ICO issues Employee Guidance: Why both EU and US Employers should Care

ICO issues draft guidance on employee monitoring. Below are key takeaways and why they matter for your #CPRA employee compliance and compliance with US State monitoring laws.

How to lawfully monitor employees

  • You can monitor workers if you do it in a way which is consistent with data protection legislation (e.g. proportionality, legal basis, special category condition (if applicable)) as well as with other relevant laws.
  • You need a special category condition even if the monitoring captures special category data only incidentally. For example: to monitor all email traffic you need a legal basis and a special category condition, because monitoring all email traffic could detect special category data, such as emails sent to union representatives or to occupational health personnel. [Note: re the collection of sensitive data under CPRA]
  • You must only keep the information which is relevant to your purpose for monitoring. Regularly review the information you are collecting and destroy what is not necessary. [Note: the same purpose specification and retention limitation applies to employee data under CPRA]

Special Category Data (aka CPRA "sensitive information")

  • Explicit consent only works if workers have a genuine option, with no negative impact (either actual or perceived) for withholding explicit consent. This is unlikely in most employment circumstances. Example: rolling out a biometric sign-on for access control but offering employees who do not consent an alternative.
  • Reasons of substantial public interest can be relied on for using CCTV to detect and prevent crime (alongside the public interest legal basis).

Fairness

  • You should only monitor workers in ways they would reasonably expect and not in ways that cause unjustified adverse effects on them. [Same requirement for reasonable expectation as part of the data minimization requirement under CPRA]
  • Example 1: CCTV of changing rooms to investigate reported theft is excessive, but CCTV of the changing room door, with notice by signage, with the camera in place only for the duration of the investigation and retaining only information relevant to the investigation, may be appropriate.
  • Example 2: Using a software tool to monitor how long workers spend using a case management system is only OK if the employer takes into account the work done outside the system (e.g. for reasonable adjustments).

Transparency

  • Apart from in very exceptional circumstances where covert monitoring is justified, you must inform workers about any monitoring [Same under CPRA]
  • You must make sure workers understand what data is being processed during monitoring. [Same under CPRA]
  • You could set up a system to ensure workers remain aware that monitoring is being conducted. For example, via an intranet, or through signage in areas subject to video monitoring. You could seek assurance by collecting documentary proof that a worker has read any notices.

ICO adds: If you are planning to introduce monitoring, you should seek and document the views of workers or their representatives unless there is a good reason not to. Involving workers during the planning stages provides an opportunity to consider concerns early.

Covert monitoring:

  • There may be exceptional circumstances where you would consider this. An example is where covert monitoring is necessary to enable the prevention or detection of suspected criminal activity or gross misconduct.
  • Covert monitoring requires a DPIA; it must be strictly targeted at obtaining evidence within a set timeframe, which should be limited to the shortest time possible; you must only use information gathered through covert monitoring for the purpose intended. [in line with CPRA data minimization/retention limitation obligations]
  • You must not use covert audio or video monitoring in areas where workers would reasonably expect to be private, such as toilets or changing rooms. [same under US laws (CCTV and privacy)]
  • You must not use covert monitoring to capture communications that workers would reasonably expect to be private, such as personal emails. [case law in the US to this effect as well]

Employee DSARs:

If a worker submits an access request, you may have to disclose the monitoring information. There are some exemptions, but these are not blanket. [same under CPRA]

Purpose limitation:

  • If the monitoring is to enforce your organisation’s policies, make sure these are clearly set out. You should regularly bring the policies to the attention of workers. You should consider that workers base their expectations of privacy not only on policy but also on practice. Excessive monitoring set out in a policy does not become lawful just because it is documented.
  • Example: An employer has a policy which imposes a ban on personal calls, but in practice, they overlook a limited number of personal calls. The employer cannot rely on the policy to justify carrying out monitoring.

