Privacy impact assessments
[ch 8: pages 83-84] Union reps should seek to ensure that employers conduct privacy impact assessments (PIAs) in relation to any proposed monitoring. Guidance on conducting PIAs is contained in the ICO Employment Practices Code. This states that employers should:
• identify clearly the purpose behind the monitoring arrangement and the benefits it is likely to deliver;
• identify any adverse impact of the monitoring arrangement;
• consider alternatives to monitoring, or different ways it could be carried out;
• take into account the obligations that arise from monitoring; and
• judge whether monitoring is justified.
There is no formal statutory obligation to share the results of monitoring with employees. Reps should try to negotiate formal workplace agreements on monitoring which include effective participation in impact assessments and in periodic reviews following implementation. Employers who fail to take proper account of worker voice when engaged in monitoring risk breaching the implied contractual duty of mutual trust and confidence.
Workers do, however, have a right to access their own personal data under the DPA, and can make a “Data Subject Access Request” to obtain this (see page 72).
Union reps should also seek to encourage employers to adopt the “privacy by design” approach advocated by the ICO. The approach promotes privacy and data protection compliance from the start, issues which are unfortunately “often bolted on as an afterthought or ignored altogether” according to the ICO.
Such an approach will help to ensure that:
• potential problems are identified at an early stage, when addressing them will often be simpler and less costly;
• awareness of privacy and data protection is increased across the organisation;
• organisations are more likely to meet their legal obligations and less likely to breach the DPA;
• actions are less likely to be privacy intrusive and have a negative impact on individuals.
Conducting PIAs is integral to the “privacy by design” approach. The ICO has produced a Code of Practice on conducting PIAs. See ICO, Conducting privacy impact assessments, Code of Practice: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf.
For more on the “privacy by design” approach see: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design.
Reps should also refer to the TUC guide on Privacy at Work: TUC, Worksmart, Privacy at Work: www.tuc.org.uk/sites/default/files/tuc/privacyatwork.pdf.
Guidance from the Acas conciliation and employment advice service on developing internet and email policies can be downloaded at: www.acas.org.uk/media/pdf/d/b/AL06_1.pdf.