The recent enforcement action in February 2024 given to Serco highlights the dangers of implementing employee monitoring unlawfully. In Serco’s case, the use of facial recognition technology and fingerprint scanning for monitoring attendance of more than 2,000 employees was found to be done in breach of data protection laws (notably as less intrusive tools could have been used for the same purpose).
When an employer carries out any form of monitoring, it will almost certainly be processing employee personal data, and the monitoring must comply with data protection law, namely the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Businesses must have a clearly defined purpose for monitoring employees and must rely on a lawful basis such as contract performance, legal obligation or legitimate business interests. Monitoring of staff may inadvertently collect special category data (eg, biometric data from attendance fingerprint scans), which is subject to extra protection under the UK GDPR and requires additional justification. Consent is unlikely to be a workable basis here because of the power imbalance in the employer-employee relationship, so employers will need to undertake additional compliance steps.
The monitoring must also comply with the data protection principles, which include:
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has produced guidance on employee monitoring, and some key points for employers conducting monitoring include:
Companies should also carry out due diligence on any third-party service provider used to conduct employee monitoring on their behalf and assess the provider’s compliance with the UK GDPR. This includes making sure the contract with the service provider contains the required data protection clauses, such as confidentiality, mechanisms for dealing with sub-processors and appropriate technical and organisational measures.
Organisations should be cautious when transferring employee personal data outside of the UK, which is restricted under the UK GDPR unless an employer safeguards the personal data with a mechanism such as an adequacy decision, the UK international data transfer agreement or standard contractual clauses.
Recent enforcement action makes clear that breaches of data protection law in the collection and processing of employee personal data can be penalised just as severely as breaches involving customer data. As well as the Serco decision, in 2022 the ICO fined Interserve £4.4m for failing to secure personal data, leading to a cyber attack that affected the personal data of up to 113,000 Interserve employees.
As technology makes more powerful employee monitoring tools available in the workplace, for purposes such as productivity, security and compliance, the use of such tools must be undertaken with care. The privacy impact on employees and compliance with data protection law should be considered at the outset. With proper planning and compliance steps, the benefits of such tools can be fully realised.