by Sarah Pearce and Olivia Lee
On October 3, 2023, the UK Information Commissioner’s Office (“ICO”) published new Guidance on lawful monitoring in the workplace, designed to help employers comply with their obligations under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”).
The Guidance aims to provide greater regulatory certainty, protect workers’ data protection rights, and help employers build trust with workers, customers and service users. The Guidance addresses monitoring that takes place both on and off premises and within and outside of work hours. Notably, the Guidance addresses remote workers, and highlights that those working from home likely have a higher expectation of privacy.
The Guidance emphasizes that employers must comply with the data protection principles of the UK GDPR, regardless of the monitoring technology being used, and select the least intrusive means to achieve the purposes of their monitoring. The Guidance also highlights that if workplace monitoring results in the processing of special category data, even if incidentally, employers must identify a permitted purpose for which the data is processed, as set forth in Article 9 of the UK GDPR.
The Guidance encourages employers to monitor workers in ways they reasonably would expect, and to avoid monitoring that could create unjustified adverse effects for workers. The ICO also recommends that employers complete data protection impact assessments (“DPIAs”) with respect to workplace monitoring activities, even when not specifically required under the UK GDPR. The ICO warns against “function creep” with respect to monitoring technologies, emphasizing that employers should not collect more information than is necessary through the use of employee monitoring.
The Guidance further advises employers to seek the views of workers or their representatives when considering the use of monitoring technologies, and involve workers during the early planning stages. The Guidance indicates that covert monitoring (i.e., where employees are unaware of the monitoring taking place) is unlikely to be justifiable in normal circumstances, and generally will only be appropriate in cases of criminal activity, gross misconduct or similar circumstances.
Read the full Guidance here.
Sarah Pearce is a Partner and Olivia Lee is an Associate at Hunton Andrews Kurth LLP. This post was originally published on the firm’s blog.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).