Compliant with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), the document outlines legal requirements relating to employee monitoring as well as actions deemed good practice.
Legal requirements include employers’ duty to make workers aware of the nature, extent and reasons for monitoring, and clearly define the purpose for doing so.
It also outlines the terms on which employers have a lawful basis for processing workers’ data.
Melissa Mathieson, director of regulatory policy projects at the ICO, said the body recognises that appropriate monitoring can benefit organisations, however data protection must be considered in every part of the process.
Speaking to HR magazine, Mathieson said: “Those working in HR should consult our new guidance, as it will help them to understand the law in this area.
“Depending on the nature of the monitoring, HR teams may well play a vital role in helping to ensure that employees get the information and protections they need.
“As well as explaining the legal requirements, the guidance also includes good practice advice to help HR professionals build trust with their workforce and create a positive working environment where privacy is respected.”
ICO research has found almost one in five (19%) employees believe that they have been monitored by an employer.
A majority (70%) of those surveyed by body also said they would find monitoring in the workplace intrusive.
Separate data from the Trades Union Congress (TUC) published in 2022 also found there had been a rise in workplace monitoring since the outbreak of Covid-19.
Natalie Ellis, founder of HR consultancy Rebox HR, said the popularity hybrid working has made conversations about monitoring more common among employers.
Google, for example, announced that it would be monitoring the number of days employees are in the office as part of a bid to bring them back to the office.
Among the clients she works with, Ellis said four-day-week trials, timed projects and productivity concerns have been among the reasons employers were considering it.
“Monitoring is becoming more of a common practice for many businesses, and I can honestly see this increasing over the next few years,” Ellis told HR magazine.
“From an HR perspective, we need to approach this practice thoughtfully, considering both legal requirements and employee perceptions so that data is monitored appropriately and not just targeted at certain employees.”
Ella Bond, senior employment solicitor at Harper James, said clarity and balance are vital to a lawful approach to employee monitoring.
She said: “Workers have a legitimate expectation of privacy, even in the course of carrying out their duties.
“Balancing the need for productivity and quality control with respecting the privacy rights of staff members is a delicate task, but it can be achieved through clear communication, transparency, and a commitment to respecting the rights of workers.”
After reviewing the guidance, Ellis recommended HR leaders regard the following points:
- Transparency: HR should make employees aware of the nature, extent, and most importantly, the reasons for monitoring. We all know that transparency is essential to maintain trust between employees and the business. If the reasons are unclear, this can damage the relationship with employees, so HR need to know and understand why the business is looking to monitor its employees and clearly communicate how the information obtained will be used.
- Purpose and intrusiveness: HR should have a clearly defined purpose for monitoring and use the least intrusive means to achieve it. This ensures that monitoring is necessary and not overly invasive.
- Lawful basis: There must be a lawful basis for processing employee data, such as obtaining consent or fulfilling a legal obligation. Compliance with the data protection.
- Clear communication: HR should communicate information about monitoring in a way that is easy for workers to understand. Clarity in communication helps employees know what to expect and relevant policies should be introduced or updated to reflect any changes as and when they happen.
- Relevance: Only relevant information should be collected through monitoring which should be declared within the employer’s privacy notice document.
- Data protection impact assessment: For monitoring activities likely to result in a high risk to the rights of employees, HR should carry out a Data Protection Impact Assessment (DPIA). This ensures that risks are identified and mitigated.
- Subject access requests (SARs): Workers should be informed that they can make SARs to access personal information collected through monitoring.
The ICO’s full Employment practices and data protection − Monitoring workers document can be found here.