Monitoring staff is a sensible business decision for several reasons, but this must be balanced with employees’ right to privacy while at work.
In this guide, we outline what types of monitoring are permissible, under what conditions, and what must be in place for it to be legal.
What do we mean by ‘monitoring’ workers?
Monitoring refers to ways of observing what your employees are doing during work hours, either overtly or covertly. Examples of employee monitoring techniques include:
- CCTV and video/audio surveillance in an employer’s place of business
- Email monitoring – of content, senders and recipients
- Internet usage and destination sites
- Vehicle tracking via GPS
- Computer display monitoring
- Keystroke counting
- Tracking the location of ID badges
- Inspecting bags, lockers, etc.
Telephone use and content of conversations
Why do employers monitor workers?
There are numerous legal grounds for monitoring personnel. Legal justifications for employee monitoring include:
- Evaluating performance and productivity in order to enhance it
- Ensuring that company processes are adhered to
- Examining violations of business policies or wrongdoing
- Avoiding reputational damage to an employer
- Reducing or measuring business loss
- Protecting employees and the public from discrimination and harassment
- Defamation protection for the employer, its employees, and the public
- Preventing the spread of sensitive information and trade secrets
- Preventing accidental contract formation and contract breaches Preventing copyright infringement, regardless of whether the copyright belongs to the employer or a third party
- Preventing intrusion
- Stopping the spread of viruses and other malware that could compromise the employer’s system.
- Evaluating employee misconduct
ICO guidance on monitoring workplaces
In October 2023, the UK’s Information Commissioner’s Office (ICO) issued new guidance for employers on monitoring practices at work.
The guidance is focused on the need for employers to balance data protection obligations with the ability to monitor workforce.
This new guidance covers both systematic monitoring, where an employer monitors all workers or groups of workers as a matter of course (for example, if software is used to monitor productivity), as well as occasional monitoring, where an employer implements monitoring as a short-term response to a specific need (for example, installing a camera to detect suspected theft).
Are employers legally allowed to monitor employees?
Yes, employers are allowed to monitor employees at work in the UK, but there are legal limitations and requirements that must be followed, notably under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
What does the law say about monitoring employees?
There is no single piece of data privacy law in the United Kingdom that specifcally addresses workforce monitoring. Instead, it is necessary to examine various pieces of legislation and case law to determine when and how to monitor employees.
The most notable areas governing the law on monitoring employees include:
- Data Protection Act 2018 and General Data Protection Regulation (GDPR)
- Article 8 of the European Court of Human Rights, which has been incorporated into UK law by the Human Rights Act
- Telecommunications (Lawful Business Practice Interception of communications) Regulations 2000
- Equality Act 2010
- Implied duty of trust and confidence which exists in all contracts of employment
Under the data protection legislation, employers must have a valid reason for monitoring employees and must inform them of the monitoring activities. The reason for monitoring must be lawful, necessary, and proportionate to the intended purpose. The monitoring must also not be intrusive, and employers should not collect more data than is necessary.
Data protection laws in the UK, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, set out specific requirements for employers who wish to monitor their employees.
Firstly, employers must have a lawful basis for monitoring their employees, and the monitoring must be necessary for a specific purpose. This means that employers cannot carry out monitoring activities without a good reason, and they must be able to demonstrate that their monitoring is necessary to achieve a legitimate business purpose, such as protecting the company’s assets, complying with legal obligations, or ensuring employees’ health and safety.
Secondly, employers must be transparent about their monitoring activities and inform employees of the types of monitoring that will be carried out, the reasons for monitoring, and how the data will be used. This information must be provided in a clear and accessible format, such as a privacy notice or staff handbook, and employees must be given the opportunity to ask questions or raise concerns about the monitoring.
Thirdly, employers must ensure that their monitoring is proportionate to the intended purpose and does not infringe on employees’ privacy rights. This means that they must use the least intrusive methods of monitoring that are necessary to achieve the intended purpose, and they must avoid collecting any unnecessary or excessive data. Employers must also ensure that any personal data collected is kept secure and protected against unauthorised access or disclosure.
Finally, employees have the right to access their personal data, including any data collected through monitoring activities, and employers must respond to requests for access within a reasonable timeframe. Employees also have the right to object to monitoring activities if they believe that their privacy rights are being infringed.
What rights do employees have to privacy at work?
Case law states that ‘an employer’s instructions cannot reduce private social life in the workplace to zero’. There are two principles that apply:
- an employee has some right to privacy at work, even during the time for which they are receiving pay and when they have been informed that they are being monitored; and
- an employer cannot put in place policies that completely remove that right to privacy.
There is no absolute right to privacy at work, but if an employee has a reasonable expectation of privacy regarding certain information or location, you must ensure that any surveillance is necessary, justified, and proportional.
Do you need to inform employees they are being monitored?
To comply with data protection legislation and treat personal data in a fair, legitimate, and transparent manner, you need inform your employees of the monitoring that will occur at work and the rationale behind it. There are limited instances in which monitoring employees without their knowledge is permissible. In particular, the exception is applicable if: you suspect the employee is committing a crime; it is reasonable to conclude that informing the employee would make it more difficult to detect the crime; you only covertly monitor for a specific investigation and discontinue monitoring once the investigation is complete; and you only monitor for the duration of the investigation.
