What businesses should consider before implementing monitoring

This article was first published in People Management on 29th April 2024.

In light of two recent ICO enforcement cases, Anita Bapat, Nadia Ahmed, Grace Tang and Chenelle Olaiya explain the host of legal factors to take into account when tracking employees.

The recent enforcement action in February 2024 given to Serco highlights the dangers of implementing employee monitoring unlawfully. In Serco’s case, the use of facial recognition technology and fingerprint scanning for monitoring attendance of more than 2,000 employees was found to be done in breach of data protection laws (notably as less intrusive tools could have been used for the same purpose).

When an employer carries out any form of monitoring, it will almost certainly be processing employee personal data, so the monitoring must comply with data protection law, namely the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Businesses must have a clearly defined purpose for monitoring employees and must rely on a lawful basis such as contract performance, legal obligations or legitimate business interests. Monitoring staff may inadvertently collect special category data (eg, biometric data from attendance fingerprint scans), which is subject to extra protection under the GDPR and requires additional justification. Consent is unlikely to be a workable basis here because of the power imbalance in the employer-employee relationship, so employers will need to undertake additional compliance steps.

The monitoring must also comply with the data protection principles, which include:

  • To demonstrate accountability, a data protection impact assessment should be undertaken to identify and mitigate the risks involved, given that the monitoring is likely to result in a high risk to employees.
  • To be transparent, employers must make sure employees are aware of the nature, extent and reasons for monitoring, explained in a way they would understand.
  • To limit the use of the monitoring data to a particular purpose, that data should not be used for any other purpose; eg, data collected for attendance monitoring shouldn’t be used for diversity statistics.

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has produced guidance on employee monitoring. Some key points for employers conducting monitoring include:

  • Consult employees before implementing monitoring and use the least intrusive method.
  • Employees working from home have a higher expectation of privacy.
  • Automated decision making is a warning area, where human oversight is especially important.
  • Covert monitoring is only justifiable in exceptional circumstances.

Companies should also carry out due diligence on any third-party service provider used to conduct employee monitoring on their behalf and assess the provider’s compliance with the UK GDPR. This includes making sure the contract with the service provider contains the required data protection clauses, such as confidentiality, mechanisms for dealing with sub-processors and appropriate technical and organisational measures.

Organisations should be cautious when transferring employee personal data outside the UK. Such transfers are restricted under the UK GDPR unless the employer safeguards the personal data with a mechanism such as an adequacy decision, the UK international data transfer agreement or standard contractual clauses.

Recent enforcement action makes clear that breaches of data protection law in collecting and processing employee personal data can be penalised just as severely as breaches involving customer data. As well as the Serco decision, in 2022 the ICO fined Interserve £4.4m for failing to secure personal data, leading to a cyber attack that affected the personal data of up to 113,000 Interserve employees.

As technology makes more powerful employee monitoring tools available in the workplace, for purposes such as productivity, security and compliance, the use of such tools must be undertaken with care. The privacy impact on employees and compliance with data protection law should be considered at the outset. With proper planning and compliance steps, the benefits of such tools can be fully recognised.
