UK Information Commissioner Publishes New Staff Monitoring Guidance
Towards the end of last year, the ICO finally published its guidance document on monitoring workers under UK GDPR.
The guidance was long awaited, as the GDPR originally came into force in May 2018, but until last year the ICO had not actually published any substantive guidance document on how to ensure that monitoring of workers (e.g. CCTV and monitoring staff email/internet usage) was compliant with data protection law after the Data Protection Act 1998. Rather, for the first half-decade of the GDPR’s existence, employers still had to use the ICO’s old ‘Employment Practices Code’ from November 2011 and do their best to estimate how the ICO would interpret it under UK GDPR and the Data Protection Act 2018. This was not ideal, and therefore the belated introduction of the ICO’s new guidance is welcome overall.
Thankfully, in many respects the new guidance is consistent with the older Employment Practices Code, and many of the differences are updates to the related terminology. For example, (i) monitoring must still be proportionate having regard to the purpose and the related intrusion into workers’ private lives, (ii) workers must generally be told in advance that monitoring may occur and the reasons why (albeit in a more GDPR-transparent way than before), and (iii) covert monitoring is generally a ‘no go’ except in extremely limited circumstances (i.e. where there are reasonable grounds for suspecting criminal activity or equivalent malpractice and detecting it would be prejudiced by notifying individuals of the monitoring).
A more notable update, however, is the ICO’s stated position on having a valid lawful basis for processing special category data when using CCTV and monitoring staff emails. Under the old guidance, it was effectively only necessary to have a valid legal basis for processing such sensitive personal data if the monitoring would actually involve the collection of such sensitive data. As such, historically many employers have justified the use of CCTV and email monitoring simply on the basis that it is necessary for their legitimate interests in site security and in ensuring compliance with IT policies and procedures, without also citing a separate lawful basis for processing special category data.
Under the new guidance, however, the ICO specifically states its view that any email monitoring is “likely to capture special category data” and that a separate lawful basis for processing such sensitive data must therefore be identified in order to conduct email monitoring. The ICO also notes that it is possible that CCTV will “accidentally capture special category data”. As such, based on the ICO’s guidance, it will be necessary to identify a valid lawful basis under Article 9 for processing special category data for such monitoring. This is likely to be easier for CCTV than for staff email monitoring, assuming that the principal reason for staff email monitoring is compliance with internal procedures. It would therefore be sensible for all providers to review their email monitoring arrangements to identify whether any additional steps can be taken to ensure that it is “not likely” that special category data will be captured as part of their email monitoring.