Monitoring employees is often necessary to maintain a safe working environment, but in recent years the extent of monitoring, and the technologies available for it, have allowed employers to monitor beyond what is strictly necessary for safety purposes.

Employers also have interests in measuring productivity, maintaining security of their systems and checking occupancy levels of offices compared to remote working – and the solutions available to employers to monitor employees for these purposes are increasingly sophisticated.

Many workplace monitoring activities will involve processing of personal data, so while employers may in some circumstances be compelled to conduct a certain level of workplace monitoring, they need to be aware of their data protection obligations when doing so.

Tip 1 – Identify your monitoring activities

The first step to making sure any workplace monitoring is compliant with data protection laws is to identify all of your monitoring activities. This may include traditional surveillance systems such as CCTV networks, but it will also include dashcam and vehicle telematics systems on company vehicles, entry/exit monitoring systems (including biometric systems) and IT monitoring systems, which may cover when workers are online or offline, keystroke monitoring and access controls.

Where an employer has occupational health obligations to ensure that workers undertaking any work which poses a health and safety risk are kept safe, health monitoring activities should also be taken into account, as should regular monitoring of disclosure or DBS checks for fraud prevention purposes.

Tip 2 – Lawful basis for processing

Processing of personal data must be lawful, which means that it must have a lawful basis under Article 6 of the UK GDPR.  In addition, if monitoring involves the processing of special category personal data or criminal conviction data, then employers must consider their lawful basis under Articles 9 and 10 of the UK GDPR as well (see Tip 4 for further details).

While some processing of personal data for monitoring purposes will be necessary to comply with legal obligations (for example, to maintain a safe working environment), other monitoring will be conducted for the interests of the employer (for example, to measure productivity or investigate grievances).  In these circumstances, the employer will likely need to rely on the legitimate interests processing ground under Article 6 of the UK GDPR as their lawful basis for processing personal data.

It will only be in rare circumstances that employers will need to obtain consent to monitoring, but this may be appropriate for certain health checks.  Employers will need to assess whether or not they can obtain valid consent in the circumstances, bearing in mind that consents to processing of personal data must be freely given and easy to withdraw, which may not always be appropriate in the context of an employment relationship.

Tip 3 – Legitimate interests assessments

In order to rely on legitimate interests as a lawful basis for processing personal data, employers should document a legitimate interest assessment, covering three tests:

  • the purpose test – identifying the interests in carrying out the monitoring and the purpose that will be achieved from the monitoring;
  • the necessity test – evaluating how necessary it is to process personal data to achieve the interests identified in the purpose test; and
  • the balancing test – considering how the monitoring might impact on the rights and freedoms of employees and how this balances compared to the employer’s interests to conduct the monitoring and the need for the monitoring to involve the processing of personal data.

Tip 4 – Special category and criminal conviction data

Special category personal data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, as well as genetic data, biometric data (where used for identification purposes), health data and data concerning a person’s sex life. This and criminal conviction data (including information concerning allegations of offences) are afforded extra protection under data protection laws, which means that they can only be processed lawfully in limited circumstances.

There is scope for employee and workplace monitoring to involve processing of special category personal data (for example, monitoring of equal opportunities, or health monitoring).  Where this is the case, employers will not be able to rely on legitimate interests as their lawful basis for processing, and must instead assess whether monitoring is necessary to comply with other statutory or regulatory obligations, or whether it is possible in the circumstances to obtain valid consent.

Tip 5 – Data protection impact assessments

Workplace monitoring often triggers the requirement to conduct a mandatory data protection impact assessment (or “DPIA”). DPIAs are necessary where employers are using technologies in a manner which may be high risk to employees, and in particular are mandatory where employers are conducting any profiling or automated decision-making, processing special category personal data on a large scale, or systematically monitoring a publicly accessible area on a large scale (including operation of surveillance systems).

Even when a DPIA is not strictly mandatory, employers may wish to still conduct a DPIA before carrying out a new monitoring activity, as this can be a useful process for identifying data protection risks and addressing them upfront, instead of having to backtrack after issues come to light.

Tip 6 – Be transparent!

Often, one of the main risks that comes to light when conducting a DPIA for workplace monitoring is a potential lack of transparency. In limited circumstances it may be necessary for monitoring to take place covertly (i.e., without the employee being aware of the monitoring). In most other circumstances, however, employers should be open and transparent with employees about the monitoring that is taking place.

Employers should check that their employee privacy notices include information about workplace monitoring, and should consider implementing additional signage for CCTV, dashcam and telematics systems.

Tip 7 – Retention periods

Monitoring activities can result in gathering of large volumes of personal data, which employers should only retain for “as long as necessary”.  Where monitoring is based on legitimate interests, it is worth considering the point at which those interests are achieved and the data can therefore be deleted.

Many surveillance systems are set up to only retain data for a short period of time (e.g. a CCTV system may hold data for 28 days to 1 month before this is overwritten or deleted). For other monitoring activities, however, employers may need to put appropriate retention periods in place and ensure data is routinely deleted in accordance with those retention periods.

Tip 8 – Security measures

As with any system, it is imperative that systems used for employee and workplace monitoring are subject to appropriate technical and organisational security measures to limit the risk of any loss or unauthorised access to the data gathered from the monitoring activity.

Depending on the circumstances, it may be appropriate to apply encryption to monitoring data, and to ensure that only certain individuals within the organisation who have a need to access monitoring systems are able to do so.

Tip 9 – Managing requests

It is important to remember that personal data gathered from monitoring activities can be subject to data subject rights requests from employees.  This means that employees can exercise their rights to access a copy of this data, or to have this data erased (unless there is a specific need or legal requirement for the data to be retained).

There can be issues in disclosing monitoring data in the context of an access request, particularly if third party personal data is involved, or if technical logs need to be converted into a readable format.  These practicalities should be considered as part of a DPIA to ensure monitoring systems are set up in a manner that can support rights requests.

Tip 10 – AI complications

As it would be remiss not to mention AI, employers will need to remember the additional risk factors that can apply when using monitoring systems which use AI, or where monitoring data is being used to train AI models.

Employers will need to be mindful of specific restrictions which apply when they use automated decision-making processes to make legal or significant decisions about their employees or potential employees. If employers intend to use monitoring data to train AI models, then the impact of this will need to be assessed in a DPIA, and additional transparency steps may need to be taken to explain to employees how their data may be used for AI training purposes.

Employers with operations in the EU will also need to be mindful of the requirements of the EU AI Act, in case their AI systems fall within scope of the prohibited and high-risk classifications under the EU AI Act.

If you require any support with ensuring the data protection compliance of your employee and workplace monitoring systems, please contact Jo McLean.
