ICO Guidance on Employee Monitoring: a consultation | Allen & Overy LLP – JDSupra
As part of its topic-specific guidance on employment practices and data protection, the ICO has released its draft guidance for monitoring employees at work for consultation. It will remain open until 11 January 2023 for comments.
At a glance
The previous version of the guidance was first published over a decade ago when the technology and working practices of today were non-existent. Helpfully for employers, the draft has been updated to include the monitoring of remote and home workers and new technologies such as biometric data.
The overall approach is much the same, bringing colour to principles with examples. As with most employment laws and practices, fairness is a key data protection concept. For employees, this means that nothing should come as a surprise. It is closely linked to transparency, where the “how” and “why” of processing are crystal clear.
There are a few points of difference, which may mean that employers will want to rethink or refresh their data protection policies, including:
The draft guidance
The ICO’s draft guidance covers the monitoring of employees at work and the related data protection considerations under the UK General Data Protection Regulation and the Data Protection Act 2018. With this draft guidance, the ICO states that it aims to:
The draft guidance is aimed at any public or private organisation that has employees, workers (including gig workers), contractors or volunteers, who are all referred to as “workers”.
What does the ICO mean by “monitoring at work”?
The ICO acknowledges “monitoring at work” to be a broad term which includes the use of the following:
Potential rationales for this monitoring include:
The draft guidance summarises the position under UK law on monitoring at work as follows:
In recognition of the universal trend to use technologies to enhance HR processes, the ICO has incorporated a section on biometric data (fingerprints, face and voice recognition). In a workplace context, this might be used, for example, for processes such as monitoring access to buildings or restricted areas – an issue which has taken on greater significance with hybrid working and the need to know who is working where. If going down this route, the ICO warns that the processing of biometrics requires careful consideration. Challenges include:
The requirement to provide an alternative may be problematic in this context. For example, it could mean that an employer who introduces biometric access to laptops and other devices, to enhance security, would still be required to offer an alternative. Simply offering an alternative of a strong password may well defeat the purposes of introducing biometric access (i.e. to offer stronger protection against the risk of compromised passwords), so other solutions would need to be considered (e.g. multi-factor authentication).