Search
Close
Search
Advanced Search
Search Menu

1. INTRODUCTION

Employers have long been interested in data-driven people management. Frederick Taylor was already arguing for a ‘scientific management’ approach to labour by the late 1800s,1 and Henry Ford was known to patrol his factory floor with a stopwatch, timing workers’ motions.2 Technological changes have opened the floodgates to these practices on a much wider scale.3 Workers across the socio-economic spectrum can be evaluated along multiple axes in real-time – through GPS monitors, wearable sensors, keystroke trackers, screenshots, communication sentiment analysis and more.4 The rise of machine learning has enabled the identification of hidden correlations in these huge datasets, and big data analytics has morphed into ‘people analytics’.5

The potential harms of such practices are both deep and diffuse.6 Yet many of these harms – from health and safety violations to privacy invasions – are age-old issues in the labour context, and are consequently dealt with under various existing laws.7 Meanwhile, the personal data processing operations which underpin most algorithmic management tools are largely dealt with under data protection law.8 A comprehensive review of the legal implications of algorithmic management recently concluded that while there are ‘significant gaps in the legal protection’, there are also various ‘current laws [which] are potentially effective’ and ‘important steps… should be taken to ensure that these laws are better known’.9

That employers are struggling to understand and apply the law on algorithmic management is clear from the Department for Digital, Culture, Media & Sport (DCMS)’s recent call for views on reforming data protection law.10 Two examples are particularly telling.

The first relates to the obligation for data controllers to carry out a data protection impact assessment (DPIA) prior to processing which is ‘likely to result in a high risk to the rights and freedoms of natural persons’.11 Article 36 GDPR requires data controllers to ‘consult the Commissioner prior to processing’ where a DPIA indicates that processing would result in an unmitigable high risk to the rights and interests of the data subjects. Few controllers deem such consultation to be necessary: as of December 2021, the UK data protection authority had been approached just 17 times by data controllers proposing high-risk processing; only two of these cases were employment-related.12 These low numbers stand in contrast with the many documented cases of workers’ personal data being processed with inadequate mitigations for risks to rights and freedoms,13 indicating that employer compliance with Article 36 is limited at best.

In its recent consultation, DCMS proposed to remove the mandatory consultation requirement altogether and replace it with ‘collaborative dialogue between organisations and the ICO’.14 Following stakeholder feedback, DCMS has continued to insist that it will proceed with the proposal of removing the mandatory requirement in favour of a voluntary mechanism.15 This response seems perverse: the answer to a lack of clarity should be clarification, not abolition.

DCMS’ proposals cast a similar shadow of uncertainty over the current requirement for automated decisions with significant effect to receive meaningful human review.16 The consultation highlights the lack of case law on how the requirement ‘works in practice, or indeed how the UK GDPR is interpreted in specific AI contexts’,17 with the application of the provision to the use of algorithmic tools in recruitment to automatically reject applicants at the sift stage being given as a specific example.18 DCMS sought views on the complete removal of the human oversight requirement,19 again responding to a lack of clarity by proposing to abolish the protection altogether. After the ‘vast majority of respondents opposed the proposal to remove Article 22, with respondents noting that the right to human review of an automated decision was a key safeguard’,20 DCMS instead declared that it would consider ‘how to amend Article 22 to clarify the circumstances in which the Article must apply’.

The urgent need for clarity should mean that the Information Commissioner’s Office (ICO)’s proposed employment guidance is welcome.21 Unfortunately, the current proposals suffer from some serious shortcomings. In part, these shortcomings stem from a lack of ambition on the part of the ICO: despite significant contextual changes, the proposed instrument would retain a structure which dates back to 2005.22 Other problems are more fundamental. The existing ‘code of practice’ on data protection and employment will be replaced with mere ‘guidance’ which will have no legal significance; and the new instrument will focus narrowly on data protection law, leaving workers and employers to decipher its interaction with the myriad other codes of practice. In short, guidance is needed, but the substance and form of the forthcoming instrument will not fulfil the necessary function.

These issues are symptomatic of a broader phenomenon in both the labour context and the data protection context: quasi-legislative instruments have been promulgated over the course of decades without adequate thought being given to their objectives or to the structural and constitutional decisions necessary to ensure those objectives are met. Rather than proceeding with the proposals on guiding employer data practices, the ICO and policymakers should take the opportunity to step back to reassess how employer data practices should be guided.

This article proceeds by first highlighting some key internal shortcomings in the forthcoming quasi-legislation. Section 3 takes a step back to consider the legal insignificance of the instrument, while section 4 takes an even wider lens, highlighting the difficult questions which must be answered if any guidance instrument is to be effective. Section 5 places the ICO’s proposed instrument in context, explaining why issuing separate instruments on different aspects of the employment relationship is ultimately unhelpful. We conclude by calling for a broader rethinking of the status and purpose of ‘quasi-legislation’ in the employment context, and we highlight how the rise of algorithmic management – which creates novel interactions between historically discrete areas of law – could be a key inflection point to inspire this rethinking.

