Workplace digital monitoring and surveillance: what are my rights?

Andrew Pakes · 8 December 2020

Covid has seen the rapid growth in digital technologies at work. While technology has helped to keep us safe over lockdown, it has led to the expansion of monitoring software to help employers check on staff working from home.

Employers should notify workers, and unions, about plans to introduce technology that monitors or uses our personal data.

A recent survey suggests that 1 in 5 employers are tracking workers online or planning to do so. The most high-profile instance was the introduction of a new productivity tool by Microsoft. Microsoft has now responded to concerns about the software by changing its privacy settings. It remains, however, the most mainstream example of the growth in surveillance software.

Prospect research shows that the public are concerned about the risks of automated decisions and workplace surveillance.

So, what are our rights on surveillance?

Technology is transforming how we work and how we are managed. While digital technologies have the potential to bring flexibility and to support workers, they can also cause harm:

  • AI and digital technology can lead to discrimination through the decisions they make about people or groups of people.
  • Monitoring software could impact on our quality of work by reducing autonomy and trust, and our right to a private life by intruding into our homes whilst we are remote working.
  • Automated decisions could lead to unfair and unaccountable decisions about our work life, such as on performance management.

GDPR rights to know when our data is being used for surveillance

Workers should be informed and consulted when monitoring and surveillance software is introduced. Even though the law does not protect workers’ data rights as much as we would like, we do have rights under the GDPR and Data Protection Act:

  • Using digital technologies that can monitor individual behaviours, such as keystrokes on a computer, image tracking or checking files, is a use of our personal data under GDPR.
  • By collecting and using this information, employers are processing our personal data.
  • Analysis of this data is profiling.

This is what is called ‘high-risk’ processing. Recital 75 of GDPR defines ‘high-risk’ as something that “may result from personal data processing which could lead to physical, material or non-material damage.”

Employers are legally required to inform you in advance about the use of this software and to consult you, and unions, about it. GDPR says that a Data Protection Impact Assessment (DPIA) will be required where the processing is likely to result in a high risk to the rights and freedoms of natural persons. In other words, they are obliged to inform and consult with us in all cases where workers’ data is extracted.

Here is what the ICO has said:

“If organisations wish to monitor their employees, they should be clear about its purpose and that it brings real benefits. Organisations also need to make employees aware of the nature, extent and reasons for any monitoring.”

Remote working: a right to a private life, a right to disconnect

Remote technology brings benefits, but it can also lead to an always-on culture where workers are expected to be constantly available to their employers. Today, with many of us asking whether we are now working from home or living at the office, that concept of privacy is playing out from our laptops in our kitchens and spare rooms.

The Information Commissioner’s Office (ICO) has voluntary guidance on employment practices. The code states:

“Workers have legitimate expectations that they can keep their personal lives private and that they are also entitled to a degree of privacy in the work environment.”

Article 8 of the Human Rights Act (1998) also protects our right to a private life and right to enjoy our home peacefully.

These safeguards do not provide the level of protection we think is necessary in the face of the fast-changing nature of digital technology, but they do provide a starting point.

That’s why Prospect are leading calls for a UK Right to Disconnect. This would provide a framework for negotiating reasonable rules on the use of technology to contact workers remotely. Such laws exist in other countries, such as France and Spain, and we believe the UK needs to follow suit.

Surveillance: what can you do?

  1. We have a right to know whether we are being monitored at work, whether that is in an office or working remotely from home. Employers need to inform us about what information is being collected, how it is being processed and its purpose.
  2. We have a right to be consulted over the introduction of high-risk data processing, such as digital monitoring of our personal data for productivity purposes. Employers have an obligation to undertake a Data Protection Impact Assessment which involves consulting the people whose data is being used (i.e. us). We have rights to know what data processing is taking place and which of these employers have identified as high risk.
  3. Join a union. Get involved with your union. Together we can more effectively speak up for our data rights and privacy at work.

Andrew Pakes is Prospect’s research director