The last few months have seen a surge in regulatory action around employee monitoring. Whilst employee monitoring can be beneficial for organisations, recent enforcement decisions reflect the challenges that organisations face when it comes to implementing these practices.

Workplace monitoring is prevalent across all industries and sectors and is by no means a new concept. However, methods used by employers are becoming increasingly sophisticated, particularly due to the emergence of AI-based monitoring tools and the shift to flexible and remote working. It is therefore unsurprising that regulators across the UK and EU are interested in how organisations monitor their employees, which, as we will see below, is a particularly tricky area to regulate.

The EU approach

In December 2023, the French Data Protection Authority (CNIL) fined Amazon France Logistique (AFL) a whopping €32 million for its excessive monitoring practices. AFL captured data from scanners used by its employees and produced statistics and performance indicators from that dataset. The CNIL deemed that AFL’s monitoring practices were “excessive” for the following reasons:

  • Tracking inactivity time: the granularity with which AFL scanners recorded work interruptions was illegal and could result in employees needing to justify every break.
  • Measuring scanning speed: measuring the speed at which items were scanned and having tight constraints around these was excessive.
  • Retention: AFL retained all data collected by the system (including statistical indicators) for all workers for a period of 31 days.

Although this is a decision by the French regulator, organisations with employees based in the UK and EU should take note of this decision and remind themselves of local data protection guidance.

Employee monitoring in the UK

We are seeing similar concerns around employee monitoring in the UK. The Information Commissioner’s Office (ICO) conducted a study in October last year which reflected that 70% of the public would find it intrusive to be monitored by their employer. In response to these concerns, the ICO issued guidance on employee monitoring, making it clear that this must be done in a lawful and fair way. The guidance aims not only to protect workers’ data protection rights but also to build trust among the workforce.

More recently, we have seen the ICO taking a particularly strict approach to regulating employee monitoring which involves biometric data. The ICO issued an enforcement notice to Serco Leisure last month for its use of facial recognition technologies to monitor employee attendance. The ICO’s decision highlighted that organisations must evidence the necessity of the proposed monitoring (including by clearly demonstrating why other, less intrusive mechanisms are not appropriate) and ensure that appropriate policy documentation is in place. For a comprehensive summary of the ICO’s decision, please see our recent Insight.

Whilst the ICO’s approach does not prohibit or hinder the deployment of employee monitoring technologies, the recent action and guidance from the regulator highlight the importance of ensuring that organisations identify the risks and sufficiently mitigate these. The timely publication of the ICO’s guidance on biometric data, released the same day as the Serco enforcement notice, reflects the regulator’s intention to provide organisations with adequate guidance on how to protect individuals’ personal data.

Our key recommendations

Employee monitoring is undoubtedly a valuable tool for business. However, to ensure compliance with data protection law, organisations should conduct thorough and detailed data protection impact assessments (DPIAs) to make sure that they consider and mitigate all relevant data protection risks. In particular, DPIAs for employee monitoring processes should cover three key questions:

1. Is the purpose for processing clear?

Consider why monitoring is necessary and what the intention is for the information collected. Being clear on the purpose for processing and establishing a lawful basis for processing is vital to ensuring compliance with data protection laws. Avoid monitoring workers ‘just in case’ the information might be useful at a later date.

2. Is the monitoring proportionate for the purpose?

Ask whether there are any other, less intrusive methods of achieving the intended objective. If the answer to this question is no, this might indicate that the method is proportionate. If the answer to this question is yes, it is unlikely that the monitoring is a proportionate way of meeting those purposes, and alternative methods should be explored.

3. Are employees aware?

Internal documentation (including policies and guidance notes), employee communications and privacy notices are useful methods of communicating to employees how and why their personal data is processed when monitoring is carried out. Employees should be informed of the nature, extent and reasons for monitoring, in a way that is easy to understand. DPIAs should consider whether opt-out rights are required, and ensure that there are clear and valid ways for employees to exercise those rights if so. Although there are certain circumstances where it is possible to justify covert monitoring, these are exceptional (for example, in order to prevent suspected criminal activity). You should review the ICO’s detailed guidance before implementing such practices.

If you are considering implementing employee monitoring software or would like to review your current processes, please do get in touch.

Authors: Emma Erskine-Fox, Georgía Philippou and Jennifer Cleaver

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2024. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Written by

Emma Erskine-Fox

Date published

21 March 2024