2. FIXING THE BASICS: INTERNAL SHORTCOMINGS

The proposed instrument explaining the law on employer data practices seems promising. Even on its own terms, however, the ICO’s proposal is flawed. Since its first iteration in 2005, the Employment Practices Code has been structured around four topic areas: recruitment, selection and verification; employment records; monitoring at work; and information about workers’ health.23 The intention was that each part could ‘stand alone’, with employers advised to ‘choose’ parts of the code depending on ‘the relevance to [their] organisation of each area covered’.24 From an historical perspective, division into the four topic areas made sense. The technology which employers used to monitor workers once differed from that used in recruitment, for example; and different data protection considerations applied to the different activities.

Such a division is no longer tenable. Management is now mediated through all-in-one software packages which fully or partially automate numerous HR functions – including recruitment, pay, scheduling, employee monitoring and performance management.25 Any attempt to define employers’ data protection obligations by activity will thus be both over- and under-determinative: over-determinative because the same obligations will apply to all activities, resulting in repetition throughout the guidance; and under-determinative because confining the discussion to certain activities may give a false impression that data protection considerations only arise in those instances.

Imagine, for example, an employer who is considering purchasing a service in which an algorithm vendor captures event logs from a handheld scanner at a warehouse. The event logs are stored by the vendor and analysed to generate monthly employee performance scores. To determine the legality of this proposal, should the employer look at ‘employment records’ or ‘monitoring’? Similarly, some employers track their employees’ physical movements for occupational health and safety reasons.26 Where records are generated and stored, should employers look for guidance under ‘employment records’ or ‘health’? While some issues thus fall to be dealt with repeatedly under multiple headings, other pervasive practices would appear to fall through the cracks: under what section would data processing for automated scheduling or automated pay be covered, for example?

The ICO has explicitly recognised that ‘[m]uch has changed’ since the old Code was issued,27 and its stated aims in updating the Code include ‘reflect[ing] the changes in the way employers use technology and interact with staff’.28 Despite this recognition, the ICO’s initial call for views proposed that the new guidance should ‘retain [the original four] topic areas’.29 A few months later, the ICO summarised the consultation responses: many suggested that the guidance would ‘need to address other topic areas’, including ‘cross-cutting topics’ such as ‘the increasing use of AI and algorithmic decision-making… impacting on several areas, including… recruitment… monitoring… performance management… [and] allocation of work’.30 Some suggested that a more fundamental restructuring might be necessary, such as by reference to the data protection principles.31 The ICO nonetheless reiterated that ‘[w]e think the new guidance should retain the four main topic areas from the [old] code’.32

3. LEGAL STATUS: FROM ‘CODE’ TO ‘GUIDANCE’

Fixing the structure of the instrument would not be a silver bullet. Despite replacing the Employment Practices Code, the ICO has been clear that it has ‘no plans to issue a new code of practice in this area’33 – the new instrument will be mere ‘guidance’. The reason for the apparent downgrade is that the Data Protection Act 2018 withdrew the ICO’s power to issue ‘codes of practice’ autonomously, which it had relied upon to issue the first Employment Practices Code.34 The rationale behind this withdrawal is hard to divine35 and stands in contrast with the powers afforded to Advisory, Conciliation and Arbitration Service (ACAS) and the Equality and Human Rights Commission (EHRC).36 In a context of rising risk, a shift from ‘code’ to ‘guidance’ might seem concerning.

Confusingly, though, the downgrade is actually of no legal significance. Although the old instrument had the facial authority of being called a ‘code of practice’, unlike the ACAS and EHRC codes37 it too had no legal status before courts or tribunals.38 The implications of this became clear when an employee was dismissed on the basis of information obtained through covert video surveillance.39 The Employment Appeal Tribunal considered the alleged violation of the Employment Practices Code as irrelevant to the fairness of the dismissal, pointing out that:

The Employment Practices Data Protection Code is expressly guidance. No statutory provision requires it to be paid regard to… It is not obvious to see why ignorance of a code which the employer was not bound in law to have regard to in any event would render an investigation into the wrongdoing of the Claimant unreasonable when it would otherwise have been reasonable.40

To understand the nature of ‘codes of practice’ in data protection law, a brief review of history is necessary.

A. ‘Codes’ and Data Protection Law

‘Codes of practice’ first appeared in the Data Protection Act 1984 as wholly voluntary instruments drawn up by trade associations to provide ‘guidance in complying with the data protection principles’.41 The Data Protection Act 1998 altered this position by extending the power to create ‘codes of practice’ to the Information Commissioner.42 The Commissioner had already had the power to disseminate ‘information’ about data protection law, so this addition merely permitted a more authoritative name to be given to formal guidance.43 It was this new power to issue ‘codes’ without legal effect which formed the basis for the Employment Practices Code.

