The UK’s Information Commissioner’s Office (ICO) recently released guidance on the data protection implications of monitoring workers. The guidance largely mirrors the EU approach, but it adds useful detail on two points: monitoring of remote workers and monitoring of worker communications. The key takeaways, and where the ICO’s position is similar to or differs from existing EU guidance, follow:
Similar: Consent is usually not an appropriate lawful basis. The UK guidance, like existing EU guidance from the EDPB and the Article 29 Working Party, reiterates that workers have inherently less power than their employers, so consent is unlikely to be freely given and is therefore unlikely to be a valid lawful basis for monitoring. This is consistent with prior UK and EU guidance stating that employees may be considered vulnerable data subjects. In practice, employers should expect to rely on another lawful basis (typically legitimate interests or a legal obligation) and to document that reliance.
Different: Monitoring workers in their homes is higher risk. The ICO guidance states that workers have a higher expectation of privacy at home than in the office, so monitoring employees who work from home carries higher risk, in particular the inadvertent collection of information about family members and the worker’s private life (for example, through webcam, screen or keystroke capture on a device used in a shared household). EU guidance does not address remote work in the same way; it focuses instead on personal use of devices or applications and on disproportionate processing. The ICO’s remote-worker analysis is nonetheless a sensible factor to weigh when assessing monitoring in the EU as well.
Similar: Sensitive data requires a special category condition (i.e., an exception), in addition to a lawful basis. Even if a company’s planned monitoring only incidentally collects special category data (e.g., racial or ethnic origin, sexual orientation, health, religion, and trade union membership, among others), it must satisfy an exception (which the ICO calls a “special category condition”) before processing. This extra requirement applies in both the UK and the EU (GDPR Art. 9(2)). Examples of situations where a condition may be satisfied include meeting obligations under employment law, ensuring worker health or safety, assessing an employee’s working capacity, and establishing or defending against legal claims by workers. In a workplace monitoring context, this is particularly relevant when monitoring worker communications (as discussed below), because they may incidentally include special category information such as union membership or health information.
Different: Email and message monitoring poses particular risk. The ICO guidance addresses the monitoring of workplace email and message content in depth. Although past EU (Article 29 Working Party) guidance described communications monitoring as traditionally the main threat to employee privacy, subsequent regulator guidance and GDPR enforcement decisions have given less attention to the risk inherent in monitoring particular communication channels. Neither the UK GDPR nor the EU GDPR treats email or message content as special category data in itself. The ICO guidance nonetheless notes that email and message monitoring poses “a high risk to workers’ data protection rights and freedoms and is likely to capture special category data.” Therefore, according to the ICO, even if an employer does not intend to collect special category data, where the nature of the monitoring makes such collection likely (e.g., a worker might email their healthcare provider or trade union representative), the employer must identify a special category condition before processing.
Similar: A DPIA is needed for high-risk processing. Because of the high risk involved in monitoring workers’ email and message content, the ICO states that a data protection impact assessment (DPIA) must be completed before monitoring begins. This is consistent with past EU (Article 29 Working Party) guidance that monitoring of employee activity, including internet activity, requires a DPIA. As part of the DPIA, companies should consider mitigations and less privacy-invasive alternatives, such as monitoring network traffic metadata rather than the content of emails. The ICO guidance provides that a DPIA is also required for other high-risk examples such as video or audio monitoring and facial recognition. A DPIA is also likely required for device activity monitoring, such as data loss prevention (DLP) solutions; where a DLP tool inspects message or file content rather than only metadata, the same special category analysis described above applies.
Similar: Avoid solely automated decision-making. Both the ICO guidance and existing EU guidance address the protection of data subjects from solely automated decisions that produce legal or similarly significant effects. The ICO guidance addresses the increasing use of tools that automate performance management and attendance monitoring. Where an automated decision has a significant effect on a worker (such as a pay increase or dismissal based on performance), the employer must provide meaningful information about the logic the system used to reach the decision, including in response to an access request, and must give the worker a right to human intervention. One way to avoid triggering the general prohibition on solely automated decision-making with significant effects under the UK GDPR and the EU GDPR is to build human involvement into the process from the outset. Like EU guidance, the ICO states that such involvement must be meaningful and carried out by someone with the authority and competence to change the decision. Both the current and prior guidance describe weighing and interpreting the recommendation (e.g., a review of the outcome that considers all available information and additional factors), rather than merely rubber-stamping the automated output.
While the ICO’s guidance applies only to workplace monitoring within the ICO’s jurisdiction, it is instructive for monitoring outside the UK, particularly in the areas where the UK and EU approaches align, and existing EU guidance is likewise instructive for workplace monitoring in the UK.