Employers have the right to monitor your activities at work. Workplace monitoring includes:
All of these forms of monitoring are covered by the law on data protection, however, the law does not protect employees from monitoring in the workplace. Instead, it sets down rules about the circumstances and the way in which monitoring should be carried out.
An employer can monitor electronic communications in the workplace where:
As long as an employer sticks to these rules, they don't need to get employee consent before they monitor electronic communications.
An employer can only monitor use of electronic communications without consent where there is a 'legitimate business activity':
Ideally, an employer should have a policy that covers workplace monitoring.
An employer must give you clear notice in advance that communications might be monitored and how. They must take care to limit the extent of the monitoring to what is strictly necessary. Further, employees must be given safeguards, so that communications cannot be accessed unless they know this might happen.
Employers can limit monitoring in time and limit those who have access to the material.
It is important that the employer thinks through their reasons for monitoring employee communications and accessing their content - are these justifiable to achieve a business purpose?
When monitoring employee communications, the employer must also use the least intrusive methods necessary to achieve the business aim. Before any surveillance can take place, employers must create a policy that lets employees know the circumstances of monitoring and their expectations of fair use. To do this, they must first warn employees about monitoring of their social media use (eg by having a Social media policy) and the types of prohibited behaviour warning that disciplinary action might be taken. For further information, read our Quick Guide on Employees and social media.
As private communication meets the definition of personal data, organisations must prove that they have a lawful ground to collect and monitor this information.
The General Data Protection Regulations (GDPR) say that an employee cannot give consent to an employer because of the inherent imbalance of power. Consent can’t be 'freely given' if the data subject faces a potential negative effect from not consenting. It’s reasonable to expect that an employee might fear losing their job (or at least fear losing favour among their bosses) if they don’t consent to being monitored.
Under no circumstances are employers justified in using exhaustive or automated monitoring methods (such as spyware) to look through an employee’s browser history and workplace communications to find evidence of misuse.
Employers should also refrain from methods that leave no trace of their monitoring, such as physically sitting at the employee’s computer and looking through their private communications.
In short, there should be mutual trust between employee and employer. Employers should aim to achieve a balance between an employee’s right for private correspondence and an employer’s right to take steps to ensure the smooth running of the business.