Get your staff's consent before you monitor them, tech inquiry warns

Companies that monitor their employees should only do so after they consult with and get consent from the staffers they are watching or tracking.

That's according to a report published this week after a year-long inquiry by the department formerly known as DCMS into the harms and benefits of connected technologies.

The report also adds that the government should "commission research to improve the evidence base regarding the deployment of automated and data collection systems at work."

It cites research from Oxford University's Fairwork Project based at the OII, with Dr Matthew Cole testifying that "micro-determination of time and movement tracking through connected devices, which had been introduced to improve productivity, such as in warehouses, had also led to workers feeling alienated and experiencing increased stress and anxiety."

Unless there is a union that is litigating around these things or an existing collective bargaining agreement, there is a lack of enforcement at the state level

Meanwhile Dr Asieh Tabaghdehi, a senior lecturer in Strategy and Business Economics at Brunel University London, told the committee that connected tech can lead to "better and more efficient production."

To no one's surprise, Amazon jumped in to argue for monitoring employees in the workplace, the committee noted. It stated that "robotics, machine learning and other technologies" in its fulfilment centers had "reduced the physical burden on employees, reducing walking time and taking on repetitive tasks, and freed them up to focus on more sophisticated tasks beyond the scope of automation."

Evidence from Oxford University's Fairwork Project cited in the report also notes that the UK GDPR provides a "certain degree of protection for private individuals. However, it is more limited in protecting workers in the workplace."

OII researcher Dr Matthew Cole noted in his evidence that: "Unless there is a union that is litigating around these things or an existing collective bargaining agreement, there is a lack of enforcement at the state level. The UK government could do much better at ensuring protections for worker data and protecting citizens of the UK from global giants like Uber, for example."

He added: "There are a few provisions there that specifically deal with subject-access requests and protect workers against algorithmic decision-making, like hiring and firing purely by algorithm, but there is a lack of enforcement."

What are UK-based workers' rights currently?

According to current guidance from the government outlining employees' rights in relation to being monitored at work, "Employers must explain the amount of monitoring clearly in the staff handbook or contract." And according to recent ICO guidance, still in draft form, not only do companies need to tell workers that they are being monitored, they need to outline what counts as a "reasonable number of personal emails and phone calls", and if personal emails and calls are not allowed, they need to say so at the outset. Companies might be in breach of the Data Protection Act if they do not do so.

As for covert monitoring, where staff wouldn't be aware it was happening, the draft guidance says it is only allowed under "exceptional circumstances," employers need to be able to justify why it is necessary, and it can't be used to capture communications that workers would reasonably expect to be private, such as personal emails.

If you're not happy about being monitored, you should check your staff handbook or contract to see if the employer is allowed to do this, the gov.UK page advises. "If they're not, the worker might be able to resign and claim unfair ('constructive') dismissal."

The ICO's draft guidance also suggests companies "make sure workers understand what data is being processed during monitoring," and suggests setting up a system to ensure workers "remain aware that monitoring is being conducted."

This week's DCMS report, titled "Connected tech: smart or sinister," recommends the Information Commissioner's Office should develop that existing draft guidance [PDF], "Employment practices: monitoring at work" into a principles-based code for designers and operators of workplace connected tech.

'We are under constant cyberattack'

The inquiry looked both at the privacy issues relating to data being gathered by connected tech, and the massive security challenge involved in securing the devices from attackers. It noted that "several features inherent to connected tech … may make it difficult for people to exercise their data rights. First, connected devices are often designed without an obvious or intuitive user interface, like a computer screen."

The Information Commissioner warned that "some of these are just sensors that are collecting and transmitting data about the user with no real ability for the user to meaningfully interact with it", which "does present a number of challenges."

The report added: "The majority of submissions to our inquiry cited the risks of excessive surveillance and datafication and the impact on privacy as the primary challenges posed by connected technology."

Also cited was Google's David Kleidermacher, who discussed the extent of the challenge of cyber threats facing businesses in particular: "At Google, given the scale of the services and products that we offer across the world and given that literally every single day, in fact as we sit here right now, we are under constant cyberattack."

Kleidermacher said that while Google could afford to be proactive, most businesses simply had to live within their means and be reactive.

The report suggests the security issues be tackled through the upcoming Product Security and Telecommunications Infrastructure Consumer bill, which makes a big ask – it actually requires that devices be secure by design, which might amuse anyone who's worked in SCADA or been tasked with finding cheap webcams. It's a good move from previous voluntary codes of practice, said witnesses, though some argued the Bill did not go far enough in codifying best practice for manufacturers, importers and distributors.

• Right to contest automated AI decision under review as part of UK government data protection consultation
• China – which surveils everyone everywhere – floats facial recognition rules
• UK's proposed alt.GDPR will turn Britain into a 'test lab' for data harvesting
• UK's GDPR replacement could wipe out oversight of live facial recognition

Why consult about surveillance? Employers and staff have an imbalance in power

In evidence the Information Commissioner's Office submitted in the inquiry, it said:

Speaking of the ICO, the report has bad news. All that stuff the government plans to do that undermines the ICO's independence, the independence of comms regulator Ofcom, and tweaks made to the Online Safety Bill – it's all going to backfire.

Data protection law tweaks – but why?

The committee was vocal about powers the government wants to introduce for the Secretary of State in multiple places which would take away Parliamentary oversight of decisions taken. Reading between the lines, it's the fear the government could, in theory, adjust details – in favor of certain companies, for example – with no recourse to representatives in the form of the Commons and Lords.

The report said the government had "not yet made a compelling case for reform of data protection."

"While we understand that some companies do not share data outside the UK, we are concerned that differing expectations between those companies and companies that do share data outside the UK may give the impression of 'lesser' protections for processing personal data in the UK overall."

The committee added:

The committee cited Trustee of the Carnegie UK Trust William Perrin, who argued that the powers delegated to the Secretary of State in the Online Safety Bill, as have been replicated in the Data Protection and Digital Information (No. 2) Bill, were:

The Reg has approached the Cabinet Office for comment.

It also said the Government should commit to ensuring that the Age-Appropriate Design Code – preventing the leakage of data from IoT gadgets used by children – is "strengthened rather than undermined" by data protection reform.

Don't say they didn't warn us. ®