Good Practice Recommendations –
Part 3: Notes and Examples

3.1 The general approach to monitoring

3.1.1 There are risks that the Act will be breached if line managers institute monitoring of their workers without authority and without taking into account the provisions of this Code. Business practices should be designed to ensure that monitoring does not take place without careful consideration of the requirements of the Act and this Code.

3.1.2 No further guidance on this recommendation.

3.1.3 If monitoring is to be justified on the basis that it is necessary to enforce the organisation’s rules and standards, these rules and standards must be known and understood by workers. In some cases the standards may be obvious, for example that it is unacceptable to engage in criminal activity in the workplace, but in others they may not. The easiest way of doing this is likely to be to set out rules and standards, for example in relation to acceptable uses of e-mail systems and internet access, in a policy that is made known to and accessible by all workers affected. Either in this policy or separately, the employer should go on to set out the circumstances in which monitoring may take place, the nature of the monitoring, how information obtained through monitoring will be used, and the safeguards that are in place for the workers who are subject to the monitoring.

3.1.4 Workers who are subject to monitoring should be aware when it is being carried out, and why it is being carried out. Simply telling them that, for example, their e-mails may be monitored may not be sufficient. They should be left with a clear understanding of when information about them is likely to be obtained, why it is being obtained, how it will be used and who, if anyone, it will be disclosed to. The necessary information can be provided, for example, through signage in areas subject to monitoring or through details given in a staff handbook. Workers should be kept aware of existing monitoring, perhaps by reminding them periodically. Where significant changes to monitoring arrangements are introduced they should be told about these.

3.1.5 No further guidance on this recommendation.

3.1.6 Monitoring may involve others having access to personal information about workers. In some cases the information may be of a private nature, for example if monitoring extends to the content of e-mail messages. As far as possible such information should be excluded from monitoring. Where this is not possible and monitoring is nevertheless justified the numbers of those who have access to the information must be kept to a minimum. They must be subject to rules to ensure the information is kept securely, not misused or improperly disclosed. They should also be trained to understand the data protection principles that arise when carrying out monitoring. Monitoring may well be more intrusive if those who have access to private information are close colleagues or the manager of a worker. Therefore employers should take care to identify the most appropriate person/people to undertake monitoring, for example for larger businesses this might be those with security or personnel responsibilities.

3.1.7 Personal information obtained for a particular purpose should not be used in a way that is incompatible with that purpose. If monitoring is justified on the basis of addressing a specific risk faced by the employer, the use of information to address a lesser risk, that on its own would not justify monitoring, should be avoided. It is in any case likely to be unfair to workers to tell them that the monitoring is undertaken for a particular purpose and then use the information for another purpose that they have not been told about unless it is clearly in the worker’s interest to do this or the information reveals activity that no employer could reasonably be expected to ignore. The type of activities that an employer could not reasonably be expected to ignore might include criminal activity at work, gross misconduct or breaches of health and safety rules that jeopardise other workers.

3.1.8 Websites can be visited unwittingly through unintended responses of search engines, unclear hypertext links, misleading banner advertising or mis-keying. Workers should have the opportunity of explaining or challenging any information before action is taken against them. Systems malfunction can cause information collected through monitoring to be misleading or inaccurate. Information can also be misinterpreted or even deliberately falsified.

3.1.9 Many businesses buy monitoring systems ‘off the shelf’. In such cases the business should make sure the system facilitates data protection compliance. In other cases appropriate system requirements should be specified. Particular care should be taken with suppliers from outside the EU who may not be used to working within the confines of data protection law. The legal responsibility for compliance rests clearly with users rather than suppliers of systems. Users cannot simply blame the system. The Information Commissioner does though recognise that it may take some time to bring existing systems up to the desired standards. He will take this into account should the possibility of
enforcement action arise as a result of a breach of the Act.

If personal information about a worker is kept or collected by an employer for its purposes the information must be made available to the worker if an access request is made, unless an exemption applies. With e-mail or video monitoring this may be onerous, particularly if the system used does not store information in a way that makes any personal information readily retrievable. This is a factor employers should take into account in their impact assessment.

3.1.10 Sometimes a customer for a supplier’s products or services may seek to impose a condition requiring the supplier to monitor its workers. For example a contractor working in a defence establishment may be required to undertake periodic security checks on those workers employed on the relevant contract. If this monitoring involves processing personal information about the workers it will not be justified simply because it is a condition of business. Such a condition cannot override the employer’s obligation to comply with the Act. Monitoring of workers by the supplier or contractor must be based on the outcome of its own assessment. This does not stop the supplier or contractor being guided by any assessment the customer for its products or services might have undertaken for itself.

See Part 2, Employment Records ‘Workers access to information about themselves’ for more information.

3.2 Monitoring electronic communications

3.2.1 It is a fundamental requirement of data protection law that workers are aware of the monitoring. One way to achieve this is for the employer to establish, document and communicate a policy on the use of electronic communications systems. However workers will base their expectations of privacy not only on the employer’s stated policy but also on its practice. For example, if the employer’s policy imposes a ban on personal telephone calls but in practice the employer ‘turns a blind eye’ to a limited number of personal calls, the employer will not be able to depend on there being a complete ban as its justification for carrying out monitoring. The capabilities of electronic systems should be used to remind workers of their responsibilities. These can be set so that workers cannot proceed to access
the internet or e-mail services without acknowledging the acceptance of certain conditions.

3.2.2 Except in limited circumstances that are unlikely to apply to the monitoring of communications by employers, interception, without the consent of sender and recipient, is against the law unless it is authorised by the Lawful Business Practice Regulations. This is the case for both public and private sector businesses. An interception occurs when, in the course of its transmission, the contents of a communication are made available to someone other than the sender or intended recipient. It therefore includes access to e-mails before they have been opened by the intended recipient, but does not include access to stored records of e-mails that have been received and opened. Bear in mind that in many cases, for example customer enquiries, the intended recipient of a communication will be the
business itself rather than a specific individual. Monitoring of such incoming communications by the business will not involve an interception. There are though likely to be incoming communications, including but not limited to private ones, where the intended recipient is a specific individual. Monitoring that extends to the content of these before they have been opened by the intended recipient is likely to involve an interception.

See the Lawful Business Practice Regulations, for more information about this.

3.2.3 Where practicable limit monitoring to that necessary to ensure the security of the system, e.g. protection from intrusion and from malicious code such as viruses or Trojans, or detection of the misuse of passwords.

Take account, particularly in any impact assessment, of the ability of automated monitoring to reduce the extent to which extraneous information is made available to any person other than the parties to a communication. For example, monitoring to protect the security of a system can generally be automated. Monitoring to detect references to matters of particular sensitivity, for example the name of a company involved in a merger negotiation, might also be automated. Automated monitoring systems are becoming increasingly sophisticated and their capabilities should be exploited to assist data protection compliance, for example through the ability to target monitoring at suspicious patterns of activity.

3.2.4 Do not introduce monitoring or the recording of the content of calls in all cases. If recording is necessary to provide evidence of business transactions, e.g. in telephone banking, and it is undertaken only for this reason it will not be ‘monitoring’ within the scope of this part of the Code. Recording should though be limited to those calls involving, or likely to involve, transactions. Take into account, particularly in any impact assessment, the possibility that acceptable benefits might be achieved by the use of an itemised call record. If the itemised call record alone is insufficient, assess whether it can be used to help ensure that monitoring is strictly limited and targeted. For example, there might be evidence that commercial secrets are being passed to a competitor. By examining itemised call records it might be possible to narrow down those under suspicion and target monitoring accordingly.

See ‘How Intrusive is Your Monitoring?’ for more information about this.

