The U.K. Information Commissioner’s Office (ICO) issued draft guidance to help ensure employers’ monitoring of staff performance does not turn into surveillance or harassment.
Spurred on by the Covid-19 pandemic forcing companies to enable employees to work from home, employers have used a range of technological tools to keep tabs on worker output and well-being. These include monitoring internet access, using webcams, keystroke logging and time-tracking devices, and even carrying out secret audio recording.
While U.K. privacy legislation, namely the General Data Protection Regulation (GDPR) and Data Protection Act, does not prevent employers from monitoring employees, the ICO is concerned some companies are overstepping the mark.
The data regulator’s guidance, released last week, reminded companies they must make workers aware of the nature, extent, and reasons for monitoring. “Covert monitoring” may only happen in “exceptional” circumstances, such as a suspicion an employee is engaging in criminal activity.
Employers must also be clear about the purpose for any monitoring and should carry out a data protection impact assessment (DPIA) to see if it might impinge on employees’ privacy rights.
The guidance calls for employee monitoring to be proportionate and not intrusive. “Just because a form of monitoring is available, it does not mean it is the best way to achieve your aims,” it stated.
For example, suppose an employer rolls out device monitoring across the entire organization because a few people working remotely altered their timesheets to say they started their shift on time when they didn’t. The ICO warned this could infringe employees’ privacy rights, because the company could use less strident and more targeted measures first, such as checking worker log-on times and allowing employees the opportunity to explain any discrepancies.
In another scenario, a company would be noncompliant with privacy legislation if the metrics used as part of its monitoring were unfair and led to inaccurate performance assessments; for example, monitoring work hours through an employee’s laptop usage but neglecting to account for other normal workplace activities, such as site visits.
Legal experts largely welcomed the ICO’s guidance.
James Potts, legal services director at HR services provider Peninsula, believes the guidance is clear and “pitches to the responsible employer who understands the benefit of employee monitoring both from a productivity perspective and an employee well-being perspective.”
Stephanie Lees, data protection associate at law firm Pinsent Masons, welcomed the ICO’s recommendation that employers consult employees before any monitoring as part of their DPIA process.
“Employers may be hesitant to do this at first, but the ICO highlights how this initial transparency can foster trust from workers and save employers time and resource in responding to complaints at a later stage,” she said in a blog post.
Nicola McKinney, partner at law firm Quillon Law, described the draft guidance as “user friendly” but added there are “limitations.” She believes the document could “quickly become out of date.”
McKinney pointed to a failure by the ICO to provide practical solutions around some of the “trickier” scenarios, such as what steps companies might need to take to discover whether personal devices, rather than authorized workplace devices, are being used to send work-related communications. This issue was at the heart of more than $1.8 billion in total fines U.S. regulators handed down last month against 11 banks, investment firms, and their affiliates for employee use of unauthorized messaging services like WhatsApp.
Home working also raises its own specific challenges when it comes to monitoring, McKinney added.
“For most employers, simply flagging there is a greater expectation of privacy at home which they should factor in is unlikely to help decide what kind of monitoring is suitable and under what circumstances,” she said.
The ICO’s consultation on the draft guidance ends Jan. 11, 2023.