LEGAL, REGULATORY & COMPLIANCE CONSULTANTS

Handley Gill Limited

Our expert consultants at Handley Gill share their knowledge and advice on emerging data protection, privacy, content regulation, reputation management, cyber security, and information access issues in our blog.

I Always Feel Like Somebody's Watching Me

To coincide with London Tech Week 2022, and its Future of Work Summit taking place on Wednesday 15 June 2022, as well as the work focus of CogX Festival, in this presentation we address the legal and regulatory issues surrounding the use of employee monitoring and surveillance technology in the remote and hybrid workplace and provide guidance in the form of the top 10 actions to take to deploy such technology lawfully and compliantly. The title is inspired by the classic 1980s Rockwell hit song, the lyrics to which are “I always feel like somebody's watchin' me. And I have no privacy”.

Placing employee monitoring and surveillance technologies within the private home environment brings with it additional risks, and potential impact on non-employees, and this must be considered when preparing to deploy such technologies and mitigations established. The timing, frequency and nature of monitoring, and ensuring that employees are well aware of it and its extent, will be crucial to ensuring proportionality and lawful use.
— Handley Gill Limited

10 top tips for deploying workplace monitoring and employee surveillance technologies

  1. Just because you can buy or use a product doesn’t mean that it is lawful or compliant for you to deploy it or that it will deliver on the sales pitch.

  2. When considering purchasing a product, test the veracity of the sales pitch and consider how it will support you in responding to data subject rights requests for personal data captured using the product.

  3. Always give employees notice of the fact and nature of any monitoring that is intended to be deployed in advance, and how data will/could be used, and obtain written authorisation for installation of software on or other access to personal devices. Consider building this into your ‘Bring Your Own Device’ (BYOD) policy.

  4. Identify and record why you consider the deployment to be necessary and how you meet your legal obligations, completing a data protection impact assessment in connection with high-risk processing.

  5. Where possible, consult with employees/union representatives in relation to the intended deployment.

  6. Consider whether you need to consult with the Information Commissioner in relation to high-risk processing the risks of which cannot be mitigated.

  7. If the supplier will process personal data on your behalf, ensure that a written data processing agreement is in place and, if they are based outside the UK, or use suppliers based outside the UK, consider what lawful basis for transferring personal data overseas will be relied on and conduct an international data transfer risk assessment / transfer impact assessment (TIA) where required.

  8. Ensure data collected is held securely and establish a process for approving access to data.

  9. Monitor the data collected both to meet your purpose and test the utility of the data in the least intrusive way possible.

  10. Ensure you establish and implement retention policies in connection with the data collected.