Privacy impact assessments
[ch 9: pages 65-66] The ICO code says an employer conducting a privacy impact assessment should:
• begin by identifying the purpose and expected benefits of monitoring and its likely adverse impact. This includes looking at the level of privacy intrusion, whether workers can take steps to reduce it, whether monitoring results are likely to be sensitive or confidential, whether they will be seen by people who don’t need to know (such as IT technicians), the potential impact on trust and confidence and on legitimate relationships, for example between a union rep and member, and whether monitoring is “oppressive or demeaning”;
• consider alternatives: employers should ask, is there another way to achieve the same results, such as better training, communication or supervision, avoiding electronic monitoring altogether? Would reactive investigation of specific incidents or spot checking be better than continuous monitoring? Can monitoring be confined to those workers whose jobs pose the highest risk?
• consider how the employer will meet its GDPR obligations that arise from the monitoring (see page 62); and
• decide whether the monitoring can be justified.
The Code says any monitoring must go no further than is “absolutely necessary” and that “significant intrusion into the private lives of individuals will not normally be justified unless the employer’s business is at real risk of serious damage”. The Code expects employers to consult and take into account the views of union reps and workers.
ICO, The Employment Practices Code (https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf)