Profile information Account settings
Sign up Log in

Workplace monitoring

How far can employers go in monitoring employees' digital communications without falling foul of the law? How can employers achieve a balance between their interests and employee privacy? Read Rocket Lawyer's guide on workplace monitoring to find out.

Make your Communications and equipment policy
Get started
Answer a few questions. We'll take care of the rest

Employers have the right to monitor your activities at work. Workplace monitoring includes:

  • opening mail or emails
  • use of automated software to check emails
  • checking logs of websites visited
  • recording on CCTV cameras

All of these forms of monitoring are covered by the law on data protection, however, the law does not protect employees from monitoring in the workplace. Instead, it sets down rules about the circumstances and the way in which monitoring should be carried out.

An employer can monitor electronic communications in the workplace where:

  • there is a legitimate business activity
  • the equipment being monitored is provided partly or wholly for work, and
  • the employer has made all reasonable efforts to inform you that your communications will be monitored

As long as an employer sticks to these rules, they don't need to get employee consent before they monitor electronic communications.

An employer can only monitor use of electronic communications without consent where there is a 'legitimate business activity':

  • to establish facts that are relevant to the business
  • to check procedures are being followed
  • to check standards (eg the quality of your work)
  • to prevent or detect crime
  • to check for unauthorised use of telecommunications systems (eg whether employees are using the internet or email for personal use)
  • to ensure electronic systems are operating effectively
  • to check whether communications received are relevant to the business; and
  • in the interests of national security

Ideally, an employer should have a Communications and equipment policy that covers workplace monitoring.

An employer must give you clear notice in advance that communications might be monitored and how. They must take care to limit the extent of the monitoring to what is strictly necessary. Further, employees must be given safeguards, so that communications cannot be accessed unless they know this might happen.

Employers can limit monitoring in time and limit those who have access to the material.

It is important that the employer thinks through their reasons for monitoring employee communications and accessing their content - are these justifiable to achieve a business purpose?

When monitoring employee communications, the employer must also use the least intrusive methods necessary to achieve the business aim. Before any surveillance can take place, employers must create a policy that lets employees know the circumstances of monitoring and their expectations of fair use. To do this, they must first warn employees about monitoring of their social media use (eg by having a Social media policy) and the types of prohibited behaviour warning that disciplinary action might be taken. For further information, read Employees and social media.

As private communication meets the definition of personal data, organisations must prove that they have a lawful ground to collect and monitor this information.

The UK General Data Protection Regulations (GDPR) say that an employee cannot give consent to an employer because of the inherent imbalance of power. Consent can’t be 'freely given' if the data subject faces a potentially negative effect from not consenting. It’s reasonable to expect that an employee might fear losing their job (or at least fear losing favour among their bosses) if they don’t consent to being monitored.

Under no circumstances are employers justified in using exhaustive or automated monitoring methods (such as spyware) to look through an employee’s browser history and workplace communications to find evidence of misuse.

Employers should also refrain from methods that leave no trace of their monitoring, such as physically sitting at the employee’s computer and looking through their private communications.

In short, there should be mutual trust between employee and employer. Employers should aim to achieve a balance between an employee’s right to private correspondence and an employer’s right to take steps to ensure the smooth running of the business.

Make your Communications and equipment policy
Get started
Answer a few questions. We'll take care of the rest