1 minute read

Do we have to define our purpose for monitoring workers?

Further reading – ICO guidance

Data protection impact assessments

Advertisement

In detail – Data protection Impact Assessments

Data Protection Officers

It is good practice to carry out a DPIA even if there is no specific high risk. It is a flexible and scalable tool which assists your decision making. You should document any decision to proceed without carrying out a DPIA.

If you have carried out a DPIA which identifies high risk that you cannot reduce, you must consult the ICO before going ahead with the monitoring.

Further reading – ICO guidance

How do we do a DPIA?

Yes. You must be clear about the purpose for monitoring. Purpose limitation is a key principle of data protection law. You should not monitor workers ‘just in case’. For example, you may monitor email traffic for security purposes. Or you may use CCTV for site safety purposes. You should document why you are monitoring workers and what you intend to do with the information you collect.

You should only change your purpose for monitoring if your new purpose is:

• compatible with your original purpose; • related to a clear legal provision allowing the processing in the public interest; • clearly in the worker’s interest to do so; or • related to activity that no employer could reasonably ignore.

The types of activity an employer could not reasonably ignore might include criminal activity at work, gross misconduct and health and safety breaches which jeopardise workers.

If the monitoring is to enforce your organisation’s policies, make sure these are clearly set out. You should regularly bring the policies to the attention of workers. The policy or policies should also outline the nature, purpose and extent of any monitoring. You should consider that workers base their expectations of privacy not only on policy but also on practice. Excessive

This article is from: