cherezoff -

ICO consults public on personal data in employment practices

The ICO has launched a public consultation on employers’ use of personal data to help it provide practical guidance for both businesses and workers

The UK’s Information Commissioner’s Office (ICO) has launched a consultation on the use of personal data by employers, including in workplace monitoring technologies, which will be used to update its existing Employment Practices guidance.

On 12 August 2021, the ICO’s acting director of regulatory assurance, Anulka Clarke, published a blog about data protection and employment practices, in which she introduced the regulators call for views.

“In recent times, working life has changed for millions of us in a way few could have predicted,” she said.

“Every industry sector and its workers have been impacted. Both in the public and private sector, and businesses large and small.

“Artificial intelligence [AI] and machine learning are impacting the ways decisions are made about workers; monitoring technologies are more varied and widespread in use; and the pandemic has suddenly accelerated the trend for remote working and for obtaining health data.”

Because of the impact these developments and others can have on people’s privacy, she added that it was vital that employers understand how they can operate in a changing business environment and build trust with workers over their information rights.

The digital monitoring tools available today allow enterprises to see a range of information about their employees’ activities, from recording their keystrokes and mouse clicks to tracking their physical location and use of applications or websites.

Predictive and behavioural analytics

Using these and a variety of other metrics, such software is used by enterprises to conduct predictive and behavioural analytics, ostensibly enabling managers to understand and track how productive employees are over time.

“Data protection is not a barrier to the use of new technologies to improve and develop employment practices. Data protection enables innovation to happen responsibly, it builds trust between employers and workers,” said Clarke. “Innovation itself enables economic growth which is vital as we look towards a post pandemic future.

“We’ve launched a call for views today to help us to create practical employment guidance where personal data is used, that supports both employers and staff. It is crucial we reflect as many responses as we can from as many sectors as possible.”

Clarke addressed the ICO’s call to everyone with an interest in UK employment practices, including businesses of every size, workers, trade unions, and professional or trade bodies, who can share their views by answering a survey.

“In replacing the [Employment] code, we plan to produce easily accessible online resources, that reflect the way work has changed and are relevant,” she said. “The employment practices and data protection guidance will cover topics including recruitment and selection, employment records, monitoring of workers, and information about workers’ health. We intend to add to this evolving resource over time.

A dramatic increase in workplace surveillance

While the use of employee monitoring tools was already ramping up before Covid-19 – a 2019 Accenture survey of C-suite executives found that 62% of their enterprises were “using new technologies to collect data on their people and their work to gain more actionable insights” – the move to remote working has facilitated a dramatic increase in their use.

According to David Emm, principal security researcher at Kaspersky, heightened workplace surveillance is a trend that is occurring across all sectors of the economy.  

“Our research found that 44% of the UK’s pandemic-forced home working contingent have had monitoring software installed on company-provided devices. This is naturally having a massive effect on wellbeing, with 46% of UK employees working overtime as a direct result of workplace surveillance, and a further 25% admitting they work ‘harder’ for fear of being perceived as lazy,” he said.

“Aside from the obvious risks of burnout and resentment, this sharp increase in surveillance also leads to an increased risk of shadow IT and associated threats, as some staff use personal devices, that are ‘off the radar’ for work. While remote working does bring significant benefits to workers, there is also a dark side when it’s not managed holistically. There is a serious need for employers to examine their ‘surveillance’ practices to understand the true impact on productivity and worker satisfaction.”

A separate survey from Skillcast from November 2020 also found that one in five employers were already using, or otherwise planning to introduce, employee monitoring software for those working remotely from home.

In the same month, a report from the UK’s Trades Union Congress (TUC) found that one in seven workers had experienced increased monitoring at work since the start of the coronavirus pandemic.

Unions respond

In response to the consultation announcement, Andrew Pakes, research director at specialist professional science and research union Prospect, told Computer Weekly that technologies enabling the mass collection of employee data have the capacity to fundamentally change the work relationship, with potentially serious consequences for workers rights.

“The growth in remote working and power of digital technology has transformed how we work over the last 18 months but it has also come with a the worrying rise in intrusive management by surveillance. There are increasing concerns that our data is being used to micro-manage, monitor and control workers, often without any transparency over how decisions are made,” he said.

“This consultation needs to be the first step in ensuring workers’ data rights on surveillance are clear, spelt out to workers and recognises the power digital technology has over how we are managed and work.

