Security News > 2023 > August > Get your staff's consent before you monitor them, tech inquiry warns
Evidence from Oxford University's Fairwork Project cited in the report also notes that the UK GDPR provides a "Certain degree of protection for private individuals. However, it is more limited in protecting workers in the workplace."
OII researcher Dr Matthew Cole noted in his evidence that: "Unless there is a union that is litigating around these things or an existing collective bargaining agreement, there is a lack of enforcement at the state level. The UK government could do much better at ensuring protections for worker data and protecting citizens of the UK from global giants like Uber, for example."
According to current guidance from the government outlining employees' rights in relation to being monitored at work, "Employers must explain the amount of monitoring clearly in the staff handbook or contract." And according to recent ICO guidance, still in draft form, not only do companies need to tell workers that they are being monitored, they need to outline what counts as a "Reasonable number of personal emails and phone calls", and if personal emails and calls are not allowed, they need to say so at the outset.
As for covert monitoring, where staff wouldn't be aware it was happening, the draft guidance says it is only allowed under "Exceptional circumstances," employers need to be able to justify why it is necessary, and it can't be used to capture communications that workers would reasonably expect to be private, such as personal emails.
The ICO's draft guidance also suggests companies "Make sure workers understand what data is being processed during monitoring," and suggests setting up a system to ensure workers "Remain aware that monitoring is being conducted."
"While we understand that some companies do not share data outside the UK, we are concerned that differing expectations between those companies and companies that do share data outside the UK may give the impression of 'lesser' protections for processing personal data in the UK overall."