However, by 2008, the wholly voluntary nature of codes had proven unsatisfactory: a report on data sharing co-authored by the Information Commissioner suggested that data controllers were relying on a ‘plethora’ of ‘piecemeal and outdated guidance’, and that a statutory code of practice on the issue – that is, a code of practice with some legal status – should be created.44 An amendment to primary legislation was duly made in 2009, requiring the Information Commissioner to promulgate a data-sharing code which tribunals and courts would be required to take it ‘into account’ when dealing with relevant questions.45

Surprisingly, this new legal status was not extended to other existing data protection ‘codes of practice’, such as the Employment Practices Code, which in legal terms remained mere guidance. A confusing two-tier framework thus emerged. This is particularly surprising when one considers that the 2008 report had itself challenged the ‘piecemeal’ nature of the guidance and had noted that a requirement for courts to consider a data sharing code would be ‘in keeping with similar codes in other fields’, including employment.46 Despite its apparent incoherence, the two-tier structure of codes of practice was expanded when further statutory (or ‘tier one’) codes were added in 2017 and 2018.47 The legislative history discloses no rationale for maintaining the confusing idiosyncrasy,48 and indeed the issue appears to have been skimmed over in some Parliamentary debates.49 The ICO’s website does not even try to explain the distinction, stating simply that:

The ICO is required under the Data Protection Act 2018 (DPA 2018) to produce four codes of practice… The DPA 2018 also allows the Secretary of State to require the ICO to prepare other codes of practice…50

Moreover, although ‘codes of practice’ (of either shape) can now be issued only by the ICO, trade associations retain the authority to issue voluntary ‘codes of conduct’, compliance with which can help to demonstrate conformity with certain specified provisions of the General Data Protection Regulation (GDPR).51

B. Choosing a Legal Status

Although the change is nominal only, there is a risk that it will impact on compliance. Anecdotal evidence indicates that employers are already ignoring ‘guidance’ promulgated by the ICO.52 Yet the desirability of according ‘codes’ legal status also remains unclear. While one might expect that the proliferation of ‘codes of practice’ over the past two decades to have been guided by empirical research, the opposite is true: the piecemeal regulatory landscape belies an absence of empirical evidence. Ganz’ seminal 1987 work on ‘quasi-legislation’ such as codes of practice found that many instruments were ‘too recent to have yielded any results’,53 and while research on employer awareness of the Race Relations Code of Practice carried out by the Commission for Racial Equality in 1989 reached generally positive conclusions, we can find no comparable research on the impact of equality codes in employment published since then.54 A 2011 report on the ACAS Code of Practice on disciplinary and grievance procedures did establish that that Code enjoys broad familiarity among employers,55 but given its special legal status, the example is not representative.56 By contrast, early research on the ACAS Code of Practice on disclosure of information to trade unions found the instrument to be of ‘limited relevance’ in the collective bargaining context.57

The absence of evidence makes it difficult to reach any conclusions about what status an instrument guiding employer data practices should have in order to be effective. This is a question for policymakers, but it is not one that has been answered. Indeed, the issue of status was not even addressed in the ICO’s initial proposal.

The legal status of a non-legislative instrument is, moreover, not only an empirical question. It is also a constitutional one. While ‘quasi-legislation’ is now a familiar and accepted part of the legislative scene,58 its role has not always been uncontroversial.59 As codes of practice for the industrial context became increasingly commonplace from the 1970s onwards, scholars began to raise concerns about requiring such instruments to be ‘taken into account’ by courts and tribunals.60 Chief among them was the concern that codes of practice could be used to indirectly impose rules which had not been agreed by Parliament.61 Codes receive little parliamentary oversight: the most common process for their approval is the negative resolution procedure,62 which involves no line-by-line analysis of codes or opportunity for amendment.63

This is not to say that quasi-legislation is inherently constitutionally problematic. Recent caselaw has established that quasi-legislation ‘does not have the binding effect which a statutory provision or a statutory instrument would have’.64 Moreover, although public bodies must generally follow their own published policies,65 the court has the final say when it comes to interpreting legislation:

[Quasi-legislation] cannot supersede statutory provisions passed by the legislature, nor can it restrict, qualify or extend statutory provisions… where guidance is given amounting to an interpretation of [statute], it should be borne in mind that only the courts can interpret the law authoritatively.66

The instruments do not, however, come without risk. Several codes of practice were adopted in the 1980s for reasons of apparent of ‘political expediency’ which restricted workers’ collective action rights in controversial ways.67 The Code on Picketing, for example, suggested a limit of six pickets at any workplace entrance68 – a limit which did not exist in the statute, but which continues to influence judicial approaches to this day.69 As Elias commented in relation to restrictions imposed by the contemporaneous Closed Shop Code:

[I]t is constitutionally unacceptable that [provisions impacting collective action rights] should be in a code rather than the body of the law. It comes close to the Government directing the tribunal to reach a particular decision and then disowning responsibility for it.70

While these codes no doubt reflected the zeitgeist of 1980s industrial relations, there are still indications that codes are being used by the executive to avoid legislative reform. A very recent example is the Government’s promise of a new ‘statutory code of practice’ on ‘fire and rehire’ (dismissal and re-engagement)71 following the P&O Ferries scandal.72 Calls have long been made for specific legislative changes to be made in relation to the same issue, but a bill on ‘fire and rehire’ practices failed to pass a second reading in 2021.73 Similar trends can be seen in data protection law: following calls for a statutory inquiry into data protection breaches by news publishers in 2018, the Government instead proffered a statutory code.74 Meanwhile, concerns about parliamentary oversight remain well-placed: recent governmental proposals on certain data protection codes of practice have suggested replacing the negative resolution procedure with alternative executive sign-off.75

In short, codes of practice should not be adopted as a ‘political compromise between conflicting pressures to do nothing and to enact legal rules’.76 Against that backdrop, it is notable that the proposed guidance on employer data practices follows consistent calls for a legislative to algorithmic management,77 including in a recent report by an All-Party Parliamentary Group.78 While the initiative comes from the ICO rather than the executive, the risk remains that the existence of a code of practice will bolster the Government’s previous response to calls for legislative reform: that ‘existing law meets the concerns raised’.79

4. GUIDING EMPLOYER DATA PRACTICES: CLARITY OF PURPOSE

The significance of replacing the Employment Practices Code with ‘guidance’ therefore has both practical and constitutional implications. To be capable of empirical evaluation and constitutional consensus, the purpose of the instrument must be clear. Most fundamentally, will the new document explain legal minima or set higher standards?

