Skip to content

Menu

LexBlog, Inc. logo
CommunitySub-MenuPublishersChannelsProductsSub-MenuBlog ProBlog PlusBlog PremierMicrositeSyndication PortalsAboutContactResourcesSubscribeSupport
Join
Search
Close

UK ICO Issues Draft Guidance on Monitoring at Work

By Gareth Kristensen, Melissa Reid, Hakki Can Yildiz, Ashley Moss & Wei Sheng Lee on October 26, 2022
Email this postTweet this postLike this postShare this post on LinkedIn

The Information Commissioner’s Office (“ICO”) has opened a consultation on new draft guidance on monitoring at work (the “Draft Guidance”).  The Draft Guidance applies in both the private and public sectors in respect of any worker, a term which is used to include employees as well as non-employee workers, independent contractors and volunteers.

The Draft Guidance was published on 12 October 2022. Once finalised, it will provide a welcome update to the ICO’s existing guidance on monitoring, which is contained in part 3 of the Employment Practices Code published in 2011 and has not been updated since the coming into force of the Data Protection Act 2018, the UK’s implementation of the EU General Data Protection Regulation.

The Draft Guidance covers both systematic monitoring as a matter of course, as well as occasional monitoring for a specific need.  It is intended to cover a wide range of monitoring technologies, including those which track internet activity and monitor keystrokes, timekeeping and access control, camera surveillance, webcams and screenshots.

The Draft Guidance helpfully addresses a number of scenarios that are likely to arise in the workplace, including the use of commercially available monitoring tools, the monitoring of emails, messages, telephone calls and device activity, and the use of audio and video recordings.

In most scenarios, the Draft Guidance recommends that employers undertake a data protection impact assessment alongside taking targeted, practical measures to ensure compliance with their data protection obligations. Certain measures highlighted in the Draft Guidance include:

  • employers should put in place an acceptable usage policy for their systems and bring it to workers’ attention regularly;
  • employers must ensure workers understand what data is being processed during monitoring and ensure they remain aware that monitoring is being conducted. Covert monitoring should be reserved for exceptional circumstances, such as where there are grounds for suspecting criminal activity;
  • employers should seek and document the views of workers or their representatives in advance of monitoring, unless there are good reasons for not doing so. Where employers decide not to do so, they should record this decision with a clear explanation;
  • when monitoring phone calls, employers should distinguish between network data and content and access content only in exceptional circumstances;
  • where monitoring employees to prevent data loss or detect malicious traffic on employers’ systems, as good practice, employers should consider:
    • offering unmonitored access for workers, for example, free Wi-Fi, or standalone devices (with confidentiality safeguards) to facilitate some private usage;
    • putting measures in place to minimise interception, which risks disproportionate intrusion (for example, visits to health-related websites); and
    • documenting the monitoring in a policy which explains when and by whom information about suspicious activity can be accessed;
  • where capturing computer or device activity, employers should fully document their justification for carrying out monitoring, including what consideration was given to using less intrusive means;
  • where monitoring workers remotely, employers should keep in mind that workers’ expectations of privacy are likely to be higher at home than in the workplace. The risks of capturing family and private life information are higher, so employers should factor this risk into their planning; and
  • before undertaking any monitoring which uses information from an outside source, employers should make sure that their purpose (for example, suspicion of criminal activity) justifies the potential adverse impact – they should not search external sources for information about a worker without good reason.

The Draft Guidance also takes account of recent developments in technology and changes in workplace practices. For example, it covers sections on monitoring while working remotely and on the use of biometric data.

The Draft Guidance is open for consultation until 11 January 2023 and can be found here.  In the meantime, employers are advised to review their privacy notices, policies and procedures and start to identify where changes may need to be made.

Photo of Gareth Kristensen Gareth Kristensen

Gareth Kristensen’s practice focuses on intellectual property, technology, and data matters in the context of corporate and commercial transactions.

Read more about Gareth KristensenEmail
Hakki Can Yildiz

Hakki Can Yildiz focuses his practice on data protection, cyber security, digital markets regulatory, and technology matters.

Read more about Hakki Can YildizEmail
  • Posted in:
    Privacy & Data Security
  • Blog:
    Cleary Cybersecurity and Privacy Watch
  • Organization:
    Cleary Gottlieb Steen & Hamilton LLP
  • Article: View Original Source
LexBlog, Inc. logo
Facebook LinkedIn Twitter RSS
Real Lawyers
99 Park Row
  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service
  • Products
  • Blog Pro
  • Blog Plus
  • Blog Premier
  • Microsite
  • Syndication Portals
  • LexBlog Community
  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status
  • Resource Center

New to the Network

  • Stoel Rives Environmental Law
  • Troutman Pepper Financial Services
  • The EX-Files
  • Construction & Infrastructure Law Blog
  • Venture Law Blog
Copyright © 2023, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo