information.

Helpfully, the draft guidance highlights various specific types of worker monitoring and suggests how to ensure data protection compliance.  Types of monitoring considered include: monitoring through commercially available monitoring tools; monitoring of telephone calls, emails and messages; audio recording; video monitoring (including through cameras which use facial recognition technology and involve the processing of biometric data or which can perform analytics); monitoring of work vehicles and dashcams; monitoring worker information obtained from third party sources (such as social media sites); monitoring of time and attendance information; and monitoring of device activity. 

The increased use of monitoring technologies to analyse and predict certain aspects of workers’ behaviour is likely to be here to stay.  UK-based employers should take care to ensure that any worker surveillance that they engage in is reasonable and proportionate and takes account of and complies with all applicable data protection requirements.  It will be interesting to review the final version of the ICO’s guidance on monitoring at work once this has been updated to reflect the recent consultation and doubtless this will prove helpful to UK organisations considering workforce monitoring.