A. Clarifying Legal Obligations?

The ICO’s stated intention is to provide a ‘new, more user-friendly online resource’ which ‘addresses the changes in data protection law; reflects the changes in the way employers use technology and interact with staff; and meets the needs of the people who use [the ICO’s] guidance products’.80 Clarification of legal obligations is one of the ICO’s functions,81 and since codes of practice are not bound by the strictures of potential judicial interpretation,82 they can explain the law in language accessible to a layman. As Ganz explains:

The precise legal language in which statutes and statutory instruments are couched so that the courts will not be able to misunderstand the will of the legislature, forms an enormous obstacle to understanding and use which can be circumvented by the use of informal rules written in ordinary everyday language and not given direct legal force.83

Giving such instruments indirect legal force, by requiring a court or tribunal to take a party’s compliance with the instrument into account when considering compliance with a legal obligation, for example, can provide greater certainty for readers, but entails the constitutional concerns detailed above. These constitutional concerns become more marked when the ‘explanation’ is not accurate, as where complex legal obligations are oversimplified or misrepresented.84

B. Recommending Best Practice?

Even more difficult is the situation where instruments contain ‘recommendations’ which go beyond the law. Despite the ICO’s stated intentions to focus on ‘data protection law’, the old Employment Practices Code was structured around ‘good practice recommendations’.85

Setting higher standards is potentially useful: Ganz identified that in addition to clarification of obligations, another ‘basic reason for preferring quasi-legal or non-legal rules to law’ is that ‘persuasion may be preferable to compulsion’.86Craies on Legislation similarly suggests that ‘[w]here the government wants to control, it should legislate, in clear justiciable terms; where it wants to influence, particularly where attempts to control are unlikely to be successful or helpful, quasi-legislation will often be the appropriate and desirable mechanism.’87 The ICO is required to consult with stakeholders in the course of issuing codes of practice, and codes of conduct are created by trade associations – so both forms of quasi-legislation do provide potential avenues for co-construction of good practice standards.88

The distinction between obligation and recommendation should be made clear, however, which is not the case in the existing ICO Employment Practices Code.89 The question of legal status is also omnipresent: is it constitutionally acceptable to give indirect legal force to standards which go beyond the law?

5. DATA PROTECTION LAW IN ISOLATION

Whether the instrument will explain legal minima or establish higher voluntary standards, one thing is clear: it will deal only with data protection law. Meanwhile, the five ACAS codes of practice, the Employment Statutory Code of Practice on equality, the multitude of Approved Codes of Practice from the Health and Safety Executive and various other codes and guidance on trade unions will continue to bear upon aspects of data-driven employment decisions. If the purpose of quasi-legislation is to simply, in its current form it does the opposite.

Concerns about the potential emergence of a complex quasi-legislative web were first raised in a 1944 note by Robert Megarry,90 which highlighted a ministerial ‘assurance’ made in Parliament about the application of a provision of the Workmen’s Compensation Act 1925 as an example of the ‘haphazard promulgation’ of ‘quasi-legislation’ which was taking lawyers outside the ‘reasonable comfort and safety’ of a ‘world bounded by Acts of Parliament, Statutory Rules and Orders and judicial decisions’.91

It seems Megarry’s fears have proven well-founded. Consider, for example, an employer’s use of an automated tool to identify job applicants with unionist tendencies.92 Personal data ‘revealing… trade union membership’ is designated as ‘special category’ under the GDPR,93 and the processing of such data is tightly restricted under data protection law.94 Meanwhile, the Blacklisting Regulations 2010 make it unlawful for employers, employment agencies and others to compile, supply or use a blacklist of trade union members or activists for purposes such as employment vetting or treatment of workers.95 An instrument which deals with one regime but ignores the other will hardly be helpful.96

Despite such obvious overlaps, the new guidance on employer data practices is unlikely to even cross-reference other areas of law. The ICO’s recent Guidance on AI and data protection, for example, recognises the risks of discriminatory algorithms but limits itself to ‘guidance on interpreting the discrimination-related requirements of data protection law’, explicitly avoiding any discussion of the interplay with equality law standards.97 Employers and workers, then, are left to work out how the ICO’s guidance on ‘discrimination-related requirements of data protection law’ relate to the EHRC’s guidance on discrimination law itself.

