ICO publishes draft guidance on employee monitoring and processing worker health information

10 November 2022

New draft guidance has been issued to assist employers with the complex and potentially risky areas of monitoring staff and using health information during employment.  Our summary of the guidance is available here.

The Information Commissioner's Office (ICO) has published drafts of two further guidance documents: one covers employee monitoring and will replace the previous "monitoring at work" chapter contained within the employment practices code of 2011, and the other relates to processing information about workers' health.

Guidance on employee monitoring

The new guidance is considerably more detailed (currently running to 54 pages) than the previous version, with additional guidance required to reflect the changes to how we use technology in the workplace.

The new guidance adopts a clear, practical approach and provides a number of checklists for employers to follow when they're carrying out specific types of monitoring. It also introduces some key changes in the guidance, including:

  • A requirement to regularly remind staff of the monitoring policy and any policies which employers rely on to justify monitoring.
  • Confirmation that the ICO will not consider monitoring justified if the purpose is to monitor compliance with a policy which is not enforced in practice. For example, if an employer has a policy which prohibits personal calls from company phones but in reality, it allows a reasonable number of personal calls, it cannot rely on this policy to justify monitoring inbound/outbound calls on work phones.
  • A focus on carrying out Data Protection Impact Assessments (DPIAs) where employers are carrying out monitoring, even where there is no legal requirement to do so.
  • A strong emphasis on consultation when rolling out new monitoring activity; the guidance states that the views of staff or representatives should be sought unless there is a good reason not to. 

The consultation is open until 11 January 2023 and the guidance is expected to be finalised shortly afterwards.

Guidance on processing workers' health data

This guidance is the first to be published by the ICO on this subject and is intended to provide clear examples of how to apply the provisions of the data protection legislation.

The new guidance includes practical advice on the following areas:

  • When employers should rely on consent for processing health data and an example of when consent may appear to be freely given but an employee could feel compelled to give it.
  • The conditions which could apply to processing health data.
  • How employers should handle sickness and injury records, including ensuring that they are processed lawfully and stored securely, and when this information should be shared.
  • Accessing an employee's medical records lawfully and the use of occupational health professionals and sharing information with them.
  • How to ensure medical examinations, drug/alcohol and genetic testing are carried out lawfully.
  • The use of health monitoring technologies.

The consultation is open until 26 January 2023.