Do employees need to consent to being monitored?
If you have conducted a thorough impact assessment, it is unlikely that you will need the approval of your employees. Historically, you were required to demonstrate that the employee consented, but in the context of an employment relationship, consent is unlikely to be regarded as freely given. It is therefore best to base monitoring on a business need.
When is it illegal to monitor employees?
It is prohibited to monitor employees not only if the impact assessment is not conducted effectively, but also if there is a legitimate expectation of privacy.
Article 8 will apply if the employee had a reasonable expectation of privacy in connection to communications; otherwise, it will not. If the employee has a reasonable expectation of privacy, the court will evaluate whether the invasion of that private was legitimate and proportional.
In other situations, it is difficult to see how surveillance could ever be fair, such as in restrooms, prayer rooms, and nursing areas, or when an employee has personal use of a company car.
How to monitor remote workers
It is important for employers to strike a balance between monitoring remote employees and respecting their privacy rights. Employers should only monitor work-related activities, and they should not use monitoring as a substitute for effective management and communication with their remote employees.
Approaches can include use of software to track time and activity, and monitor email activity, encourage the use of self-reporting and check-ins with management.
Workplace monitoring policy
If you are implementing employee monitoring, it is best practice to create a policy that outlines how, when and why monitoring is being used, how the collected information will be used, and to whom the collected information will be disclosed.
Your workforce should then be made aware of the policy and it should be accessible to them. It is recommended to maintain a record of employees’ confirmation that they have been informed of the policy. In terms of application, this means:
- Providing a copy of the policy to workers upon their hire;
- Request that employees affirm they have read and comprehended the policy not only when it is initially introduced, but also whenever it is revised or updated.
- Send out reminders regarding the policy; and
- Give employees, managers, and anyone receiving monitored data with ongoing training.
It is essential that you approach each case consistently and fairly whenever monitoring individuals at work presents problems. If you do not, your organisation will be vulnerable to allegations of discrimination and wrongful termination. If you have a valid basis for treating someone differently under the policy, you must document that reason in writing. Again, if you are uncertain, it is advisable to seek employment law advice early on.
Tips for lawful workplace monitoring
Employers may monitor employees through various means, including CCTV cameras, computer monitoring, email and internet use, and phone calls. However, they must ensure that their monitoring activities are conducted in a way that respects employees’ privacy rights and that any data collected is used and stored securely.
Employees also have the right to access their personal data and can request copies of any data that their employer has collected about them. Employers must respond to such requests promptly and should have procedures in place to handle data access requests.
Employers can obtain consent from employees to monitor their work activities. However, this consent must be given freely, and employees must be informed of the purpose of the monitoring, the types of data that will be collected, and how the data will be used.
Use of Company Devices
Employers can monitor remote employees who use company devices, such as laptops, mobile phones, and tablets. However, they must inform employees that the devices are being monitored, and they must limit the monitoring to work-related activities.
Use of Productivity Software
Employers can use productivity software to monitor the performance of remote employees, such as the amount of time spent on specific tasks or the number of keystrokes. However, they must inform employees that the software is being used, and they must ensure that the data collected is used only for work-related purposes.
Employers can use video conferencing to monitor remote employees during meetings or training sessions. However, they must inform employees that the video conferencing is being recorded and provide a reason for the recording.
Best practice for employers
Businesses should be aware of the following:
- The UK GDPR and the Data Protection Act 2018 do not prevent monitoring. They set out a framework for the collection and use of personal data. Employers must balance the level of intrusion caused by monitoring against their legitimate business needs and those of their workers.
- Employers must make staff aware of the nature, extent and reasons for the monitoring unless exceptional circumstances mean that covert monitoring is necessary.
- Businesses must be clear about their purpose for monitoring. They must not use the information collected for a new purpose unless it is compatible with the original purpose in most circumstances.
- Employers must carry out a DPIA for any monitoring that is likely to result in a high risk (as above), and should keep this under review. Where a DPIA is not mandatory, they should consider completing one anyway to demonstrate overall compliance and best practice.
- The ICO extended the deadline for responses on the draft guidance to 20 January 2023, after which it is anticipated the finalised guidance will be published later this year.
Monitoring employees FAQs
Is monitoring of employees in the workplace legal?
It is legal to monitor employees in the workplace, provided the employees' privacy rights are not breached and that the conditions set out under the Data Protection Act 2018 are met. The employer must only collect the information required for particular purposes, and should only retain as much information as necessary for as long as necessary and should ensure the information is held securely. The employee must also be allowed access to the information on request.
How do you monitor employees in the workplace?
Depending on the working environment, it may be appropriate to monitor employees using CCTV, tracking technology on company-owned assets or security checks when entering and leaving the workplace.
The matters contained in this article are intended to be for general information purposes only. This article does not constitute legal advice, nor is it a complete or authoritative statement of the law, and should not be treated as such. Whilst every effort is made to ensure that the information is correct, no warranty, express or implied, is given as to its accuracy and no liability is accepted for any error or omission. Before acting on any of the information contained herein, expert legal advice should be sought.