3.2.5 Although this Code of Practice is primarily concerned with information about workers rather than external callers, employers should bear in mind that monitoring workers will often involve collecting information about those people who make calls to or receive calls from the organisation as well as about workers themselves. Where monitoring goes beyond simply listening-in in real time on calls without recording them and so involves the processing of personal data, these people should also be told that monitoring is taking place and why. Unless it is self-evident that monitoring is taking place and why, provide this information, where reasonably practicable, through the use of recorded messages on telephone systems. Don’t forget that those who might be making personal calls to workers are less likely to expect that their calls may be monitored, or to understand why, than, for
example, customers who might expect some recording to take place. If there is no better way of providing information, instruct workers to inform callers that their calls may be recorded and to explain why this is the case.

3.2.6 Where employers pay for mobile phones which workers may use for personal calls or for land lines in their homes, they may receive itemised bills directly or via their workers. Employers should bear in mind that workers’ expectations of privacy are likely to be significantly greater at home or outside the workplace than in the workplace. This distinction should be reflected in making an impact assessment. If bills are received directly, workers should be made aware of the extent of information about personal use received by the employer. In either case, information about personal calls should not be used for monitoring. It may be used for billing or in exceptional circumstances, where there is
evidence of work related criminal activity, accessed as part of a specific investigation.

3.2.7 In an impact assessment of e-mail monitoring you should consider the following;

• Can analysis of e-mail traffic rather than monitoring the content of messages be used? If the traffic record alone is not sufficient, can the traffic record be used to narrow the scope of content monitoring, for example to restrict any examination of the content of messages to those that are being sent to a rival organisation?
• Is it feasible to use an automated monitoring and detection process that for example detects malicious code such as viruses or Trojans, or limits the size of attachments that can be received?
• Is there a risk that monitoring the content of messages will breach a duty of confidence owed to workers or customers?
• Are there secure lines of communication, for example for the transmission of sensitive information from the worker to an occupational health advisor or for trade union communications that will not be subject to monitoring? Some systems can be set up so that messages to and from particular individuals or sections of the organisation are not subject to monitoring or are monitored differently to others.
• Is there a system that allows workers to mark personal communications as such?
• What would be the implications of making adjustments to the system, for example to provide facilities that allow messages to be sent that do not bear the employer’s ‘official’ heading? The provision of such facilities should reduce the risk of employers’ liabilities in respect of personal e-mails sent using the employer’s equipment.
• Can any monitoring be confined to external rather than internal e-mail messages? In some cases monitoring of internal messages might be more intrusive for workers whereas the benefits of monitoring might come mainly from external messages.
• Can e-mails that are marked personal, or which there are other grounds to believe are personal, be excluded from monitoring or treated differently? Apart from automated monitoring which rejects or returns unacceptable messages for security reasons messages that are personal should only be opened in exceptional circumstances, for example where a worker is suspected of using e-mail to harass other employees.
• Is there a ban on personal use of the e-mail system or a restriction on the types of messages that can be sent? Such a ban or restriction does not in itself justify the employer knowingly opening messages that are clearly personal. However an employer designing monitoring is entitled to work on the assumption that messages in the system are either all likely to be business ones or, if personal, are only likely to be of a particular type. If personal use is prohibited it may be possible to detect personal messages from the header or address information and take action against the sender or recipient without opening them.
• Are workers provided with a separate e-mail account or an encryption capability? Are they allowed access to web-based mail services for personal use?
• Are systems for recording information about e-mail use reliable? Employers should bear in mind that e-mails and associated records can be misleading or even falsified, and if cited in court could be challenged.

In an impact assessment of internet access monitoring you should consider the following;

• Can monitoring that prevents rather than detects misuse be used, for example by blocking access to inappropriate sites or material by using web-filtering software? Consider the capabilities of the latest technology, for example, products are available that, it is claimed, can undertake complex analysis of images and thereby prevent the display of sexually explicit material without disrupting normal business activity.
• Is it possible to prevent misuse of systems by recording the time spent accessing the internet rather by monitoring the sites visited or the contents viewed?
• Is it possible to limit the use of the information collected? For example, if the issue is that a worker has been spending too much time on the internet for purposes that are not work-related, is it necessary for the worker’s manager to be told exactly what sites have been visited?
• Can private internet access be separated from business access, perhaps by having a different log-on for private use and then limiting the collection of information on private use to the length and time of the session?
• Can monitoring be done on an aggregated basis, for example examining logs of which sites have been accessed from which departments and only focussing on specific workers if it is apparent there is a problem?

