ICO draft guidance on workplace monitoring | Allen & Overy LLP – JDSupra
As part of its topic-specific guidance on employment practices and data protection, the ICO has released its draft guidance for monitoring employees at work for consultation. This blog sets out our initial thoughts on the guidance.
At a glance
The previous version of the guidance was first published over a decade ago when the technology and working practices of today were non-existent. Helpfully for employers, the draft has been updated to include the monitoring of remote and home workers and new technologies such as biometric data.
The overall approach is much the same, bringing colour to principles with examples. As with most employment laws and practices, fairness is a key data protection concept. For employees, this means that nothing should come as a surprise. It is closely linked to transparency, where the “how” and “why” of processing are crystal clear.
There are a few points of difference, which may mean that employers will want to rethink or refresh their data protection policies, including:
In recognition of the universal trend to use technologies to enhance HR processes, the ICO has incorporated a section on biometric data (fingerprints, face and voice recognition). In a workplace context, this might be used, for example, for processes such as monitoring access to buildings or restricted areas – an issue which has taken on greater significance with hybrid working and the need to know who is working where. If going down this route, the ICO warns that the processing of biometrics requires careful consideration. Challenges include:
The requirement to provide an alternative may be problematic in this context. For example, it could mean that an employer who introduces biometric access to laptops and other devices, to enhance security, would still be required to offer an alternative. Simply offering an alternative of a strong password may well defeat the purposes of introducing biometric access (i.e. to offer stronger protection against the risk of compromised passwords), so other solutions would need to be considered (e.g. multi-factor authentication).
Discuss with relevant stakeholders whether there are any recent working practices, e.g. in relation to hybrid working or monitoring the presence of workers in the workplace, that need to be incorporated into data protection policies and communicated to workers.
Consider whether to respond to the consultation, particularly in respect of those areas of your business which you feel are not clearly or adequately covered. If you would like to submit responses, you can do so by completing the survey for the draft guidance and/or the survey for the draft impact scoping document. Alternatively, you can download the survey for the draft guidance and/or the survey for the draft impact scoping document and email them to firstname.lastname@example.org. The consultation remains open until 11 January 2023 for comments.