Table of Contents
Nearly every UK business requires some employees to use an electronic device, such as a laptop, to carry out work. However, with electronic devices comes the potential for electronic monitoring. The General Data Protection Regulation (GDPR) aims to prevent employers from unlawfully accessing data and, as such, covers workplace monitoring practices. This article will explore the risks of using technology to monitor employees closely. In particular, we will consider the limits on electronic monitoring exercises under UK law and why it may be beneficial to restrict practices such as laptop monitoring.
GDPR on Employee Monitoring
The UK GDPR is our primary data protection law regarding electronic monitoring activities. These rules acknowledge that UK organisations have the technological ability to track all activities and conversations within a workplace and through their devices. Because of this, it aims to restrict the extent to which UK businesses can monitor their staff. Accordingly, UK organisations tend to take heed of the rules within the GDPR due to the risk of hefty Information Commissioner’s Office fines in the event of non-compliance.
Why Should My Business Be Aware of the ICO?
The power of the ICO to fine UK organisations up to £17.5m for GDPR violations motivates the majority of UK businesses to ensure good practice.
The ICO has issued significant fines to UK businesses that expose staff to excessive surveillance methods. Therefore, it is in your company’s best interests to act within GDPR rules.
Continue reading this article below the formCall 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.
What Does Employee Monitoring Mean?
Employee monitoring technology includes all digital systems that seek to record the words and actions of staff. Some examples of employee monitoring systems include:
- CCTV cameras;
- time-recording systems;
- keystroke monitoring technology;
- website tracking; and
- audio call recordings.
The last three examples are most relevant to laptop monitoring, which is the main focus of this article.
Laptop Monitoring
As mentioned above, common ways of monitoring staff through their laptops (and computers) involve keystroke monitoring, website tracking and audio call recording technology.
Let us explore each of these in turn below.
Keystroke Monitoring
Keystroke monitoring is an electronic system that records the time and use of every computer key (or mouse click). The primary purpose of this system is to check that staff are working at their computers (particularly those who are remote working).
Website Tracking
Website tracking is as simple as it sounds. Companies can set company internet browsers to record details of each webpage visited. This will allow your business to check that a staff member is visiting work-related sites during working hours and not using risky or virus-ridden web pages.
Audio Call Recording
Audio call recording technology is more prevalent in this era of video conferencing. Many remote workers have become acclimatised to making phone or video calls through their computers rather than mobile phones. For example, a UK business can potentially set their company’s computing system to record all calls with clients.
Monitoring Techniques Permitted by the ICO
Your UK business can use the above techniques upon meeting certain conditions. These conditions include the following:
- informing staff of your use of these systems in advance (usually through their induction and written IT or privacy policies);
- collecting the information for a legitimate purpose, for example, to ensure the security of personal data and encourage compliance with legal obligations; and
- ensuring that only relevant information is collected and processed, for example, information relating to calls with clients, not with family members.
The difference between an innocent and GDPR-compliant monitoring network and an unlawful, non-compliant system is likely to lie in a company’s original purpose and motivations. For example, a business checking website data during working hours to protect against viruses (under a written policy) is likely compliant. This is because the staff are pre-warned, and the aim is to ensure personal data is not stolen or held ransom by cybercriminals.
However, a business that uses covert monitoring devices or monitors computer systems without pre-warning its staff will likely risk a hefty financial penalty from the ICO. This is because UK organisations can only utilise covert recordings in exceptional circumstances.
Key Takeaways
Ensuring full compliance with data protection legislation is a challenging task. As a result, many UK businesses ask an expert lawyer to carry out a Data Protection Impact Assessment (DPIA). A DPIA is a form of risk assessment that advises your company as to which employee monitoring systems have a lawful basis.
If you need help ensuring the safe use of employee monitoring techniques, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
A Data Protection Impact Assessment can help your business ensure good employment practices and provide much-needed peace of mind in an increasingly digital world.
Data protection matters are complex because things are not always black and white as to what legitimate interests are lawful. However, most lawyers will advise that any company that pre-warns their employees of the nature and scope of their monitoring systems in advance faces less risk.
We appreciate your feedback – your submission has been successfully received.
