Almost four years after the onset of the COVID-19 pandemic, home and hybrid working are here to stay.
While many hybrid workers report improved work-life balance, hybrid working poses challenges to employers in maintaining a workplace culture, communication between staff and reviewing performance. Many employers have moved to electronically monitor the activities of staff working from home, including:
- live viewing and screengrabs of employee desktops;
- webcams watching employees at their home desks;
- installing movement sensors under desks and
- recording keystrokes and mouse movements.
However, there is a balancing act between the employee's rights to privacy and the employer's rights to manage the employment relationship. Such monitoring would also involve processing data where individuals can be identified.
The ICO has now published guidance 'Employment practices and data protection – Monitoring workers' to set out best practices and practical advice to ensure that any systematic monitoring complies with the requirements of the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.
The guidance is a strong reminder that for any personal data processing, there must be an identified lawful reason for that processing. The six lawful reasons are:
- the informed consent of the employee;
- for the purpose of performing a contract;
- for compliance with a legal obligation;
- vital interests (where necessary to protect someone's life);
- where it constitutes a legitimate interest; or
- is necessary to perform a public function (for public sector organisations).
Whichever lawful reason the employer seeks to use, it will still be subject to scrutiny. For example, it is unlikely that making a screen grab of an employee's desktop to monitor remote attendance would be proportionate if there is a less intrusive way of achieving the same aim.
Likewise, covert monitoring would likely breach the requirement to be transparent with employees about personal data processing.
Any employee monitoring of this type would need to be included in any existing privacy notice and explicitly drawn to employee's attention. Only highly exceptional circumstances justify covert monitoring.
Monitoring employees working from home means there is a greater risk of inadvertently breaching data protection by processing special category personal data about them. Special category personal data includes information about:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where used for identification or authentication purposes);
- health or disability;
- sex life; or
- sexual orientation.
Any monitoring activity must be limited to the lawful reason for processing, and employers should only collect what is needed. There is greater potential to infringe privacy where recording calls and using cameras may risk including information about the employee's home life and family.
These actions may also infringe other legislation, including the Human Rights Act 1998 and laws surrounding the use of telecommunications and investigatory powers.
Processing of special category data also requires an additional condition for processing to be identified together with the lawful reason.
Organisations must also carry out a data protection impact assessment of any high-risk processing, particularly where new technologies are implemented.
In short, any implementation of monitoring of employees at home needs to be justified, proportionate and transparent.