Data protection principles
When monitoring staff in the workplace, employers should comply with the data protection principles. These include:
Being lawful, fair and transparent about workplace monitoring
An employer must give staff members clear notice in advance that communications might be monitored and should explain how. They must take care to limit the extent of the monitoring to what is strictly necessary. Further, employees must be given safeguards, so that communications cannot be accessed unless they know this might happen.
It is important that the employer thinks through their reasons for monitoring employee communications and accessing their content - are these justifiable?
When monitoring employee communications, the employer must also use the least intrusive methods necessary to achieve their business aim. Before any surveillance can take place, employers must create a policy that:
- lets staff members know the circumstances of monitoring, and
- sets out staff members' expectations of fair use
To do this, they must first warn employees about monitoring (eg of their social media use via a Social media policy). They should then set out the types of prohibited behaviour, warning that disciplinary action might be taken.
Limiting the monitoring and keeping information secure
Employers should always consider limiting the scope of their workplace monitoring. For example, they could limit monitoring to particular areas of the business and only monitor staff working in those areas. Taking this approach rather than a one-size-fits-all approach can help employers demonstrate that they are only monitoring staff where it is necessary.
Employers should also consider limiting access to any monitoring material (eg CCTV footage) to those who need to see it. This helps ensure staff information is kept secure and confidential.
Care should also be taken to protect any information against damage, loss or theft and to securely delete or dispose of it when it is no longer needed.
Having a lawful basis for the monitoring
As private communications meet the definition of personal data, employers must prove that they have a lawful ground to collect and monitor this information. Data protection laws set out the following lawful grounds:
- consent
- performance of a contract
- compliance with a legal obligation
- vital interests of the data subject
- public interest
- legitimate interests
Under the GDPR, a staff member cannot give an employer consent to process their personal data because of the inherent imbalance of power between the staff member and their employer. Consent can’t be 'freely given' if the data subject (ie the staff member) faces a potentially negative effect if they don’t consent. It’s reasonable to expect that a staff member might fear losing their job (or at least fear losing favour among their bosses) if they don’t consent to being monitored.
Other considerations
Under no circumstances are employers justified in using exhaustive or automated monitoring methods (such as spyware) to look through an employee’s browser history and workplace communications to find evidence of misuse.
Employers should also refrain from methods that leave no trace of their monitoring, such as physically sitting at the employee’s computer and looking through their private communications.
In short, there should be mutual trust between employee and employer. Employers should aim to achieve a balance between an employee’s right to private correspondence and an employer’s right to take steps to ensure the smooth running of the business.