Cross-referencing to other instruments would be a positive step: the EHRC’s Employment Code, for example, cites employee protection legislation and summarises relevant provisions where necessary.98 An even better alternative would be a co-produced instrument explaining how the various legal regimes apply to given practical examples. A recent report for the TUC ‘strongly recommend[ed]’ the creation of guidance ‘on a cross-disciplinary basis’ between the EHRC, ACAS, and the ICO, as well as the Centre for Data Ethics (CDEI) – a government expert body with expertise in data and AI policy – and bodies representing industry and labour.99 Joint statutory guidance by the ICO and EHRC was also proposed by the Institute for the Future of Work (IFOW)’s Equality Task Force in its report on AI accountability.100

Regulatory cooperation is a frequently lauded aim, and features in the ICO’s most recent Information Rights Strategic Plan;101 the EHRC’s draft strategic plan for 2022–25;102 and ACAS’ 2021–25 strategy.103 The recently established Digital Regulatory Cooperation Forum, set up to establish regulatory collaboration, demonstrates that regulatory co-operation is a government priority – although the HSE, the EHRC and ACAS are all excluded from the consortium.104 It seems likely that a single code on employer data practices, co-produced by all of the relevant regulators, would serve employers and workers better than a plethora of codes issued by different regulators.105

6. CONCLUSION

There is a clear need for clarity on the legal framework regulating algorithmic management. At first glance, the ICO’s proposed Employment Practices Code might seem a useful instrument for achieving such clarity. The structure, status, and content of the instrument will be hamstrung, however, by an absence of constitutional debate and empirical evidence on quasi-legislation. These absences have translated into a much larger problem in both employment and data protection: quasi-legislation has proliferated without adequate thought being given to its role and efficacy. As well as the data protection code (or guidance), employers are also expected to be aware of the ACAS codes of practice,106 the code of practice on equality law,107 codes on trade union recognition and derecognition ballots,108 and on picketing109 and a series of codes of practice on workplace health and safety – among other instruments. The absence of careful deliberation and empirical evidence has meant that the only consistent theme is heterogeneity.

First, legal statuses vary: while many codes of practice are issued by regulators and ‘taken into account’ by tribunals and (in some cases) by courts,110 codes of practice on some topics in data protection law have no status before judicial bodies.111 It seems likely that such instruments are followed less closely than their higher-status counterparts, but there is no evidence to that effect. A similar diversity can be seen when one looks at form and content. Some codes of practice are short and instructive, while others are longer and more discursive. The ACAS Code of Practice on disciplinary and grievance procedures contains only 47 paragraphs, while the Equality and Human Rights Commission (EHRC)’s Employment Statutory Code of Practice comes to 321 pages. The existing Employment Practices Code comes to 100 pages,112 while its replacement will be an online ‘hub’ of unspecified size.113

Rather than ploughing ahead with another isolated piece of guidance, the rise of algorithmic management should provide an opportunity for the ICO and policymakers to take a step back and reassess the regulatory landscape. Guidance on how historically discrete areas of law interact to regulate a new phenomenon is clearly helpful. The form, status, and content of that guidance should be a matter for careful consideration.

In 2011, the Law Commission found that ‘the amount of guidance’ on adult social care was causing ‘difficulties’; that there was ‘overwhelming support’ for a ‘single code of practice’, or at least ‘consolidated guidance’; and that consultees’ concerns included ‘confusion about the precise legal status of the various pieces of guidance’.114 It seems likely that a similar review of quasi-legislation in data and employment would be more fruitful than another piece of siloed guidance.

We acknowledge funding from the European Research Council under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 947806).

Footnotes

1

F. Taylor, ‘A Piece Rate System, Being a Step toward Partial Solution of the Labor Problem’ (1895) 16 Transactions of the American Society of Mechanical Engineers 856.

2

I. Ajunwa, K. Crawford and J. Schultz, ‘Limitless Worker Surveillance’ (2017) 105 California Law Review 735, 741–742.

3

Ibid. 743.

4

A. Bernhardt, L. Kresge and R. Suleiman, Data and Algorithms at Work: The Case for Worker Technology Rights (UC Berkeley Labor Center, 2021).

5

‘People Analytics’ (McKinsey & Company) <https://www.mckinsey.com/solutions/orgsolutions/overview/people-analytics> date accessed 7 July 2022.

6

W. Christl, ‘Digitale Überwachung und Kontrolle am Arbeitsplatz’ https://crackedlabs.org/daten-arbeitsplatz/info accessed 5 September 2022 (2021); Abigail Gilbert and Anna Thomas, ‘The Amazonian Era – The Gigification of Work’ https://www.ifow.org/publications/the-amazonian-era-the-gigification-of-work accessed 5 September 2022 (2021); N. Newman, ‘Reeingeering Workplace Bargaining: How Big Data Drives Lower Wages and How Reframing Labor Law Can Restore Information Equality in the Workplace’ 85 University of Cincinnati Law Review 68; Ajunwa, Crawford and Schultz (n 2).

7

For examples, see J. Atkinson, ‘Workplace Monitoring and the Right to Private Life at Work’ (2018) 81 Modern Law Review 688; P. Collins, ‘Automated Dismissal Decisions, Data Protection and The Law of Unfair Dismissal’ (UK Labour Law, 19 October 2021) <https://uklabourlawblog.com/2021/10/19/automated-dismissal-decisions-data-protection-and-the-law-of-unfair-dismissal-by-philippa-collins/> accessed 14 April 2022; A. Kelly-Lyth, ‘Challenging Biased Hiring Algorithms’ (2021) 41 Oxford Journal of Legal Studies 899.

