Updated Guidance and legislative changes

27th November 2023

  1. Employee monitoring and the importance of Data Protection Impact Assessments

The Information Commissioner’s Office (ICO) published guidance on 3 October 2023 on how employers can monitor workers lawfully, transparently and fairly.

Employers often monitor a myriad of employee activities, ranging from the less intrusive, such as monitoring employee access to their premises, to more invasive monitoring such as using productivity tools to log employee keystrokes and monitor their internet use. The latter type of processing is much more common now that home working is more ubiquitous.

In circumstances where any monitoring takes place, the ICO has set out in this new guidance the steps employers must follow before monitoring their employees. All employers should, as a minimum, follow this checklist to ensure compliance with data protection legislation:

  • Make workers aware of the nature, extent and reasons for monitoring.
  • Have a clearly defined purpose and use the least intrusive means to achieve it.
  • Have a lawful basis for processing workers' data – such as consent or legal obligation.
  • Tell workers about any monitoring in a way that is easy to understand.
  • Only keep the information which is relevant to its purpose.
  • Carry out a Data Protection Impact Assessment (DPIA) for any monitoring that is likely to result in a high risk to the rights of workers.
  • Make the personal information collected through monitoring available to workers if they make a Subject Access Request.

None of this is new; the guidance merely sets out what businesses should already be doing. One slight change in emphasis is on the use of DPIAs, something that will be key where more intrusive monitoring is taking place. A DPIA is an important document: it demonstrates that a business has considered the impact of the processing activity and its compliance with relevant legislation, and it documents the business's reasoning if ever queried by the ICO.

Given the fines the ICO can levy, and the enforcement powers that it possesses, organisations should ensure that they have DPIAs in place.  You need to be able to demonstrate data protection compliance, and that your processes are proactive and by design rather than a defensive response to events.


  2. New ACAS guidance on predictable working patterns

Flexible contracts, such as zero hours contracts, can benefit businesses and individuals where they meet the needs of both parties. That being said, some workers working under these contracts may want to seek a more permanent working pattern, as by their very nature, they tend to be varied and unpredictable.

As such, the Workers (Predictable Terms and Conditions) Act 2023 was designed to offer a solution for workers who are seeking a more stable working pattern. Once it comes into force, likely at some point next year, it will introduce a statutory right for workers to request a predictable working pattern.

Given this new legislation, it is likely that businesses will receive many of these requests, certainly in sectors where flexible working is more common, such as the leisure sector. Ahead of this upcoming legislation, ACAS has produced a new draft statutory Code of Practice setting out a suggested procedure to be followed when dealing with predictable working requests.

Although this guidance is currently only a draft, it does outline a detailed suggested procedure. The process is similar to when an employee makes a flexible working request.

  1. To make a request, a worker must have worked for the employer at least once in the month in the period before the 26 weeks leading up to the day of the request.
  2. A statutory request must be in writing and must include:
    1. the date of the request;
    2. a statement that it is a statutory request for a predictable working pattern;
    3. the change the worker is seeking to their working pattern;
    4. the date on which the worker would like the change to come into effect; and
    5. if and when the worker has made a previous request to their employer for a predictable working pattern, as a worker will only be able to make two statutory requests in a 12-month period.
  3. Once they receive a request, employers should arrange a meeting to discuss the request.
  4. During this meeting, they should consider the worker's current working pattern and evaluate the impact of the requested change. Just as with a flexible working request, this will involve considering the benefits and negatives of accepting the request. Permissible reasons for rejecting a request will be the same as for rejecting a flexible working request. It is worth noting that the ACAS code suggests that employers must accept a worker’s request unless there is a genuine business reason not to.
  5. Meetings should be held without unreasonable delay and the worker should be allowed to be accompanied.
  6. Employers should inform the worker of the outcome of their request in writing, in a reasonable timeframe.
  7. The worker should be allowed to appeal.
  8. All requests, including appeals, must be decided and communicated to the worker within one month of the date of the request.

The Code will not be legally binding but will be taken into account by courts and employment tribunals when considering relevant cases.


  3. Disclosing criminal convictions

Under the Rehabilitation of Offenders Act 1974, job applicants must disclose certain convictions on job applications. However, if enough time has elapsed after the sentence has been served – the rehabilitation period – then the conviction will be considered ‘spent’ and will no longer be disclosable.

From 28 October 2023, under the Police, Crime, Sentencing and Courts Act 2022, the Government has decided to shorten the period before certain criminal offences can be considered ‘spent’, which means a reduction to the length of time job applicants must declare certain criminal convictions in job applications. For example, a custodial sentence of less than 1 year will be spent 1 year after the sentence has been served. Up to 4 years, it is spent after a further 4 years, and finally custodial sentences of over 4 years are spent after another 7 years.

There are exceptions to these new rehabilitation periods, where the crime involved serious sexual, violent or terrorist offences. These offences are never spent and will always be disclosable.

There are also excepted occupations, offices and professions (of which there are many) which are not subject to the general principle on rehabilitation and which require the disclosure of spent and unspent convictions. The work types fall into five broad categories, which are:

  1. Professions (for example lawyers, medics, accountants, vets, chemists).
  2. Those employed to uphold the law (judges, police, prison officers, traffic wardens).
  3. Certain regulated occupations (financial services, those in charge of certain types of nursing homes, taxi drivers, firearms dealers).
  4. Those who work with children, provide care services to vulnerable adults or who provide health services.
  5. Those whose work means they could pose a risk to national security (such as air traffic controllers and certain Crown employees).

Employers must inform prospective employees at the time when the questions are asked that they are obliged to disclose spent convictions.

Employers should consider the above during their recruitment processes, and also remember that criminal record checks should only be undertaken on job applicants in limited circumstances. Employee and applicant criminal record data is akin to special category personal data under data protection legislation in the UK, and there need to be appropriate safeguards in place to allow for the processing of this category of data, as well as a coherent and demonstrable lawful basis to undertake this type of check.

If you would like to discuss employee monitoring, data protection compliance or the proposed predictable working changes, please contact james.howarth@kuits.com.