See ‘How Intrusive is Your Monitoring?’ on page 56 for more information about this.

3.2.8 Accessing the contents of a worker’s personal e-mails or other correspondence will be particularly intrusive. This should be avoided wherever possible. It is particularly important if the worker has a genuine expectation of privacy. This might be confined to e-mails where the words ‘private’ or ‘personal’ have been included in the message header if workers have been clearly instructed to mark personal e-mails in this way. If the content of personal e-mails is to be accessed, the employer must have a pressing business need to do so, e.g. grounds to suspect the worker of work-related criminal activity. This must be sufficient to justify the degree of intrusion involved and there must be no reasonable, less intrusive alternative. It is recommended that the impact assessment approach is used to determine whether this is the case. An employer is, of course, entitled to take into account anything workers may have been told about the likelihood and extent of monitoring in its assessment.

3.2.9 Monitoring external e-mails will mean processing information about those people who send e-mails to or receive e-mails from the organisation, as well as about workers. Unless it is self-evident, these people are also entitled to be told, where practicable, that monitoring is taking place and why. This may not be easy to achieve. Employers would not, for example, be expected to inform external senders of e-mails that messages will be virus checked even though this may involve processing their personal information. However, if information about external contacts is to be used in ways they would not expect, then they should be told. If e-mail responses are solicited, for example, when job applicants are asked to send in their applications by e-mail, it should be possible to provide any necessary information beforehand, for example in the job advertisement. If e-mails are unsolicited, the information could be provided in any response.

3.2.10 The purpose for doing this should be to ensure the business responds properly to its customers and other contacts during a worker’s period of absence. Workers should be aware that communications addressed to them will be opened in their absence. Employers may wish to encourage the use of a marking system to help protect personal communications when the intended recipient is absent. Only in exceptional circumstances should e-mails that are clearly personal be opened, for example if the worker is suspected of using the employer’s communication system to engage in criminal activity.

3.2.11 There are a variety of ways in which workers can be told about the retention of information about their e-mail or internet usage. This might be done by giving them an information pack addressing this when they are given access to the office’s internet or e-mail systems, or by displaying on-line information on their computer. It is important to ensure that workers are aware of retention periods and, in particular, that they are not misled into believing that information will be either deleted or retained when this is not the case.

3.3 Video & audio monitoring

3.3.1 Continuous video or audio monitoring is particularly intrusive for workers. The two combined are even more intrusive. The circumstances in which continuous monitoring of individual workers is justified are likely to be rare, for example work in particularly hazardous environments such as refineries or nuclear power-stations, or where security is a particular issue, for example in the premises of a precious stone dealer. This is different from the security monitoring of public or semi-public areas where workers may pass from time to time, e.g. corridors or car-parks. Depending on how and why it is set up, such monitoring may not fall within the scope of this part of the Code. It is in any case much more likely to be justified, particularly if one of its purposes is to protect workers or their property.

In an impact assessment of video and/or audio monitoring you should consider the following;

• Can video and audio monitoring be targeted at areas of particular risk, for example where there is a risk to safety or security?
• Can monitoring be confined to areas where workers’ expectations of privacy will in any case be low, for example areas to which the public have access?
• Can video and audio capability be treated separately?
• Will the employer be in a position to meet its obligations to provide subject access to and, to the extent that it might be necessary, remove information identifying third parties from audio and video recordings?

