Employee Monitoring: What Employers Can and Cannot Do

Monitoring employees raises significant legal and ethical issues. Understanding the rules helps you monitor lawfully.

The Legal Framework

Key Laws

• UK GDPR: Personal data processing principles
• Data Protection Act 2018: UK-specific data protection rules
• Regulation of Investigatory Powers Act 2000 (RIPA): Interception of communications
• Human Rights Act 1998: Right to privacy (Article 8)
• Employment law: Trust and confidence, contract terms

Core Principles

1. Lawfulness: Have a legal basis for monitoring
2. Transparency: Tell employees about monitoring
3. Proportionality: Don't go further than necessary
4. Purpose limitation: Use data only for stated purposes
5. Security: Protect monitoring data

Types of Monitoring

Email and Internet Monitoring

What you can monitor:

• Work email accounts
• Internet browsing history
• Downloaded files
• Time spent online

Legal requirements:

• Clear policy in place
• Employees informed
• Legitimate purpose
• Proportionate approach

Best practices:

• Focus on work accounts only
• Don't read every email
• Use automated filtering first
• Access content only when necessary

CCTV

Permitted locations:

• Office areas
• Entrances/exits
• Car parks
• Warehouses

Prohibited locations:

• Toilets
• Changing rooms
• Rest areas with reasonable privacy expectation

Requirements:

• Clear signage
• Legitimate purpose (security, health and safety)
• Data Protection Impact Assessment if extensive
• Retention policy (delete when no longer needed)

Computer Monitoring

Types:

• Keystroke logging
• Screen capture
• Application usage
• File access monitoring

When justified:

• Regulatory requirements
• Protecting intellectual property
• Investigating specific concerns
• Performance monitoring (with transparency)

Rarely justified:

• Constant keystroke logging of all employees
• Random screen capture
• Monitoring without any notice

GPS/Location Tracking

When appropriate:

• Company vehicles during work hours
• Field workers (for safety)
• Logistics management

When problematic:

• Personal vehicles
• Outside work hours
• Without clear policy
• Tracking location but saying it's mileage

Telephone Monitoring

Call recording:

• Must tell employees and callers
• Legitimate purpose (training, quality, evidence)
• Don't record personal calls

Call data (not content):

• Less intrusive than recording
• Still needs policy
• Consider proportionality

Social Media Monitoring

Work accounts:

• Can monitor if clear policy
• Use for work purposes

Personal accounts:

• Can view public posts
• Covert investigation problematic
• Cannot require access to private accounts

Legal Basis for Monitoring

Under GDPR

Must have one of these bases:

• Legitimate interests: Most common for monitoring
• Contract performance: If monitoring necessary for job
• Legal obligation: If law requires it

Legitimate Interests Assessment

Document:

1. What's the legitimate interest?
2. Is monitoring necessary to achieve it?
3. Does it override employee privacy rights?

When Consent Doesn't Work

Employee consent is problematic because:

• Power imbalance
• May not be freely given
• Can be withdrawn

Use legitimate interests instead.

Policy Requirements

What Your Policy Should Include

1. What you monitor (email, internet, CCTV, etc.)
2. Why you monitor (security, compliance, performance)
3. How you monitor (automated, manual review)
4. Who can access monitoring data
5. How long you keep the data
6. Employee rights (access, objection)
7. Consequences of policy breach

Sample Policy Statement

"The Company monitors employee use of work email and internet for legitimate business purposes including security, compliance with company policy, and protecting company assets. Monitoring is primarily automated. Manual review of content occurs only when there is specific concern. Employees should have no expectation of privacy when using work IT systems. Monitoring data is retained for [X months] and accessed only by [authorised personnel]."

Data Protection Impact Assessment (DPIA)

When Required

Must conduct DPIA if monitoring:

• Uses new technologies
• Is systematic and extensive
• Involves automated decision-making
• Monitors public areas on large scale
• Processes sensitive data

DPIA Content

• Description of processing
• Assessment of necessity
• Risks to individuals
• Measures to address risks
• Evidence of proportionality

Covert Monitoring

General Rule

Covert monitoring should be rare exception.

When Potentially Justified

• Suspected criminal activity
• Suspected serious misconduct
• Where overt monitoring would prejudice investigation
• Proportionate to suspected wrongdoing

Requirements

Even for covert monitoring:

• Authorised by senior manager
• Time-limited
• Targeted (not blanket)
• Documented justification
• Data used only for stated purpose

Not Justified

• General surveillance
• "Fishing expeditions"
• Because you don't trust employees

Employee Rights

Information Rights

Employees can:

• Know monitoring takes place (privacy notice)
• Know how data is used
• Access their monitoring data (SAR)
• Object to processing

Subject Access Requests

If employee requests monitoring data:

• Respond within one month
• Include CCTV footage of them
• Include email monitoring reports
• May redact third party data

Common Scenarios

Scenario 1: Suspected Time Theft

Employee suspected of not working during hours.

Proportionate: Review login times, application usage for that employee.

Disproportionate: Installing keystroke logger on everyone.

Scenario 2: Data Leak Investigation

Confidential information leaked to competitor.

Proportionate: Review email logs for unusual sending patterns, access logs for sensitive files.

Disproportionate: Reading all employees' personal emails.

Scenario 3: Remote Worker Monitoring

Want to ensure home workers are productive.

Proportionate: Reasonable check-ins, deliverable tracking, transparent productivity measures.

Disproportionate: Constant webcam monitoring, screenshot every 5 minutes.

Scenario 4: Sick Leave Concerns

Employee frequently off sick on Mondays.

Proportionate: Discuss with employee, occupational health referral.

Disproportionate: Hiring private investigator to follow them.

Disciplinary Use of Monitoring Data

Using Evidence Fairly

If monitoring reveals misconduct:

• Can use in disciplinary proceedings
• But must have been lawful monitoring
• Employee should have known monitoring occurred
• Evidence must be relevant and reliable

Unfairly Obtained Evidence

Evidence from unlawful monitoring:

• May still be admissible
• But obtaining it could be separate breach
• Tribunal will consider how obtained

Remote and Hybrid Working

Additional Considerations

• Can't monitor home as extensively as office
• Productivity tools should be transparent
• Webcam monitoring raises serious concerns
• Focus on outputs not surveillance

Best Practices

• Clear policy for remote workers
• Trust-based management
• Regular check-ins instead of surveillance
• Focus on deliverables

Consequences of Non-Compliance

Data Protection Breaches

• ICO enforcement action
• Fines up to £17.5 million or 4% of turnover
• Compensation claims from employees

Employment Law Issues

• Breach of trust and confidence
• Constructive dismissal claims
• Unlawful deduction if monitoring affects pay

Reputational Damage

• Employee relations damage
• Difficulty recruiting
• Media exposure

Checklist

Before Implementing Monitoring

• Identify legitimate purpose
• Assess necessity and proportionality
• Conduct DPIA if required
• Draft or update policy
• Update privacy notice
• Train managers

Operating Monitoring

• Follow stated policy
• Limit access to monitoring data
• Retain data only as long as necessary
• Respond to SARs properly
• Review effectiveness periodically

Investigating Concerns

• Document reason for investigation
• Use least intrusive methods first
• Consider covert monitoring only if necessary
• Time-limit any investigation
• Use findings appropriately