Data Protection Considerations for Monitoring Employees

With increased remote working and use of mobile devices, what do we need to consider when monitoring employees?

Martin Brazier
|
Senior Consultant at URM
|
PUBLISHED on
27 Sep
2024

Ensuring staff are conformant to company policy and compliant with the law is of paramount importance to all organisations.  And, with an increasingly mobile workforce, hybrid and home working becoming the norm and a blinding array of new technology available, many organisations are considering how they can ‘keep an eye’ on their employees.  But, at the same time, organisations need to be vigilant about failing to adhere to data protection regulations and guidelines.

What is the background?

The ICO issued guidance on employee monitoring in October 2023 at a time when an increasing number of people work from home, at least for part of their working week, and the increasing gig economy means that many employees work irregular hours, which needs to be monitored.  The Office of National Statistics (ONS) reported that over the period September 2022 to January 2023, 44% of workers declared hybrid or home working.  A Forbes survey in 2024 suggested that 63% of workers worked from home at least some of the time.  A larger number of staff are also using mobile devices, some as part of ‘bring your own device’ (BYOD) policies.  In some cases, employee monitoring is mandatory, such as in financial trading organisations.

Workers expect some level of monitoring as part of employment.  They understand that their employer wants to be sure they are at work, being productive, working their contracted hours, not abusing their employer’s assets and not committing theft or fraud.  However, as the potential for monitoring becomes ever more sophisticated, concerns have been raised.  The BBC has reported that increased employee monitoring is fuelling employee distrust.  Parliament has reported on the impact of home and hybrid working, including impacts on workers.  And the Trade Union Congress (TUC) has issued guidance for monitoring and offers help for workers who feel unfairly monitored.

What exactly is workplace monitoring?

The ICO defines ‘monitoring employees’ as any form of monitoring of people who carry out work on an organisation’s behalf.  This not only includes direct employees but also any person who performs work for an organisation, regardless of the nature of their contract.  

Over recent years, advances in technology have resulted in more sophisticated ways by which employers can see what their employees are doing – or not doing.  Monitoring can include scrutiny of telephone calls, emails and messages, video and audio surveillance, recording device activity and the tracking of vehicles and dashcam footage.  But this can go further.  Mobile phone apps can be used for workers to clock on and off when on site, but they can only do so if the GPS on their phone confirms they are where they claim to be.  Some services include psychosocial risk detection and management, whereby various psychological and physiological reactions of the monitored employee are measured which are said to be indicative of changes in their perceptions.  This, it is claimed, can help reduce fraud, data loss and bribery, and can alert an employer to employees who are struggling with wellbeing or mental health.

How do we establish whether monitoring is lawful?

The United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA2018) set out the requirements for processing personal data.  The first data protection principle of the UK GDPR requires that processing must be fair and lawful.  The first step for persons processing personal data is to determine the lawful basis for their processing under Article 6 of UK GDPR.  It is important to get the lawful basis right first time, as there may be difficulties in changing it later.  Often the only potential basis would be ‘legitimate interests’, and in that case an employer should carry out a legitimate interest assessment (LIA) to balance their interests with their employees’ interests, rights and freedoms.  To learn more about LIAs and how to conduct them, read our blog on How to Conduct a Legitimate Interest Assessment (LIA).  

If an employer decides to use consent as its lawful basis, this brings in the administration of obtaining and recording consent, and the reaction if an employee decides not to give consent.  The employer / employee relationship is an imbalanced one, and employees shouldn’t be put in a situation where they have no real option but to consent.  A word which crops up frequently in the Article 6 lawful bases is ‘necessary’, so you need to ensure that the data you collect and process is necessary for the purpose you have identified.  If it isn’t, processing it is unlikely to be lawful.

Monitoring workers often includes processing special category data, and in that case an employer would need to identify an additional lawful basis under Article 9.  All biometrics – such as fingerprints, iris scanning, facial recognition and voice recognition - are special category data if used for the purpose of identifying a particular individual and, therefore, require enhanced levels of justification and protection.

An employer should also ensure that monitoring is lawful in a general, not just data protection sense, making sure that it complies with all other relevant legislation – e.g., the Human Rights Act 2000 and the Regulation of Investigatory Powers Acts 2000 and 2016.

How do we establish whether monitoring is fair?

The guidelines to establish fairness are: whether the employees would reasonably expect the monitoring to take place, and that it is not being conducted in ways that cause unjustified adverse effects on them.  It must be proportionate.  This can be context-specific, because some workplaces, industries and professions have different expectations than others.

