ICO signals red light for intrusive monitoring
Red light, green light
With news of the release of new ICO guidance on workplace monitoring, I was reminded of the Netflix Series, Squid Game. Yes, I appreciate that might seem like a leap, but bear with me…
One of the first games in the series was called Red light, green light. This involved the participants racing to a finishing line without being spotted by a rather creepy looking revolving giant doll. If a participant was seen moving then death swiftly followed. As surveillance goes, it was at the extreme end.
Of course, workplace monitoring does not usually end up with consequences as dire as this. And if we're going to stretch the analogy a little, most employers would want their employees to be moving towards a finishing line, rather than being punished when they are spotted doing so.
However, the more important difference here is that each of the participants in Squid Game knew they were being surveilled, and what would be done with the data. That's not always the case with workplace monitoring, and is one of the key issues that ICO is seeking to address in its new guidance.
Fact and extent of monitoring
According to ICO’s research, 70% of the public would find it intrusive to be monitored by an employer, with fewer than one in five being comfortable taking a new job if they’d be subject to monitoring. However, a poll by the TUC in 2022 found that 60% of workers believed that they had been subject to some sort of surveillance and monitoring in the past year. There's a disconnect here.
And it's not only the fact of monitoring that is an issue. It's also the extent of the monitoring which can come as a surprise to an unwitting employee. By way of example, while workers may reasonably expect their timekeeping to be monitored, few would expect their private Whatsapp messages to be available to their HR department. However, if those messages are contained on a work device, then an employer may be justified in seeking access, if only to comply with its own data protection and legal obligations.
Similarly, the informality and convenience of the now ubiquitous instant message platforms can be a bear trap for the unwary employee who assumes that their “banter” with fellow colleagues is private. It may well not be, and it certainly won’t be in litigation.
And all this is before we consider more intrusive monitoring such as key stroke loggers and webcam monitoring which appear to be on the rise, and which the Institute for Public Policy Research suggests should be outlawed. While not going as far as a calling for an outright prohibition, ICO’s view is also disapproving, noting that such device activity monitoring is likely to capture excessive amounts of workers’ personal information, potentially including special category data.
Blurring of boundaries
At the heart of the heightened debate on the lawfulness and desirability of employee monitoring is what labour law academics refer to as the blurring of the boundaries between the personal and the professional. While gatekeeping between home and work was once physical; now it's digital. And digital gates are porous ones.
It's arguable that this blurring has been caused, or at least accelerated, by the Covid pandemic. With hybrid working arrangements the new norm, employers concerned about productivity have felt increasingly entitled to (metaphorically) plonk themselves on the couches of their employees. This is of course the wrong answer to the question.
Where performance or conduct issues are identified they should be addressed using the appropriate processes. Blanket and intrusive monitoring as a substitute for those processes is unlikely to be lawful, and may amount to a breach of the implied term of trust and confidence. Further, while seemingly untested at present, it is also possible that such a practice could be indirectly discriminatory if, for example, women are more likely to work at home and are therefore more likely to be subject to monitoring than men.
The new ICO guidance is therefore helpful in emphasising the obligation on employers to balance their business interests against workers’ rights and freedoms, to be clear about the purpose of any monitoring, and to select the least intrusive means to achieve that purpose.
A final thought
However, I leave with one thought. ICOs own research shows that young people are least likely to find monitoring intrusive. This chimes with my own experience.
While my children are now young adults, exhortations when they were younger that they should never write anything online that they wouldn’t want their mother to read went largely unheeded, or met with a “nothing to hide, nothing to fear” argument. Expectations of privacy are plainly reduced in a generation that has grown up with CCTV on every corner and with an acceptance (or at least an understanding) that accessing the internet comes with a tracking price.
This normalisation of surveillance may have the effect of inhibiting outrage at the more egregious monitoring, which in turn may feed into ICO’s ability to take enforcement action when bad employers cross the line.