Thu 12 Oct 2023

New ICO guidance on monitoring workers

The move to remote and hybrid working has prompted the Information Commissioner’s Office (ICO) to release new guidance, Employment practices and data protection − Monitoring workers.

The scope of the guidance covers:

  • workers defined as anyone who works for an employer, including gig workers;
  • any form of monitoring by an employer or on their behalf; and
  • monitoring within or out with work hours.

While employee monitoring is not new, the increased availability of technology has led to increased unease and privacy concerns. As well as the likes of monitoring e-mails, monitoring can include the use of webcam footage, audio recordings, the taking of screenshots and tracking calls, messages and keystrokes. The guidance applies to all types of technology, including to any advancements or new technology.

Monitoring employees is not prohibited but employers should be mindful of their obligations under the UK GDPR and the Data Protection Act when considering and implementing monitoring of employees. The guidance confirms that any data gathered during monitoring would need to be disclosed during a subject access request (SAR), unless an exemption applies (please refer to our previous article on SARs).

Following the guidance, employers conducting monitoring should ensure:

  • they have a legitimate purpose for the monitoring;
  • monitoring and data gathering is limited to the legitimate purpose; and
  • the means to achieve the monitoring is the least intrusive method.

Workers should also be made aware of the nature, extent and reasons for monitoring in a manner that is easy to understand. Monitoring that presents a high risk to workers’ rights requires a data protection impact assessment (DPIA), and special category conditions must apply for monitoring of special category data.

Covert monitoring is possible in some cases e.g. suspicion of criminal activity. However, there are stricter requirements in place. This type of monitoring will require sign-off by a senior manager or equivalent following a data protection impact assessment, and any monitoring and data gathering should be limited, including by the data type and time-frame. Workers should also be informed, through relevant policies, of the types of behaviour which will not be tolerated and the circumstances in which covert monitoring may occur. 

The ICO has provided helpful checklists for employers to use, which are available here.

How can we help?

Should you require any assistance with issues associated with the monitoring of workers, please contact a member of our Data Protection and Cyber Security team.

This article was co-written by Helen McBrierty, Trainee Solicitor.

Make an Enquiry

From our offices we serve the whole of Scotland, as well as clients around the world with interests in Scotland. Please complete the form below, and a member of our team will be in touch shortly.

Morton Fraser MacRoberts LLP will use the information you provide to contact you about your inquiry. The information is confidential. For more information on our privacy practices please see our Privacy Notice