In October 2022 we launched a public consultation seeking views on draft guidance on monitoring workers, in accordance with data protection legislation.
The consultation ran until 20 January 2023. This document summarises the key themes emerging from the responses.
We received 38 responses to the public consultation. We thank everyone who took the time to comment and share their views.
About the consultation
We received a range of responses from different sized organisations and individuals, all with an interest in the monitoring of workers. The breakdown of respondents was as follows:
|An organisation or person employing workers||14 respondents|
|A representative of a professional, industry or trade association||1 respondent|
|An organisation representing the interests of employees, workers, self-employed (eg charity, employment advocacy organisation)||3 respondents|
|An employment rights professional body or advice service||1 respondent|
|A trade union||1 respondent|
|A person acting in a professional capacity||9 respondents|
|A person acting in a private capacity (eg someone providing their views as a member of the public)||5 respondents|
|An employment rights professional body or advice service||2 respondents|
In general, the responses were positive. Most respondents said the draft guidance was clear and easy to understand, and that it was easy to find information within the guidance.
A number of respondents said it would help them comply with their data protection obligations, and covered a good range of the relevant areas of interest. Respondents also noted that the checklists are a valuable tool.
Just under half the respondents felt the guidance didn’t cover all the relevant issues about monitoring at work. Many suggested a range of additional examples and issues to include within the guidance.
In analysing these responses we identified several key themes. We’ve summarised these themes below, and set out how we responded to this feedback.
The growth in remote working has meant that employers are increasingly keen to secure their systems, and remotely manage their workers. This has increased the monitoring of workers in hybrid working situations.
The guidance sets out what should be considered if employers plan to monitor workers’ devices in hybrid working situations.
Respondents asked for more content on:
- differentiating between monitoring on the employer’s premises and within the home;
- monitoring information outside of working hours;
- the appropriate lawful basis for monitoring home-working staff; and
- the tracking of corporate devices.
Respondents also requested more content on the monitoring of workers who are using their own devices for work purposes. They also asked whether we will update the DPA98 Bring Your Own Device (BYOD) guidance, and if further examples could be provided to this draft guidance regarding BYOD and the latest technologies.
Any organisation must consider their obligations under the UK GDPR when considering using any monitoring technology in the workplace. We have been able to make changes and strengthen the guidance on the basis of the feedback that we have received.
The guidance has specific content on homeworking, and also clarifies that it also applies to monitoring outside work hours – and that the same data protection obligations apply.
It also has specific content on the most appropriate lawful bases for the monitoring of workers. The guidance also covers tracking work vehicles, or vehicles provided to workers by their employer. There is a section dedicated to monitoring device activity, such as monitoring workers’ personal devices that they may use for work.
We have also included checklists at the end of each section.
Privacy and home working
Workers’ expectations of privacy are likely to be higher at home than within the workplace, as the risks of capturing family and private life information are higher.
Respondents requested more detail on balancing employee monitoring with the right to private life, particularly in reference to Article 8 of the European Convention on Human Rights.
They also asked for more practical guidance around the implications of monitoring at home. In particular they asked for more detail on:
- identifying the difference between ‘work’ and ‘personal’ content in communications; and
- how monitoring workers at home could challenge privacy. In particular they questioned whether it made a difference to the impact on privacy if a worker was being monitored at home whilst working, rather than being in a traditional work place.
While there may be some perceived differences between home and office-based working, there should be no differences in how employers approach any personal information that is processed.
The guidance reflects this, and focuses on the principles and other data protection obligations.
The section “Specific data protection considerations for different types of workplace monitoring” has content on the use of commercially available tools (such as various monitoring software).
Workers working from home expect a higher level of privacy when being monitored. One of the risks of monitoring workers at home is the accidental capture of information relating to their private and family life. These issues are addressed by reminding employers of their DPIA (Data Protection Impact Assessment) obligations. We have also included content that deals with the accidental capture of special category information.
The roles and rights of workers: consulting on monitoring
If an employer is planning to introduce monitoring, the guidance recommends that they should consult with their workers first, and involve them in producing a DPIA.