Data minimization:

  • You should not collect more data than you need to achieve your purpose. [This is also a requirement under CPRA]
  • Example: An employer collects office ethernet connection data to monitor the use of workspace and ensure there is sufficient capacity for workers. They should not re-use this information for performance management purposes without identifying a new lawful basis and establishing the necessity and proportionality of this new purpose.

Accuracy:

  • You should take all reasonable steps to ensure the personal data you gather through monitoring workers is not incorrect or misleading as to any matter of fact. [same under CPRA]
  • You should provide workers with the opportunity to comment on the accuracy of any data gathered through monitoring. [same under CPRA]
  • Ensure that within or alongside disciplinary or grievance procedures and performance reviews or appraisals, workers can see and, if necessary, explain or challenge the results of any monitoring.

Retention Limitation:

  • You should not keep monitoring data for any longer than you need it. You should not keep any data gathered from monitoring workers for longer than is necessary for your particular purpose or purposes [same under CPRA]
  • You must base any retention period you set on business need. You should review it regularly, and take into account any professional guidelines or legal obligations [same under CPRA]
  • You should not retain monitoring data just in case you find a purpose for it in the future. [same under CPRA]
  • You should ensure you have a retention schedule in place and delete any monitoring data in line with your schedule. [same under CPRA]

Using a third party for employee monitoring:

  • You need to assess whether your provider is a processor or controller and need to put a data sharing agreement in place. [same under CPRA re: service providers and third parties]
  • You are responsible for data protection compliance if you are using a monitoring software package, gathering data from communication and collaboration tools, or using an analytics application to conduct monitoring or to process data from monitoring workers. [There is US case law to this effect in the context of, for example, BIPA biometrics lawsuits]

Automated processes in monitoring tools:

  • There are limitations when carrying out automated decision-making that has legal or similarly significant effects on employees [same under CPRA and under specific AI employment laws in NY and IL]
  • Example 1: An organisation pays workers based entirely on automated monitoring of their productivity. This decision is solely automated and has a significant effect, since it affects how much a worker is paid. Therefore, the additional rules apply.
  • Example 2: An employer uses an automated vehicle tracking device to determine whether its workers are making deliveries on time and to the correct address. If a warning is based on complaints received from customers about not receiving their orders, this is not fully automated processing.
  • You must tell workers whose data you are processing that you are doing so for automated decision-making. You must give them “meaningful information about the logic involved, as well as the significance and the envisaged consequences” of the processing for them. [similar obligation under CPRA]

Recording calls:

  • A recorded message is best practice for informing the callers of the fact of the recording. Where this is not possible, instruct workers to inform callers that calls may be recorded and to explain the reason why. You may provide the rest of the privacy information (retention periods, individual rights available, any data sharing) by other means – for example, emailing the caller a copy of your privacy notice or providing a link to it on your website.
  • Any information collected is likely to be personal data and could be subject to external access requests. Make sure workers know call recordings may be released to members of the public if requested.

Monitoring emails and instant messages:

  • You must be clear about your purpose for monitoring emails and messages and make sure any monitoring is necessary and proportionate to your purpose. Make sure you inform workers of any monitoring.
  • If you are considering monitoring emails and messages, you should complete a DPIA, as this poses a high risk to workers’ data protection rights and freedoms and is likely to capture special category data.
  • It would be difficult to justify monitoring the content of emails and messages where monitoring network data would meet your purpose.
  • Accessing content will not be appropriate unless there is a clear policy in place explaining the circumstances where such monitoring may take place.

Providing a monitoring service:

Monitoring your own workers (e.g. their computer activity) cannot be justified solely because your customer makes it a condition of business. The customer would need to justify why this level of monitoring is necessary and consider lower risk alternatives such as aggregated reports where individual workers are not identifiable.

Audio or Video monitoring:

  • Audio recording is highly intrusive and unlikely to be justifiable in most circumstances. You should switch off by default any capability to record audio. You should only use it in exceptional circumstances, for example by a trigger switch.
  • Any monitoring should be targeted at areas of particular risk and confined to areas where expectations of privacy are low. Continuous video or audio monitoring of workers is only likely to be justified in rare circumstances.
  • You need a DPIA, notice to the employees, notice to any non-employees impacted, and to include this in DSARs.