8

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (2016) OJ L119/1 (General Data Protection Regulation, GDPR), art 4.

9

R. Allen and D. Masters, ‘Technology Managing People – the Legal Implications’ (Trades Union Congress 2021) 6.

10

‘Data: A New Direction’ (Department for Digital, Culture, Media and Sport 2021) <https://www.gov.uk/government/consultations/data-a-new-direction> date accessed 7 July 2022.

11

GDPR, art 35(1).

12

Freedom of information request submitted by the author to the Information Commissioner’s Office, response received 8 December 2021. a

13

Gilbert and Thomas (n 6).

14

‘Data: A New Direction’ (n 10) paras 171–173.

15

‘Data: A New Direction - Government Response to Consultation’ (GOV.UK) <https://www.gov.uk/government/consultations/data-a-new-direction/outcome/data-a-new-direction-government-response-to-consultation> date accessed 9 July 2022.

16

‘Data: A New Direction’ (n 10) 94–101.

17

Ibid. 100.

18

Ibid. 97.

19

Ibid. 101 Q1.15.17.

20

‘Data: A New Direction - Government Response to Consultation’ (n 15).

21

ICO Call for Views on Employment Practices (ICO, UK, 2022) <https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/ico-call-for-views-on-employment-practices/> date accessed 7 July 2022.

22

The Employment Practices Code 2005.

23

Ibid.

24

Ibid. 10.

25

Christl (n 6).

26

Ibid. The Employment Practices Code 2005 36–38, 85–88.

27

‘ICO Call for Views on Employment Practices’ (n 21).

28

Call for Views on Employment Practices and Data Protection: Summary of Responses (ICO, UK, V10 20211221) 4.

29

Ibid.

30

Ibid. 5, 9–10.

31

Ibid. 5.

32

Ibid. 4.

33

Ibid. 6.

34

Data Protection Act 2018 s 128.

35

The authors have not been able to identify the rationale for this change following a search of Hansard and discussion with an ICO representative.

36

Equality Act 2006 s 14(1), 15(3); Trade Union and Labour Relations (Consolidation) Act 1992 s 119(1), 207(1).

37

Equality Act 2006; Trade Union and Labour Relations (Consolidation) Act 1992.

38

Data Protection Act 1998 s 51(3).

39

City and County of Swansea v Gayle [2013] IRLR 768 (EAT).

40

Ibid. 27-30. See also Mr P Atkinson v Community Gateway Association UKEAT/0457/12/BA; F&C Alternative Investments (Holdings) Ltd v Barthelemy [2012] Ch 613, [2011] EWHC 1731 (Ch).

41

Data Protection Act 1998 s 36(4), 36(5). See also HC Deb 5 June 1984, vol 61, col 214-217.

42

Ibid. 51(2).

43

Data Protection Act 1984 s 36(3); Data Protection Act 1998 s 51(2). The only exception to this was that compliance with a relevant code of practice issued in relation to journalism could be considered for assessing a data controller’s belief that publication is in the public interest: Data Protection Act 1998 s 32(3) (as enacted).

44

R. Thomas and M. Walport, ‘Data Sharing Review’ (2008) 60–61.

45

Data Protection Act 1998 ss 52A and 52E.

46

Thomas and Walport (n 44) 61 (reference to the ACAS code on discipline and grievance).

47

Data Protection Act 1998 s 52AA; Data Protection Act 2018 ss 121–124.

48

There is no indication that these codes were identified as requiring a higher status. Two of them predated the GDPR. Of the other two, the Age Appropriate Design Code was the result of advocacy by Baroness Kindron, OBE, see HL Deb 11 December 2017, vol 787, cols 1426-1443; on the journalism code, see below, text to n 78.

49

See, for example, the discussion on a code on protecting personal data in education, Data Protection Bill Deb 22 March 2018, cols 323-327.

50

‘Codes of Practice’ (14 April 2022) <https://ico.org.uk/for-organisations/guide-to-data-protection/ico-codes-of-practice/codes-of-practice/> date accessed 8 July 2022.

51

GDPR, art 40.

52

CDEI, Review into Bias in Algorithmic Decision-Making (Centre for Data Ethics and Innovation, 2020) 47.

53

G. Ganz, Quasi-Legislation: Recent Developments in Secondary Legislation (London: Sweet & Maxwell, 1987) 97–98.

54

The Race Relations Code of Practice in Employment: Are Employers Complying? A Research Report (Commission for Racial Equality, 1989).

55

N. Rahim, A. Brown and J. Graham, ‘Evaluation of the Acas Code of Practice on Disciplinary and Grievance Procedures (ACAS Research Paper Ref 06/11, 2011).

56

Employment Rights Act 1998 s 98(4); Trade Union and Labour Relations (Consolidation) Act 1992 s 207A.

57

J. Jackson-Cox, John E.M. Thirkell and J. McQueeney, ‘The Disclosure of Company Information to Trade Unions: The Relevance of the ACAS Code of Practice on Disclosure’ (1984) 9 Accounting, Organizations and Society 253, 270.

