Employer monitoring of hybrid or home workers - what is acceptable?

Nearly three years after many office-based workers first went home to work as part of the Covid-19 response, employers and employees have learnt a great deal about effective hybrid or home working.

However, pandemic lockdowns undoubtedly resulted in some concerning employee monitoring practices, largely perpetuated by the growing market of monitoring software (where demand is up 58% for the period March 2020 to September 2022 compared to 2019).

The trade union Prospect – which represents 150,000 workers in science, engineering, technology and other specialist roles – ran a survey in October 2021 which concluded:

  • 32% of home workers were being electronically monitored – up from 24% in April 2021. That rate was highest – at 48% – among people aged 18-to-34.
  • The proportion of people being monitored at home by camera had more than doubled – from 5% to 13% – since April 2021.
  • Some practices reported included:
    o ‘Live’ viewing (and screenshots) of employee desktops
    o Webcams watching employees at their home desks (Prospect have called for this to be made illegal, except during calls and meetings)
    o Movement sensors
    o Keyboard strokes and mouse movements recorded

Prospect has since called for stronger regulation of employers’ use of technology to monitor employees.

What is the current legal position for hybrid or home workers?

Employees are data subjects under the UK data protection regime (comprised of multiple pieces of legislation, but primarily UK GDPR and the Data Protection Act 2018). This means that monitoring processes must follow the seven data processing principles, as well as other statutory requirements. Article 8 of the European Convention on Human Rights, as incorporated into UK law by the Human Rights Act 1998, also provides individuals with the right to respect for private and family life and correspondence, including within the workplace.

In recognition of our new way of working, the ICO has published new draft guidance to assist organisations in meeting their legal duties and responsibilities when monitoring staff. Formal adoption of the guidance is anticipated later this year but organisations are advised to take steps towards compliance sooner rather than later.

While the law and the new ICO guidance do not prevent monitoring, they do set minimum standards in respect of such practices. As monitoring is simply an umbrella term for a variety of practices, an organisation’s legal responsibilities will entirely depend on the activity itself.

Can monitoring practices assist organisations with disciplinary processes?

Data gathered through monitoring may assist you in your disciplinary processes, but we urge organisations to approach with caution. You will need to ensure that the information gathered through such activities has been lawfully/fairly obtained.

Unlawful or unfair monitoring practices are one of the most common complaints raised by employees against their employers. Getting it wrong can expose the employer to liability under private data protection claims, employment-related claims and regulatory enforcement action against the organisation (including significant monetary fines).

Key practical steps

We have compiled the following list of practical steps for organisations to consider when implementing or assessing their monitoring activities.

  1. Lawfulness: assess whether you have met legal requirements in respect of the activity. These include:
    o Have you identified an article 6 UK GDPR lawful basis for processing? If special category data will be gathered through the monitoring activity, you will also need to meet additional conditions under law. Spoiler alert, consent is not likely to be a suitable ground.
    o Is there a reasonable expectation of privacy by the employee, such as private communications between staff using the organisation’s software or systems?
    o Could the monitoring activity constitute a breach of the implied duty of trust and confidence?
    o Could you be accused of discriminatory behaviour, such as specifically targeting an individual through the activity?
  2. Fairness: fairness is a well-established concept under both data protection law and employment law. You must balance the fairness of each monitoring activity against the rights of the employee. For example, covert monitoring is often considered unfair unless there are exceptional circumstances justifying the conduct such as suspected criminal activity. Even where covert practices may be justifiable, the ICO imposes strict expectations on organisations in this regard (these are summarised in the new guidance).
  3. Data Minimisation: ask yourself whether there is a less intrusive method of obtaining the performance data and/or achieving the same outcome. Effective organisations and good managers measure output and productivity of staff, and provide them with the tools to do the job, rather than surveilling their people constantly.
  4. Transparency: ensure staff are aware of any form of monitoring at work (the nature, extent and reasons) whether they are at home or in the office, before the monitoring activity starts. This is commonly achieved through the circulation of employee-specific policies such as privacy notices and/or IT and Communications Policies.
  5. Purpose Limitation: You must be explicit on the purpose for any monitoring, for example via a privacy notice, and not use any information collected for a new purpose (unless the new purpose is compatible with the original purpose, you have the person’s consent or there is a clear provision in law requiring or allowing processing in the public interest).
  6. Accountability: If any monitoring to be carried out is likely to result in a high risk to the rights and freedoms of the employee, a Data Protection Impact Assessment (DPIA) must be undertaken and kept under review. A DPIA is a very valuable compliance tool when introducing a new system, software or technology. It will be one of the first documents requested by the regulator if an employee were to make a formal complaint about your monitoring practices.
  7. Security: adopt appropriate security measures to ensure the safety of the data gathered through the monitoring process. For example, limit access to monitoring systems to senior staff and ensure those senior members of staff are adequately trained on how to deal with such data, including but not limited to duties of confidentiality.

Article co-written by Mark Roby and Leanne Yendell.

This can be a complex and costly area to manage for organisations. We recommend early discussions with our Data Protection and Employment specialists if you have any questions regarding your monitoring practices.