Monitoring work vehicles:

  • When the private use of a work vehicle is allowed, monitoring during private use will rarely be justified. Enable the ability to turn the monitoring off during off-hours.
  • You must ensure workers and passengers are informed of any vehicle monitoring.
  • Driver monitoring which is more intrusive than gathering data on time, speed, and distance (for example, monitoring driver behaviour, or the use of cameras or audio) is harder to justify due to the higher risk to workers’ privacy and the rights of any passengers. You should carry out a DPIA to assess the risks.
  • If you are considering the use of any monitoring tool which uses analytics to make inferences, predictions, or decisions about drivers, you must carry out a DPIA. It is unlikely that the use of such technologies would be justifiable or proportionate.

Dashcams:

  • Dashcams may be intrusive and can impact on the data protection rights and freedoms of workers and other individuals, especially when used in places where people would not reasonably expect them.
  • Audio is higher risk: you should switch off any capability to record audio by default, and it should only be triggered in exceptional circumstances.

Information from third party sources:

  • You need to take special care when considering making use of information about workers from third party sources such as credit reference information or social media sites.
  • Make sure your purpose (for example, suspicion of criminal activity) justifies the potential adverse impact.
  • Provide workers with privacy information so they can understand what sources are to be used and why.
  • Take particular care with information about workers that you have because of a non-employment relationship with them, for example because they are or have been your customers, clients, or suppliers.

Attendance and time information:

  • You must be clear about your purpose for recording access and time information.
  • You must not use the information for a different purpose unless it is compatible with your original purpose.
  • Example: you cannot use information from a swipe card used to enter a server room to infer employees' entry and exit times for performance evaluation.

Monitoring to prevent data loss or detect malicious traffic:

  • You must consider the least invasive means possible when selecting solutions to protect against data loss or external threats.
  • You should complete a data protection impact assessment (DPIA).
  • Carrying out analysis of the data to make inferences about workers may be high risk.

Device monitoring:

  • Device activity monitoring is likely to capture excessive amounts of worker information and special category data, such as emails about health conditions and emails to union representatives. Capturing webcam shots or footage is particularly unlikely to be justifiable.
  • If you are monitoring workers remotely, keep in mind that workers’ expectations of privacy are likely to be higher at home than in the workplace. The risks of capturing family and private life information are higher, so you should factor this risk into your planning.

Biometric data for time and attendance:

  • You should document the evidential basis for choosing to rely on biometric data, including any consideration of other less intrusive means and why they are inadequate.
  • You must carry out a DPIA whenever you process biometric data to uniquely identify an individual.
  • If you are relying on facial recognition for workspace access, you would need an alternative for those who have not consented which does not involve the processing of their biometric data. This should not disadvantage workers: for example, those who choose not to use the biometric option should not need to walk further.
  • You are also responsible for ensuring that the technology you choose (including technology from a third party) is reliable, with a decent "match rate" and low false negatives. Manual reviews must be available where an automatic process has resulted in a possible false negative. Requesting a manual review should not be to the detriment of workers.
  • Example: An employer rolls out new laptops to all workers. The devices have the option of facial recognition sign in. Workers who agree to using facial recognition provide consent on the understanding that the image created is only held on the device provided to them and is not stored elsewhere or used for any other purpose than device access. Workers who do not wish to use facial recognition to log on may use a password or a PIN instead. The facial recognition process does not initiate on the laptops of workers who have not given consent.
  • Make sure workers understand how the system works and what personal data is collected along with the nature and purposes of the monitoring.

Alexander Schenk

Senior Consultant Data Privacy (GDPR, Swiss Data Protection Law, AI) AI-Compliance Consultant ISO 27001 & NIS2 Consultant Anti-Money-Laundering Consultant Whistleblowing Consultant

2 years

Thanks for sharing!