58

D. Greenberg, Craies on Legislation, 12th edn (London: Sweet & Maxwell, 2021).

59

Compare ‘Dignity at Work at the AI Revolution: A TUC Manifesto’ (TUC 2021) 8-10; and the stance of the TUC in the 1980s per Ganz (n 53) 34–35.

60

R. Baldwin and J. Houghton, ‘Circular Arguments: The Status and Legitimacy of Administrative Rules’ (1986) Summer Public Law 239; Ganz (n 53); Christopher McCrudden, ‘Codes in a Cold Climate: Administrative Rule-Making by the Commission for Racial Equality’ (1988) 51 Modern Law Review 409.

61

Ganz (n 53) 12, 34–35; see also Baldwin and Houghton (n 60); P. Elias, ‘Closing in on the Closed Shop’ (1980) 9 ILJ 201.

62

See, for instance, Data Protection Act 2018 s 125.

63

For in-depth critique, see Ganz (n 53) 27–31.

64

R (on the application of Munjaz) v Mersey Care NHS Trust [2005] UKHL 58; [2006] 2 AC 148 [21].

65

Failure to follow published policy, absent good reason for departing from it, is an established ground for judicial review: R (Lumba) v Secretary of State for the Home Department [2011] UKSC 12, [2012] 1 AC 245, [26] (Lord Dyson), [202] (Lady Hale) and [313] (Lord Phillips); R (Lee-Hirons) v Secretary of State for Justice [2016] UKSC 46, [2017] AC 52, [17] (Lord Wilson) and [50] (Lord Reed).

66

MacIntyre v Scottish Ministers [2021] CSIH 1, [2021] SC 223 [38].

67

Ganz (n 53) 12–14, 34–35; Baldwin and Houghton (n 60) 264–265.

68

The Employment Code of Practice (Picketing) Order 1980 section E.

69

C. D. D., ‘Code of Practice on Picketing’ (1981) 10 ILJ 46, 46; Thomas v National Union of Mineworkers (South Wales Area) [1986] Ch 20, [1985] 2 WLR 1081, 1113; Gourmet London Ltd. v Transport and General Workers Union & Ors [2005] EWHC 1889 (QB), [2005] IRLR 881 [29]-[31]. Concerns were also raised early on about the prospect of the recommended cap morphing into a legal limit: Anthony Blair, ‘Codes today, law tomorrow?’ (New Statesman, 1980), reproduced (2007) 136 New Statesman 62.

70

Elias (n 61) 211.

71

‘New Statutory Code to Prevent Unscrupulous Employers Using Fire and Rehire Tactics’ (Department for Business, Energy & Industrial Strategy, 2022) <https://www.gov.uk/government/news/new-statutory-code-to-prevent-unscrupulous-employers-using-fire-and-rehire-tactics> date accessed 8 July 2022.

72

P. Brione, ‘P&O Ferries: Employment Law Issues’ (House of Commons Library, Research Briefing Number CBP 9529, 19 April 2022). The scandal saw 786 seafarers made redundant without prior consultation.

73

A. Bogg, ‘Firing and Rehiring: An Agenda for Reform’ (IER) <https://www.ier.org.uk/comments/firing-and-rehiring-an-agenda-for-reform/> date accessed 8 July 2022; Employment and Trade Union Rights (Dismissal and Re-engagement) Bill, Private Members’ Bill (Ballot Bill). See also existing ACAS guidance on the issue, which would imply that non-statutory instruments are insufficient: ‘Making Changes to Employment Contracts – Employer Responsibilities’ (Acas) https://www.acas.org.uk/changing-an-employment-contract/employer-responsibilities date accessed 8 July 2022.

74

P. Greenfield, ‘Matt Hancock: Lords’ Leveson “yes” Vote Is Blow to Local Press’ The Guardian (11 January 2018) https://www.theguardian.com/media/2018/jan/11/matt-hancock-lords-leveson-yes-vote-is-blow-to-local-press date accessed 8 July 2022; Data Protection Bill Deb 9 May 2018, cols 700-741..

75

‘Data: A New Direction’ (n 10) para 380. The negative resolution procedure currently applies to what are described in text to n 50 as ‘tier one’ data protection codes. ‘Tier two’ codes, including the old Employment Practices Code, have never had to receive parliamentary approval (although executive regulations requiring their promulgation do).

76

Ganz (n 53) 3.

77

See, for example, P. Moradi and K. Levy, ‘The Future of Work in the Age of AI’ in Markus D. Dubber, F. Pasquale and S. Das (eds), The Oxford Handbook of Ethics of AI (Oxford: Oxford University Press, 2020); B. Rogers, ‘The Law and Political Economy of Workplace Technological Change’ (2020) 55 Harvard Civil Rights-Civil Liberties Law Review 532; D. Mangan, ‘Beyond Procedural Protection: Information Technology, Privacy and the Workplace’ (2019) 44 European Law Review 559.

78

‘The New Frontier: Artificial Intelligence at Work’ (A final report produced by the All-Party Parliamentary Group on the Future of Work November 2021) <https://www.ifow.org/publications/new-frontier-artificial-intelligence-work>; see also Prime Minister’s Office, ‘Matt Warman to Lead Review into the Future of Work’ (GOV.UK, 12 May 2022) <https://www.gov.uk/government/news/matt-warman-to-lead-review-into-the-future-of-work> date accessed 16 May 2022.

