Workplace monitoring

Employers have the right to monitor staff activities at work. Workplace monitoring includes:

• opening mail or emails

• using automated software to check emails

• checking logs of websites visited

• recording on CCTV cameras 

• searching bags

• drug testing

Workplace monitoring is covered by the law on data protection (including the UK General Data Protection Regulations (GDPR) and the Data Protection Act 2018). The law does not prohibit monitoring in the workplace. Instead, it sets down rules about the circumstances and the ways in which monitoring should be carried out.

Employers will generally need a legitimate reason to monitor the workplace. Staff members will typically expect that some degree of monitoring is necessary (eg to ensure staff aren’t at risk because of an unsafe environment or working practices). However, if workplace monitoring is done improperly or in the wrong situation, it can: 

• intrude on staff members’ private lives

• disrupt staff members’ work 

• interfere with the mutual trust and confidence between staff members and their employer

When monitoring the workplace, employers should:

• determine whether they have a legitimate reason for monitoring staff (consider using the Information Commissioner’s Office (ICO) tool to help you determine whether you have a legitimate reason) 

• carry out a Data protection impact assessment (DPIA) to minimise the extent of monitoring and the degree of privacy intrusion

• take into account any objections that staff have to monitor arrangements (eg through consultations with trade unions or other staff representatives) 

• ensure workplace monitoring is proportionate (eg by implementing clear limits on how long monitoring will take place) 

• clearly tell staff that they are being monitored and when, why, and how this is the case (eg in their Employment contract or Employee handbook) 

• have a reason for monitoring (eg to ensure workplace health and safety) and not use the results of the monitoring for other purposes

There are many reasons why an employer may consider it necessary to monitor the workforce. Potential legitimate reasons include:

• to establish facts that are relevant to the business

• to check procedures are being followed

• to check standards (eg the quality of work) 

• to prevent or detect crime

• to check for unauthorised use of telecommunications systems (eg whether employees are using the internet or email for personal use)

• to ensure electronic systems are operating effectively

• to check whether communications received are relevant to the business 

• to control the transmission of trade secrets and confidential information

• to act in the interests of national security 

• to prevent workplace bullying or harassment

Ideally, an employer should have a Communications and equipment policy that covers workplace monitoring.

Data protection principles

When monitoring staff in the workplace, employers should comply with the data protection principles. These include:

Being lawful, fair and transparent about workplace monitoring

An employer must give staff members clear notice in advance that communications might be monitored and should explain how. They must take care to limit the extent of the monitoring to what is strictly necessary. Further, employees must be given safeguards, so that communications cannot be accessed unless they know this might happen.

It is important that the employer thinks through their reasons for monitoring employee communications and accessing their content - are these justifiable?

When monitoring employee communications, the employer must also use the least intrusive methods necessary to achieve their business aim. Before any surveillance can take place, employers must create a policy that: 

• lets staff members know the circumstances of monitoring, and 

• sets out staff members' expectations of fair use

To do this, they must first warn employees about monitoring (eg of their social media use via a Social media policy). They should then set out the types of prohibited behaviour, warning that disciplinary action might be taken.

Limiting the monitoring and keeping information secure

Employers should always consider limiting the scope of their workplace monitoring. For example, limiting the monitoring to particular areas of the business and only monitoring staff working in those areas. Taking this approach rather than a one-size-fits-all approach can help employers demonstrate that they are only monitoring staff where it is necessary.

Employers should also consider limiting access to any monitoring material (eg CCTV footage) to those who need to see it. This helps ensure staff information is kept secure and confidential.

Care should also be taken to protect any information against damages, losses or theft and to securely delete or dispose of it when it is no longer needed.

Having a lawful basis for the monitoring

As private communications meet the definition of personal data, employers must prove that they have a lawful ground to collect and monitor this information. Data protection laws set out the following lawful grounds: 

• consent 

• performance of a contract 

• compliance with a legal obligation 

• vital interests of the data subject 

• public interest 

• legitimate interests

Under the GDPR, a staff member cannot give an employer consent to process their personal data because of the inherent imbalance of power between the staff member and their employer. Consent can’t be 'freely given' if the data subject (ie the staff member) faces a potentially negative effect if they don’t consent. It’s reasonable to expect that a staff member might fear losing their job (or at least fear losing favour among their bosses) if they don’t consent to being monitored.

Other considerations

Under no circumstances are employers justified in using exhaustive or automated monitoring methods (such as spyware) to look through an employee’s browser history and workplace communications to find evidence of misuse.

Employers should also refrain from methods that leave no trace of their monitoring, such as physically sitting at the employee’s computer and looking through their private communications.

In short, there should be mutual trust between employee and employer. Employers should aim to achieve a balance between an employee’s right to private correspondence and an employer’s right to take steps to ensure the smooth running of the business.

Covert monitoring is any monitoring that is carried out without staff members knowing. In most circumstances, employers should not consider covert monitoring as an option. There are, however, limited exceptional circumstances where it may be necessary. For example, where covert monitoring is necessary to prevent and detect suspected criminal activity or gross misconduct in the workplace.

The employer’s policies on workplace monitoring (eg a Communications and equipment policy) should clearly outline the types of unacceptable behaviour and the situations in which covert monitoring may take place.

Whenever an employer is considering covertly monitoring staff, they must first carry out a DPIA. They should make sure the covert monitoring only takes place as part of a specific investigation and for a limited period of time.

Due to the complexity of covert monitoring, employers considering covertly monitoring their staff should first Ask a lawyer.

For more information on workplace monitoring in general, read the ICO’s guidance and the Government’s guidance. If you have any questions or concerns, Ask a lawyer.