3.3.2 Employers carrying out monitoring should make it clear to workers that monitoring is taking place and where and why it is being carried out. This could be done by ensuring that in areas subject to monitoring, a prominent sign is displayed that identifies the organisation responsible for the monitoring and why is it being undertaken, and says who to contact regarding the monitoring. Simply telling workers that from time to time they may be subject to video or audio monitoring is not sufficient. A good rule of thumb for fairness is for the employer to consider whether workers, at the point at which they are subject to monitoring, would be aware that it is taking place. Although in limited circumstances the Data Protection Act allows for covert monitoring, for example where telling workers about the monitoring would be likely to prejudice the detection of crime, workers should normally be told clearly when monitoring is taking place.

3.3.3 Not only workers but also others who might be caught by monitoring should be informed that it is taking place and why it is taking place. Any notification given should identify the organisation responsible for the monitoring, its purposes, and should say who to contact regarding the monitoring.

3.4 Covert monitoring

3.4.1 Where the carrying out of monitoring results in the collection or other processing of personal information, those who are subject to it should be made aware that it is being carried out and why it is being carried out. The more intrusive the monitoring the more precise the information given to workers needs to be. Where video or audio monitoring takes place workers should have specific information such as the location of cameras or microphones. Where communications are monitored the information may be less specific but workers should know when to expect that information about them will be collected. In any other case the monitoring is likely to be covert.

Covert monitoring is monitoring carried out in a manner calculated to ensure those subject to it are unaware that it is taking place. Employers should ask themselves if the workers about whom they are collecting information would be likely to know the collection is taking place. If the answer is ‘no’, the monitoring will be covert. Covert monitoring may take place inside or outside the workplace. The covert watching of a worker by another person is not in itself subject to the Data Protection Act, but once it results in a record being kept about the worker, the Act will apply.

Covert monitoring will only be justified in a particular case if openness would be likely to prejudice the prevention or detection of crime or equivalent malpractice or the apprehension or prosecution of offenders. There may be cases where one of the other exemptions in the Act could apply, but these are unlikely to arise in the employment context. It is therefore essential that the employer makes a considered and realistic assessment of whether such prejudice is likely. A reliable test of whether covert monitoring is justified is to consider whether the activity being monitored is of sufficient seriousness that it would be reasonable for the police to be involved. This does not mean, though, that the employer need necessarily involve the police. However, the implications of covert
monitoring are such that senior management authorisation ought to be a prerequisite.

3.4.2 No further guidance on this recommendation.

3.4.3 It is hard to see circumstances where an employer would be justified in installing secret video cameras or other covert monitoring devices in areas where workers would have a genuine and reasonable expectation of privacy. This would include toilets. It is also likely to include closed offices allocated to individual workers for their exclusive use, although the extent to which particular parts of the workplace can genuinely be regarded as private will vary from employer to employer. Whilst in exceptional circumstances covert monitoring in private areas might be justified, for example where there is evidence of drug-dealing on the premises, any such monitoring should take place with the intention of involving the police.

3.4.4 An employer does not avoid its obligations by engaging a private investigator or other agent to collect personal information about workers on its behalf. If an employer engages a private investigator to collect information covertly on workers the private investigator will be a ‘data processor’. The employer retains responsibility for data protection compliance. This can be discharged through the contract the employer must have with the private investigator and under which data protection obligations must be placed on the investigator.

3.4.5 Limit the number of staff involved in covert monitoring and identify clearly who has authorisation to be involved. Clear rules should be set down limiting the disclosure of and access to personal information obtained. Information about workers who are not the target of the investigation should be deleted as soon as practicable. The type of activities that an employer could not reasonably be expected to ignore might include criminal activity, gross misconduct or practices that jeopardise the safety of others.