79

Data Protection Bill Deb 22 March 2018, cols 309-319; see also Public Authority Algorithm HL Bill (2021-2022) 73.

80

‘Call for Views on Employment Practices and Data Protection: Summary of Responses’ (n 28) 4.

81

GDPR, Art 57.

82

Cranage Parish Council v First Secretary of State [2004] EWHC 2949 (Admin), [2005] 2 P & CR 23 [49]; R (J D Wetherspoon) v Guildford Borough Council [2006] EWHC 815 (Admin), [2007] 1 All ER 400 [58], [59].

83

Ganz (n 53) 96.

84

See, for example, Bob Simpson, ‘Code of Practice on Industrial Action Ballots and Notice to Employers’ (1995) 24 ILJ 337.

85

The Employment Practices Code 2011 10, 67.

86

Ganz (n 53) 97–98.

87

Greenberg (n 58) 3.7.1.

88

See, for instance, Data Protection Act 2018 ss 121–124, 128.

89

The Employment Practices Code 2011 para 1.2.5.

90

R. Megarry, ‘Administrative Quasi-Legislation’ 60 Law Quarterly Review 125.

91

Ibid. 125–126.

92

N. Newman, ‘Reeingeering Workplace Bargaining: How Big Data Drives Lower Wages and How Reframing Labor Law Can Restore Information Equality in the Workplace’ 85 University of Cincinnati Law Review 68; S. Kessler, ‘Companies Are Using Employee Survey Data to Predict — and Squash — Union Organizing’ (OneZero, 2020) <https://onezero.medium.com/companies-are-using-employee-survey-data-to-predict-and-squash-union-organizing-a7e28a8c2158> date accessed 11 February 2022.

93

GDPR, art 9(1). The scandal which prompted the adoption of the Blacklisting Regulations 2010 resulted in a fine being issued by the ICO for data protection breaches.

94

There may be no legal basis under GDPR, art 6, for example, or GDPR, art 22 might preclude the automatic denial of employment to those profiled as being ‘activists’.

95

Employment Relations Act 1999 (Blacklists) Regulations 2010/493.

96

To be comprehensive, the instrument would also have to deal with the European Convention on Human Rights, art 11.

97

‘What Do We Need to Do to Ensure Lawfulness, Fairness, and Transparency in AI Systems?’ (ICO, 2021) https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/guidance-on-ai-and-data-protection/what-do-we-need-to-do-to-ensure-lawfulness-fairness-and-transparency-in-ai-systems/ date accessed 8 July 2022.

98

Equality Act 2010 Statutory Code of Practice Employment (Equality and Human Rights Commission 2011) para 8.10, 10.4, 17.9, 17.31. For An example summary of relevant employment protection legislation, see para 10.15-10.16.

99

Allen and Masters (n 9) para 3.49.

100

R. Binns and others, ‘Mind the Gap: How to Fill the Equality and AI Accountability Gap in an Automated World’ <https://www.ifow.org/publications/mind-the-gap-the-final-report-of-the-equality-task-force> accessed 5 September 2022 (2020).

101

ICO, Information Rights Strategic Plan 2017-2021 (version 2: 20180403) 10.

102

EHRC, Draft strategic plan for 2022-2025 14-16.

103

Acas, ‘Making Working Life Better for Everyone in Britain: Acas Strategy 2021 to 2025’ (2021) <https://www.acas.org.uk/about-us/acas-strategy-for-2021-to-2025/html> accessed 31 March 2022, in the form of a ‘policy partnership forum’.

104

‘The Digital Regulation Cooperation Forum’ (GOV.UK, 10 March 202AD) https://www.gov.uk/government/collections/the-digital-regulation-cooperation-forum accessed 8 July 2022.

105

See similarly Allen and Masters (n 9) para 3.49.

106

Code of Practice on disciplinary and grievance procedures 2015; Code of Practice on disclosure of information to trade unions for collective bargaining purposes 2003; Code of Practice on time off for trade union duties and activities 2010; Code of Practice on settlement agreements 2013; and Code of Practice on handling in a reasonable manner requests to work flexibly 2014.

107

Equality Act 2010 Statutory Code of Practice Employment (Equality and Human Rights Commission 2011).

108

Code of Practice: Access and Unfair Practices During Recognition and Derecognition Ballots, 5 September 2005.

109

The Employment Code of Practice (Picketing) Order 1980.

110

Equality Act 2006 s 15(4); Trade Union and Labour Relations (Consolidation) Act 1992 s 207; Data Protection Act 2018 s 127.

111

Data Protection Act 1984 s 36(4) and (5).

112

The ICO’s Tendency to Issue ‘Lengthy’ Guidance was Recently Criticised by the Government. See ‘Data: A New Direction’ (n 10) para 377.

113

‘Call for Views on Employment Practices and Data Protection: Summary of Responses’ (n 28) 4.

114

The Law Commission (LAW COM No 326), Adult Social Care (2011) para 3.22-3.24.

© The Author(s) 2022. Published by Oxford University Press.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted reuse, distribution, and reproduction in any medium, provided the original work is properly cited.
Issue Section:
Recent Legislation
Download all slides