The ICO exists to empower you through information.

These checklists provide an overview and quick guide to help you think about what you need to consider whenever you want to monitor your workers. Read the guidance if you want a fuller explanation and understanding of the issues.

These checklists are concerned with your data protection considerations only. They don’t cover other separate legal obligations you may have as an employer, such as health and safety. You will need to obtain separate legal advice for any other such legal obligations.

Please note that these checklists are the same as the checklists at the bottom of each page of this guidance. We have presented them here to allow you to download them together.

Data protection and monitoring workers

☐ We have checked that the monitoring of workers is necessary for the purpose we have identified. We are satisfied there is no other reasonable and less intrusive way to achieve that purpose.

☐ We have considered whether we need to do a DPIA and either completed one or documented the reason we considered one wasn’t required.

☐ When making our DPIA decision, we have considered seeking the views of workers and representatives and either done this or documented our decision not to.

☐ We have identified a lawful basis for monitoring workers.

☐ Where required, we have identified an appropriate special category condition for monitoring workers if we’re likely to capture any special category data as part of our monitoring.

☐ We have documented what personal information we are processing when we monitor workers.

☐ Where required, we have an appropriate policy document in place.

☐ We have included specific information about monitoring workers in our privacy information so that workers are aware of any monitoring taking place. We have made sure that this information is readily accessible to workers.

☐ We have considered whether the risks associated with monitoring workers affect our other obligations around data minimisation, security, and appointing Data Protection Officers (DPOs) and representatives.

☐ We have considered data protection issues as part of the design and implementation of monitoring systems and practices, including where we use external suppliers for monitoring technology, and where we use the functionalities built into communication and collaboration work tools.

☐ Where necessary, we have considered the rules for international transfers.

What do we need to do if we use monitoring tools that use solely automated processes?

☐ If we use the personal information from monitoring workers for automated decision making (including profiling), we have checked that we comply with Article 22.

☐ We offer alternatives to workers who ask for human intervention in decision making.

☐ We do not disadvantage workers who ask for human intervention in decision making, compared to those who are subject to automated decision making.

☐ Where we use automation with human involvement, we ensure the involvement is meaningful.

☐ We carry out regular checks to make sure the systems are working as intended.

Specific data protection considerations for different ways or methods of monitoring workers

☐ We are clear about our purpose and collect no more personal information than we need to achieve it.

☐ We have carried out a DPIA that fully addresses our monitoring of emails and messages. It fully explores any impact on the rights and freedoms of workers and other individuals whose personal information may be captured by the monitoring.

☐ We distinguish between network data and content. We only access content in exceptional circumstances and we notify workers in advance.

☐ We have identified a lawful basis and a special category condition where appropriate.

☐ Where required, we have an Appropriate Policy Document in place.

☐ We have an acceptable usage policy in place, and we regularly bring this to workers’ attention.

☐ We have informed workers of the nature, extent, and justification for any monitoring.

☐ We have a retention policy in place. We regularly bring this to the attention of workers, who know what to do with messages that need to be retained for business reasons.

Can we use biometric data for time and attendance control and monitoring?

☐ We have documented our evidence base for relying on biometric data, including our consideration of why we are not using less intrusive means.

☐ We have identified a lawful basis and a special category condition where necessary.

☐ We have carried out a DPIA.

☐ We have discussed the proposed monitoring with workers during our DPIA.

☐ Where consent is relied on, we have put in place alternative methods for authentication or identification for workers who have not given their consent to the processing of their personal information.

☐ We have made manual reviews available for any workers having issues with access denial due to automatic errors.

☐ We have considered whether further security measures are required when processing biometric data.

☐ We have considered accuracy and fairness. We have mitigated any identified risks.

☐ We have considered the rights of individuals relating to automated decision-making.

☐ We have informed workers about the use of their biometric data for access control.

☐ We have considered workers’ rights to object to the use of biometric data for access control.

☐ We have ensured there are appropriate organisational and technological measures to protect the security of any biometric data we process.