“We need new guidance that confirms to employers that workers and unions have rights to be consulted about how monitoring software is introduced and used by employers.”

He added that work already underway to ensure workers voices were well-represented in the consultation.

Read more about employer’s data practices

In June 2021, Computer Weekly reported on a campaign by the United Tech and Allied Workers union (UTAW) to protect workers’ privacy and raise awareness about workplace monitoring practices.

“Our main findings through UTAW’s campaign show that hardly anyone knows how to spot surveillance nor knows their legal rights around surveillance. Without awareness and understanding there is no chance that any protections will be applied in workplaces,” said UTAW spokesperson Marcus Storm in response to the consultation, adding he would like for the resulting ICO guidance to be simple, easy to understand, and applied consistently throughout the UK.

“I’d also like to see employees have a say in any implementation of surveillance in the workplace. This is because surveillance has a different place in different types of industry – think of warehouses and think of software engineering. Employees will know what type of surveillance is most appropriate and suitable for them to do their work, and because it touches upon sensitive topics such as privacy, they should absolutely have a say and be able to express their opinions on any surveillance policy.

“Without employees being able to push for their wants, there is a real danger that managers simply adopt the most invasive surveillance tools they can, because nobody is pushing back on them. I’m sure you saw the recent ridiculous XSolla firing of 150 employees based on silly metrics like clicks, Jira activity, and emails. Powerful surveillance simply gives poor managers more reasons to unfairly get rid of people.”

Employee surveillance guide

As part of its campaign, UTAW worked with legal experts to build an employee surveillance guide on its website, with the aim of helping workers – as well as managers – to better understand their rights and responsibilities.

Throughout 2021 the App Driver’s and Courier’s Union (ADCU) has been pushing for greater algorithmic transparency from ride-hailing firms like Uber, Ola and Bolt, particularly in regards to how data is used in employment decisions.

James Farrar, general secretary of the ADCU, said while the consultation is welcome, “I’d prefer to see the regulator take rigorous enforcement action against rogue gig economy employers who have ridden roughshod over data protection law for years.

“I am concerned that the proposed review takes a passive approach emphasising a focus on static data, and not nearly enough attention is paid to opaque active algorithmic management processes underpinned by AI and machine learning.

“For instance, secret worker profiles are now routinely used illegally by platform employers for automated decision making relating to work allocation, performance management and pay. Gig workers are subjected to intense digital surveillance even at times when they have not logged in to make themselves available for work.”

Farrar added that, due to the seriousness of the impact these practices can have on precarious workers, the ICO must also conduct an urgent review dedicated solely to how personal data is used in gig economy employment practices.

Legal basis for workplace monitoring

Speaking to Computer Weekly in May 2021 about deploying monitoring software ethically, Philippa Collins – a lecturer in law at Bristol University who specialises in labour law, human rights and technology – said that organisations should only collect and process data that is absolutely necessary for the purposes they have defined, adding that they must be able to understand what the software is doing and clearly explain why it is necessary.

“If I was in the room with an [external] data protection officer… could I convince them that every single data processing point was necessary? I think that’s going to be quite tricky,” she says, adding the software’s deployment also needs to be monitored on an ongoing basis to ensure its use remains within the original purpose and is therefore compliant with the General Data Protection Regulation (GDPR).

“You’ve got to keep checking. It’s not like you just introduce it one day and your obligations are done – you have to keep checking that what you’re doing is legitimate and that it’s actually achieving the aims you set out to achieve.”

While Collins agreed employees should be consulted, both generally and as data subjects, she said organisations cannot simply rely on employee consent as their legal basis for using such technologies.

“It’s very clear that, because of the imbalance of bargaining power between workers and employers, an employer would not, as a data processor, be able to rely on the consent of their employees to process their data,” she said, adding it is a common misconception that signing an employment contract automatically allows enterprises to process their workers’ data.

“If you’re that employer, you’re looking to be compliant, you’re looking to do this in a way that’s entirely legitimate. Consultation would improve how you go about it – it would improve the logistics of it because you’d have employee buy-in, but you’d still want to be looking for another lawful basis to support your processing.”

The deadline for submitting views to the ICO on personal data and employment practices is Thursday 21 October 2021.

Read more on Business applications

Data Center
Data Management