Some respondents requested more detail on:
- a recommended sample size for consulting workers;
- an outline of what level of detail is required in consulting with unions; and
- greater clarity on whether it is a legal requirement to consult workers regarding monitoring plans.
Some suggested that the guidance should emphasise the importance of:
- involving workers (and their representatives) in DPIAs;
- helping workers understand the processes involved in monitoring (particularly in automated decision making); and
- telling workers about the monitoring before it begins.
One respondent stated that the burden of consulting workers may prevent monitoring. They suggested that being transparent and carrying out a DPIA should be sufficient. They also questioned how employers could realistically meet the transparency requirements, and what to do if there were any objections.
A lot of the feedback around consulting workers focused on the interpretation of the phrase ‘consulting’. We intended the guidance on this topic to mean that any monitoring should be discussed with workers, and they should be made aware of what is planned.
We have reworded the guidance to reflect this. The guidance states that in most cases, workers must be made aware of monitoring before it takes place.
We have also emphasised the importance of discussing any planned monitoring with workers before it goes ahead.
The roles and rights of workers: objecting to monitoring
The guidance explains that employers cannot rely on the legitimate interests lawful basis if the monitoring obtains personal information, and uses it in ways that workers will:
- not understand or reasonably expect, or
- be likely to object to (under Article 21 of the UK GDPR), if it was explained to them.
Some respondents felt this didn’t properly reflect the Article 21 right to object. They argued that the guidance should be clearer that an objection under Article 21 should be reasonable and substantiated, and can be refused in certain circumstances.
Respondents also asked for more information on what they should tell workers about their right to complain to the ICO or the courts, if their objections are refused.
We have made some small amendments to clarify this section of the guidance. We have also added links to our more detailed guidance on the right to object.
We also have guidance for the public on the right to object available on our website.
The roles and rights of workers: Worker relationships
Some respondents suggested that the guidance should clarify the relationship between data protection and the duty of confidence owed to workers.
One respondent called for a broader definition of a 'worker'. Some commented that excessive and intrusive monitoring could cause feelings of unfairness and injustice, damaging workers’ wellbeing. They suggested that the guidance should emphasise the role of the UK GDPR in ensuring monitoring is proportionate.
We accept that excessive and intrusive monitoring can have a negative effect on workers. The guidance highlights the role that data protection law plays in worker wellbeing. It also stresses that monitoring should be proportionate, and limited to what is necessary.
The definition of ‘worker’ has been slightly amended to make the definition broader and more robust. This is included in the introduction to the guidance.
Types of monitoring
The guidance differentiates between systematic monitoring (where an employer continually monitors all workers), and occasional monitoring.
Some respondents suggested that the guidance should differentiate between more types of monitoring – including situations where monitoring occurs in a systematic form, but is only accessed occasionally (in relation to certain circumstances).
One respondent asked for more clarity on continuous video monitoring. In particular, they requested more detail on when CCTV could be used for continuous monitoring.
We have included some wording around systematic and occasional monitoring in the introduction section, by way of clarification.
We have added links to existing ICO guidance on the use of dashcams and surveillance equipment in vehicles. We've also added some additional content on the continuous use of CCTV systems.
Repurposing monitoring information
The guidance explains that personal information obtained by monitoring must not be used for a different purpose that is incompatible with the original purpose for obtaining it. For example, repurposing access and exit information for performance management purposes.
One respondent argued that this approach is too restrictive, and doesn’t reflect the UK GDPR’s rules on repurposing (Article 6(4)).
Respondents asked for more content on when and how monitoring information could be used for a new purpose.
Individual respondents also suggested that the guidance should:
- include an example of when the employer changes the purpose for monitoring, in light of new circumstances that they can’t reasonably ignore; and
- describe the employer’s responsibility to review the capabilities of information functions, and consult with workers on any changes to these as they occur.
The guidance is clear that monitoring methods should not be repurposed without prior notice to workers.
The section on determining purposes for monitoring has been expanded to include some basic examples of monitoring purposes and set out clear boundaries of when an employer can change purposes, for example where there is a clear obligation in law to do so.
Following the consultation, the wording has been amended to reflect our ‘Must Should Could’ guidance – which we’ve explained at the beginning of the guidance. This is intended to give greater clarity on what is a legal requirement, and what is good practice.
Inadvertent information collection
The guidance recognises that some forms of monitoring, such as CCTV and monitoring the content of emails, are likely to capture excessive amounts of worker information. This makes it more likely that the employer will capture special category information, which will require a special category (Article 9) condition.
Some respondents challenged this approach. In particular they:
- pointed out that this doesn’t follow other ICO guidance – which takes into account the intent of the controller (when they obtain the information) in considering whether it needs a special category condition;
- questioned how a special category condition could be identified for the processing of inadvertently collected information;
- suggested that identifying a special category condition for potentially capturing special category data would make monitoring unworkable; and
- suggested that a controller should indicate it is not their intent to use such information, and take steps to limit the risk of this.
Respondents called for greater clarity on this topic.
Whilst we understand some of these concerns, we still consider that this is the correct approach to the accidental capture of special category information. Throughout the guidance we stress the themes of necessity and proportionality, balancing the legitimate reasons why monitoring might take place with the rights of individual workers.
In this instance, the guidance stresses that where the nature of the monitoring means it's likely that it will capture special category information, the organisation will need to identify a special category condition.
The guidance explains that employers must carry out a DPIA for any monitoring that is likely to result in a high risk to the rights of workers and other people captured in the monitoring. This will include instances where it's likely to capture special category information.
We have also amended the text to clarify what it is a legal requirement, and what represents good practice.
AI and automated decisions
Respondents asked for more content on the rules on automated decision making – as set out in Article 22 of the UK GDPR. In particular, they asked for:
- additional content on the use of artificial intelligence (AI) in monitoring;
- more detailed definitions of AI and automated processing;
- a clear definition of both the range of “solely automated processing” and the extent to which human interventions should occur;
- more clarity on to what extent AI constitutes non-automated decision making and how profiling relates to such processing;
- greater emphasis that Article 22 relates to decisions that have legal or significant effects – and more clarity on the definition of legal and significant effects;
- clarification about what forms of automated processing could be considered necessary for the performance of a contract; and
- better practical examples relating to the limitations around automated decision making.
We have published detailed guidance on AI and automated decision making. This guidance is more in-depth on the topic and answers some of the questions that were raised in the consultation, including providing definitions of the requested terms. We have added links to this guidance.
The separate AI guidance covers Article 22. However, we have added examples to this guidance to show how it applies in the context of monitoring workers.
Some respondents asked for further guidance around biometric information. Specifically they asked for more content on:
- the use of facial recognition, particularly regarding accuracy and fairness;
- the difference between an underlying biometric image and a biometric template;
- the risks of using biometrics in employee monitoring;
- why biometric information is considered to be highly sensitive; and
- which special category conditions could be relied on (in the employment context) for the use of biometric information.
They also asked for more examples – including one when the use of biometric information in monitoring is justified.
We are currently developing new guidance on biometric data. This should provide greater clarity on these questions on this topic.
The questions around accuracy and fairness are mainly covered by article 22. This is covered in the AI section of the guidance, as well as the separate AI guidance, which we have linked to.
New and emerging technology
Respondents asked for more guidance on the use of emerging technology, or technology where use has become more prominent, such as:
- video calls and video or screen recording;
- tracking of calls and emails;
- location tracking or monitoring; and
- social media monitoring.
Some asked for additional content on the use of emerging technology in recruitment assessment and performance management. It was suggested this could include how information is used to analyse customer sentiment and emotion when engaging with specific workers or the uses of gamified assessment and AI decision making.
The guidance focuses on the data protection principles, and how these should be applied to any technology used to monitor workers. It avoids focusing too much on specific technologies, as this can make it too narrow and date it quickly.
We are currently developing new detailed guidance on recruitment and selection, and will publicly consult on that draft guidance in due course.