3.5 In-vehicle monitoring

3.5.1 In an impact assessment of monitoring of vehicles used by workers you should consider
the following;

• Can the monitoring be conducted without yielding information that relates to the private use of vehicles? Information about the location of the vehicle will be the most intrusive.
• Is private use of vehicles supplied by, or on behalf of, the employer, allowed? Where private use of vehicles is allowed, monitoring their movement when used privately, without the freely given consent of the user, will rarely be justified. (Note: this means that if the vehicle is used for both private and business use there ought to be a ‘privacy button’ or other arrangement that enables the monitoring to be disabled. However where an employer is under a legal obligation to monitor the use of vehicles, even if used privately, for example by fitting a tachograph to a lorry, then the legal obligation will take precedence.)
• Is monitoring of workers’ own vehicles to take place? Monitoring of such vehicles will only be justified where the vehicle is being used for business purposes, the worker has freely consented to the installation and use of any monitoring device, and the information collected by the employer is strictly necessary for its business purposes, for example to reimburse the worker for the cost of business use.

The approach of making an impact assessment should be applied to monitoring even if vehicles are provided by, or on behalf of, the employer, exclusively for business and related use, e.g. home to work journeys.

3.5.2 It is important to lay down clear rules as to what private use is or is not allowed of vehicles supplied by, or on behalf of, the employer and the conditions that attach to both private and business use. Workers should be told clearly of any monitoring that takes place and how any information obtained will be used. It should be possible for the user to disable any monitoring of the vehicle’s movements when it is being used privately although there may be a facility to override this in exceptional circumstances, e.g. theft.

Ensure workers given access to vehicles are aware of the policy.

3.6 Monitoring through information from third parties

3.6.1 An impact assessment should be based on the presumption that workers are entitled to keep their private lives private and that employers should not intrude into this unless they face a real risk to which the intrusion is a proportionate response. As part of the assessment, consider whether there is evidence that the monitoring is justified. For example, a worker’s financial circumstances should not be monitored unless there are firm grounds on which to conclude that a worker in financial difficulties in the job in question actually poses a significant risk to the employer. One area where this might be the case is in some parts of the financial services industry where there are particular opportunities for fraud.

3.6.2 Workers can be told about the sources that will be used to carry out checks on them in a variety of ways. General information can be put in a staff handbook, displayed on a notice board or delivered on-line to workers with access to computer systems. However, where a specific check is to be carried out, the worker should be directly informed of this unless to do so would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders.

3.6.3 Section 55 of the Act makes it a criminal offence to obtain personal information without the authority of the data controller. Credit reference agencies hold a range of information about individuals. Some can only be used for credit decisions. An employer using a facility for employee monitoring that is provided to assist it in making credit decisions about customers is likely to be obtaining information without the authority of the agency.

Bear in mind that information held by credit reference agencies is based on public records which are not compiled with worker monitoring in mind. They can be incorrect or misleading.

3.6.4 Do not monitor workers through information you have as a result of a different relationship with them, e.g. as a customer or client, unless it is based on a condition of employment and the intrusion caused by the monitoring is justified by the risk faced. This is only likely to be so in special cases, for example a bank must not routinely monitor the bank accounts of all workers. If monitoring can be justified it must be targeted at particular individuals and particular information that poses a risk. For example monitoring to detect serious indebtedness by bank workers with a particular opportunity for fraud might be justified on the basis that preventative action can then be taken. This would not however justify examining the details of payments made by these workers unless criminal activity was suspected.

3.6.5 As with any worker records, steps should be taken to ensure the reliability of staff that have access to monitoring information. This is especially important where private or confidential information is likely to come into their hands. This is not simply a matter of carrying out background checks; it also involves instruction or training and ensuring that workers understand their responsibilities in respect of such information. Consider placing confidentiality clauses in the contracts of employment of relevant staff.

3.6.6 Once information has been obtained through monitoring and any necessary evaluation of this made, do not retain the information unless there is an overriding reason for doing so. Usually it will be sufficient to record that the evaluation has been carried out and its result. As a general rule, unless there is a legal or regulatory obligation to do so, the information should not be retained for more than 6 months. There might however be some exceptions, for example where the information has ongoing relevance to the placement of the worker, such as might be the case with an employment agency that routinely places its workers in a variety of short-term assignments with its clients.