In some circumstances, you must perform a data protection impact assessment (DPIA) before carrying out monitoring.  Even if a DPIA is not mandatory, it is highly recommended that one is undertaken anyway.  A DPIA will help you consider whether the planned use of monitoring is fair and lawful and provides a methodical approach to assessing risks.  It will also record your thought processes and decisions about whether the monitoring you propose is necessary and proportionate, and measures to mitigate the privacy risks involved, to help demonstrate compliance.

A key question to ask is whether there is a less intrusive means of achieving the purpose and if there are any lines of communication that should be exempt from monitoring, such as communications to trade union representatives or calls to workplace health and wellbeing services.

It is always useful to engage with your workforce to gauge their views before proceeding.

How can we be transparent about what we are doing?

Transparency is about being clear with people about how and why you process their information, and it is fundamentally linked to fairness.  Fairness and trust start with transparency, and performing monitoring covertly (more of which later) or without prior notification is almost always unfair and could negatively impact trust.  Workers have the right to be informed about the collection and use of their information, and the information must be provided in a way that is readily available, accessible and easy to understand.  

It is important to remember that you will need to identify the purpose for monitoring and comply with the purpose limitation principle of the UK GDPR.  If, for example, an employer has given workers an access card to enter their premises for the purposes of security and crime prevention and has included that purpose in the information provided to them, that would be fair.  However, the purpose limitation principle prevents you from then using that information for another purpose, such as determining if somebody was late for work.  To also use the information for monitoring timekeeping, you must say so up front.

Can workers object to monitoring?

In short, yes.  Employees can object to you collecting and processing their personal information from monitoring in certain circumstances.  Specifically, a worker can object where the lawful basis is public task (for the performance of a task carried out in the public interest or for the exercise of official authority vested in the employer) or legitimate interests.  The objection must identify specific reasons why they are objecting to monitoring, and these reasons should be based on the employee’s particular situation.  However, the right to object isn’t an absolute right, and the objection can be refused if it can be demonstrated that compelling legitimate interests for the processing overrides the interests, rights and freedoms of the worker.

Other employee rights would include the right to make a data subject access request (DSAR), where the employer must provide the personal information they hold about them, including any monitoring, unless an exemption applies.  It may be challenging to respond to a DSAR if the monitoring system collects large amounts of information or it is mixed with the personal information of third parties.  This is especially the case if the systems used do not store information in a way that makes personal information readily retrievable.

What if monitoring involves automated decision making?

Tools for monitoring workers have become increasingly sophisticated, with automated processes (sometimes known as people analytics) used for security purposes, managing performance, and monitoring sickness and attendance.  Such systems are used to improve organisational efficiency and policy conformance.  These tools can process large amounts of data in real time, which they use to make predictions, inferences and decisions about employees on both an individual and a collective level.  The UK GDPR has provisions on solely automated decision-making with legal or similarly significant effects, including profiling.

The legislation defines solely automated decision-making as a decision made by automated means without any meaningful human involvement.  It can also involve profiling, where employers use information from a number of sources to make inferences about future behaviour or make personal evaluations of employees.

UK GDPR Article 22 restricts employers from carrying out solely automated decision-making that has legal or ‘similarly significant effects’ on employees, such as something that affects legal rights (e.g., a right to work). Similarly significant effects are more difficult to define, but are likely to include decisions that significantly affect someone’s financial circumstances (e.g., changes to a worker’s pay) or affect a worker’s employment (e.g., dismissal).  It is also unfair to disadvantage workers who ask for human intervention in decision-making.

And, of course, employers must be transparent about automated decision-making and include it in their information to employees up front.

Can we carry out covert monitoring?

Covert monitoring means carrying out monitoring in a way that is designed to ensure workers are unaware of it taking place, and it is unlikely that covert monitoring can be justified in most circumstances.  But there may be exceptional circumstances, such as preventing or detecting suspected criminal activity or gross misconduct.

For transparency, employers should outline in their policies the types of behaviours that are not acceptable and the circumstances in which covert monitoring might occur.  Covert monitoring should only be authorised by senior management, and it is essential to carry out a DPIA first.  There needs to be sufficient grounds for suspecting criminal activity or gross misconduct and that informing workers about the monitoring would prejudice its prevention or detection.

