An overhaul of worker oversight has been released, in draft form, by the UK's data protection regulatory authority, the Office of the Information Commissioner (ICO), to deal with significant changes to the way we work since its current Code of Employment Practices was published in 2011. Covid-19 has accelerated those changes further, with more screening and biometric tracking of workers.
The draft guidelines are open for feedback before January 11, 2023 and aim to provide practical advice as well as help employers carry out monitoring that complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, both of which are undergoing major reform. Neither prevents the monitoring of workers.
The guidance covers general principles such as the balance between intrusion and the needs of the employer, workers and the public; workers must be made aware of surveillance (except in exceptional circumstances for secret approaches); the data cannot be used for any other purpose; and data protection impact assessments (DPIA) must be carried out.
Worker Biometric Monitoring Guide
The draft guidelines start from a position of encouraging employers to question their own reasons for wanting to use biometrics in the first place, and whether such use would be deemed proportionate: employers must “document the evidence base for choosing to rely on biometric data, including any consideration of other less intrusive means and why they are inadequate.”
Employers must also identify a legal basis for their implementation of biometrics (there are six bases to choose from). As special category data, the collection of biometric data requires the identification of a special category, with guidance provided.
The UK GDPR further protects workers if automated decision-making has significant legal or other effects on workers. The explicit consent of the worker is required.
“This is the most likely gateway to using biometric data for access control, but obtaining true consent can be difficult due to the power imbalance between workers and employers,” the draft guidelines indicate. “You must offer an alternative to workers who do not want to give their consent so that they have a free choice. The alternative must not be detrimental to the workers who choose to use it. You must consider whether express consent can be genuine when a manual option takes longer.”
Systems such as facial recognition require specific consent and a system that scans all workers, whether or not they consented, would be illegal.
DPIAs are mandatory and must contain the justifications already prepared. Data should be stored more securely, with additional guidance available.
Once a system is operational for access, manual reviews of false negatives from biometric sensors should be available and should not be detrimental to workers.
Elsewhere, the draft guidelines note that “if you are monitoring remote workers, keep in mind that workers’ expectations of privacy are likely to be higher at home than in the workplace. The risks of capturing family and private life information are higher, so you need to consider this risk in your planning.”