The ICO Code of Practice
[ch 1: pages 8-9]The Information Commissioner’s Office (ICO) has produced an Employment Practices Code to aid employers in complying with the DPA and to encourage good practice. Part 3 of the Code covers monitoring at work.
This is an important reference point for unions in raising any concerns about monitoring practices and negotiating workplace policies. The ICO Code is examined in more detail in Chapter 7. Among the key principles outlined in the Code are that:
• Workers should be aware of the nature, extent and reasons for any monitoring, unless (exceptionally) covert monitoring is justified.
• If employers wish to monitor their workers, they should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by real benefits that will be delivered. In this regard, the Code suggests that employers should consider conducting an impact assessment on current or planned monitoring, identifying the purpose behind the monitoring and any likely adverse impact, and considering less intrusive alternatives to monitoring to achieve the desired objective (for example, better training, communication or supervision by managers, spot-checks or audits rather than continuous monitoring, or targeted monitoring where there is a particular problem).
• Employers should keep to a minimum those who have access to personal information obtained through monitoring. Personal information collected through monitoring should not be used for purposes other than those for which the monitoring was introduced.
With regard to information gathered during monitoring, the Code recommends that if this is used against workers, then they should be presented with the information and allowed to “explain or challenge, the results of any monitoring.”
With regard to covert monitoring, the Code states that this should be deployed only for specific investigations, and if there are grounds for suspecting criminal activity or equivalent malpractice, when notifying individuals about the monitoring “would prejudice its prevention or detection.” Employers should disregard other information collected in the course of this monitoring unless it reveals information that no employer could reasonably be expected to ignore (the law on covert monitoring is discussed in more detail on pages 61-66)
It is important to note that the ICO Code does not represent a statement of the law itself but recommends practice for employers in following the law and acting in a fair and reasonable way.
The introduction to the Code warns that while employers “may have alternative ways of meeting these requirements…if they do nothing they risk breaking the law.”
The ICO Employment Practices Code, ICO, 2011 and supplementary guidance are available from the ICO website: https://ico.org.uk/for-organisations/guide-to-data-protection/employment
The ICO recommendations are a set of benchmarks which unions should hold employers to. On a number of occasions reference by unions to the ICO Code or complaints to the ICO have led to employers changing their practice. Some of these cases are referred to in Chapters 2-6.
GMB calls for a more proactive ICO approach
At its 2015 Congress, the GMB general union called on the ICO to adopt a more proactive approach towards employers who abuse surveillance systems, and to conduct a thorough audit of all workplaces.
A motion adopted by the Congress called on the union to campaign to pressure the ICO to develop a more robust attitude and take more stringent legal actions with regard to abuses in monitoring practices that breached the Data Protection Act 1998. The motion referred to the “rapid growth of data technology” which is “now constantly being abused by employers, via deliberate, overt and covert monitoring, together with log in technology data, plus CCTV surveillance” and operating “without appropriate licence or regard to legislation and laws on data protection or CCTV surveillance.”
Practices mentioned in the debate on the motion include phone systems used to monitor calls: “Who you phoned, at what time and the complete duration of the call”; IT computer systems: “to monitor what time we logged in at work”; tracking systems: “ to monitor what time we start our vehicles” and how long they are parked for; monitoring of when workers take toilet breaks, or move to another part of the building, as well as the use of biometrics with fingerprints required to open doors, with workers threatened with dismissal if they refuse to give their fingerprints.
This was described as “an invasion” of “silent cyber-monitoring systems” used “covertly and unscrupulously by managers” and as a “silent invisible security guard” which “never sleeps, never eats and is constantly monitoring.”