Covert monitoring should be targeted to obtain specific evidence within a set timeframe, limited to the shortest time possible.  Covert audio or video monitoring should not be carried out in areas where workers would reasonably expect privacy, such as toilets or changing rooms, or to capture communications that workers would reasonably expect to be private, such as personal emails or phone calls.

Getting the balance right

If an employer is considering the implementation of workplace monitoring, it is essential to obtain specialist advice to help with data protection compliance, including conducting a DPIA, because it may involve areas of compliance and technologies with which they are not familiar.

As with all personal data processing, monitoring employees must be both necessary and proportionate. However, there is more than data protection compliance at stake.  Monitoring employees can jeopardise the delicate balance of trust between employer and employee.  There are some types of routine monitoring with which employees are perfectly happy, because workers understand their purpose and do not feel that they are intrusive.  But when monitoring is not transparent or when complex and opaque new technology is implemented, the risk is always there that precious trust will be eroded.

There is a view among some data protection commentators that if it is lawful, then it is ethical.  However, perhaps a more prudent approach with employee monitoring should be that just because we can do something, it doesn’t mean we should…

Handy guide to different types of monitoring

Type of monitoring

Guidance

Telephone calls

ICO guidance says that monitoring or recording all calls is not usually proportionate. Business calls can be monitored for evidence of transactions, training or quality control. Privacy policies, employee handbooks and training should all identify that it is taking place. External callers calling in must be informed of any recording and why it is happening.

Emails and messages

This can be considered for protecting intellectual property or for data security, but in either case the purpose should be made clear to employees. ICO guidance says a DPIA is essential because this type of monitoring poses a high risk to employee rights. Having a policy on monitoring workplace communications is crucial, and it should be clear whether employees can use emails for personal purposes and whether the system enables them to mark emails as personal or private.

Video and audio recording

CCTV has been common in organisations for many years, but the quality and possibilities afforded by the technology have improved over time. It is possible to capture special category data through CCTV enabled with facial recognition capability, or, if used in conjunction with AI, to assess productivity or undertake emotional analysis of the people being recorded. Again, a DPIA is essential, especially where facial recognition or AI is involved. If installing CCTV for building security, it is good practice to monitor all entry and exit points of the building, but greater support will be received from employees if you avoid recording them at their desk or at rest, such as in staff restaurants. In other words, confine it to areas where expectations of privacy are low.

Device activity

This could include monitoring web browsing and the use of applications and is likely to capture a large amount of personal data. Software to block certain types of website and to monitor internet usage are now commonplace and most computer-based workers would expect it. It is important to make a distinction between personal and work devices where BYOD policies are in place and not to capture private use of a personal device. In all cases, it should be clear in policies what is and is not acceptable use. Interestingly, the ICO regards keystroke monitoring as behavioural biometric data where a worker is identifiable because of their unique manner and rhythm of typing. Making analytics reports aggregated, and therefore anonymous rather than personal, is a good practical solution which can identify trends without identifying individuals.

Monitoring data loss and malicious traffic

These can include solutions such as firewalls to monitor and prevent external threats, as well as internal monitoring, such as data loss prevention solutions. The least invasive means possible should be selected and it is essential to complete a DPIA. This will help you to assess the risk and identify if less intrusive methods might achieve your purpose. Monitoring network traffic may be high risk, particularly if you carry out analysis of the data to make inferences about individual workers.

Monitoring time and restricting access

Many employers have measures in place to record and restrict access to work premises and equipment, which could include controlling access to buildings or areas of buildings (e.g., server rooms). They may also record who is on site for fire safety purposes or record attendance for payroll purposes. These measures can form an important part of security measures and provide an audit trail. However, they may also pose a risk to employees’ data protection rights and freedoms because of the level of knowledge and control they give employers over workers’ activities and movements. You must be clear about your purpose and provide transparent information.

Monitoring work vehicles

You can monitor the use of work vehicles, but if you allow workers to use the work vehicle for private use, you will rarely be able to justify monitoring during private use. Some employers are obligated to use tachographs, and others use tracking devices to locate a vehicle in the event it is stolen. If this type of data is to be used to discipline a driver for misuse of their work vehicle, the policy and privacy notice should state that purpose. Other systems monitor vehicle attributes, such as location and speed, and driving characteristics such as heavy braking or excessive acceleration, and these are designed to encourage better driving and reduce incidents. Difficulties can arise where more than one person could drive a vehicle, but some tracker systems include a key fob with which the driver logs onto the vehicle so that any subsequent data is correctly attributed. Again, transparency, training and policy are keys to any system’s success.

