The Information Commissioner’s Office (ICO) has produced detailed new guidance for employers on managing employees’ data.
Health data – How to securely manage ‘health data’, a special category of personal data with enhanced protection under the UK General Data Protection Regulation (“GDPR”). The guidance (available here) explains how data protection laws apply to the processing of workers’ health information and the key points to consider to ensure compliance (particularly with the stricter statutory requirements for processing ‘special category data’). The guidance:
- Reminds employers that when they want to collect and use information regarding their workers’ health, they must be clear about why they are doing so and have justified reasons for collecting such data
- Explains how data protection applies to specific workplace scenarios, such as sickness and injury records, medical and drug/alcohol testing and sharing workers’ health data
- Sets out recommended good practice to ensure compliance with legal requirements
- Provides useful checklists which can help provide employers with an overview of what to consider when collecting and using workers’ health data
Monitoring – The ICO has updated its guidance for employers on monitoring staff (available here) to help ensure they comply with their obligations under data protection law to monitor transparently and fairly. The guidance explains that the term ‘monitoring’ can cover a variety of activities (including tracking calls and messages), and that monitoring technologies can include:
- Camera surveillance including wearable cameras for the purpose of health and safety;
- Webcams and screenshots;
- Technologies for monitoring timekeeping or access control;
- Keystroke monitoring to track, capture and log keyboard activity;
- Productivity tools which log how workers spend their time;
- Tracking internet activity and keystrokes;
- Body worn devices to track the locations of workers;
- Hidden audio recording.
In summary, the guidance says employers should:
- Clearly communicate to staff the nature, extent, and reasons for monitoring, so that staff know what to expect.
- Have a clearly defined purpose for monitoring and do so using the least intrusive means necessary.
- Establish a lawful basis for processing workers’ personal data and ensure that the processing complies with legal requirements.
- Only collect and retain information that is directly relevant to the stated monitoring purpose and avoid any unnecessary accumulation of data.
- Conduct a Data Protection Impact Assessment to identify and mitigate potential risks.