Dashcams

Dashcams and other cameras can be an efficient way to protect drivers and vehicles and can reduce insurance costs. However, images captured of any identifiable person is personal information and is therefore subject to data protection law and could pose an administrative burden. Dashcams may be intrusive and can impact on the data protection rights and freedoms of employees and other people, especially if you use them in places where people would not reasonably expect their images to be recorded. Outward facing cameras or dashcams can capture recordings of other motorists or pedestrians outside of the vehicle. Inward facing systems can capture the driver and any passengers within a vehicle. Dashcams with audio recording capabilities present even higher risk, and any capability to record audio by default should be switched off, only using it in exceptional circumstances.

How URM can Help

Performing workplace monitoring that balances the needs of your organisation, the maintenance of trust with its employees, and GDPR compliance can be difficult to navigate without assistance and, in many cases, will be almost impossible to achieve without support.  Drawing upon nearly 2 decades of experience helping organisations to comply with DP legislation, URM can offer you a range of GDPR consultancy services to help ensure any workplace monitoring you perform, and your processing practices in general, are fully adherent to the regulatory requirements.  For example, our large team of GDPR consultants can conduct a gap analysis of your existing processing against the requirements of the Regulation, and help you establish and implement a prioritised remediation plan.  For ongoing GDPR consultancy support, our fully flexible virtual data protection officer (DPO) service will enable you to access an entire team of data protection practitioners, each with their own specialist area of expertise.

URM can also support you in completion of more specific compliance activities, such as helping you to produce a record of processing activities (ROPA), and perform data transfer impact assessments (DTIAs) and DPIAs. Meanwhile, if your organisation receives data subject access requests (DSARs), we can help you compliantly respond by providing our GDPR DSAR redaction service.

To enhance your own understanding of the GDPR and UK data protection regime in general, URM regularly delivers a range of data protection-related training courses, all of which are led by an experienced data protection practitioner.  Our courses on conducting DTIAs, DPIAs, and on responding to DSAR requests, will teach you how to perform these key compliance activities, thereby expanding your professional skillset and enabling you to significantly contribute to your organisation’s maintenance of data protection compliance.  To gain an industry-recognised DP qualification, we also regularly deliver a BCS Foundation Certificate in Data Protection (CDP) course, which will fully prepare you to take the BCS invigilated exam.

Martin Brazier
Senior Consultant at URM
Martin is a highly experienced and knowledgeable GRC consultant at URM specialising in data protection. He holds BCS Certificates in Data Protection and Freedom of Information and achieved Certified Information Privacy Professional (Europe) (CIPP/E). He also holds BCS Certificates in Information Security Management Principles, Business Continuity Management and Information Risk Management.
Read more

Does your organisation fully comply with the General Data Protection Regulation (GDPR)?

If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
Thumbnail of the Blog Illustration
Data Protection
Published on
19/1/2024
Analysis of Fines Imposed by the Information Commissioner’s Office in 2023

URM’s blog breaks down the fines issued by the ICO in 2023 for data protection breaches, highlighting emerging trends in their approach to enforcing compliance.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
22/7/2022
Data Protection and Management System Standards – Which is Best for Me?

Is there a catch-all international standard that effectively proves external verification of data protection compliance?

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
25/7/2022
In-house Resource vs Virtual DPO

This blog takes a look at DPOs and considers when to look in-house and when a virtual, external resource or hybrid resource may be a better option.

Read more
We used URM as we had a large amount of information to redact for a Court of Protection case and neither had the time nor the knowledge to be able to complete this appropriately. URM were suggested to us and we made contact. They responded very quickly and were able to explain their role, estimated timescales & costings. During the initial consultation, they were very professional and approachable, and certainly had the skills we required. URM’s consultant provided us with details of the work they had completed before & we felt confident to pursue the work with them. We were on a tight deadline for court and URM were confident that they could provide the services we required in a timely manner. The logistics of sending a large amount of confidential documents were easy to navigate and straightforward. We were unable to very accurately gauge how much work was required, however URM’s Team supported us with this and maintained regular contact regarding their progress and addressed any concerns they had. When we needed to contact them, they were prompt with their responses. The work did take longer that envisaged, however that was due to the amount of work that we, as clients, were unable to accurately identify would be required. We did, however, meet the deadline for court. I would certainly use the services of URM again & if possible would work with same team. The services are not cheap, however redacting sensitive information is a skilled task and, therefore, having a professional complete this work is priceless.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.