With the rise and widespread popularity of homeworking, employers have been far more concerned about keeping track of what their staff are doing. As such, staff monitoring has been an increasingly common business practice. However, monitoring staff is high risk and you must ensure that you comply with strict legal rules when doing so.
You must remember that staff have a right to privacy when they are at work (whether they are in the office, or at home). So, when monitoring staff, you need to fully understand the extent to which you can monitor staff, whilst also respecting their right to privacy. In practice, the balance can be hard to achieve.
This guide to monitoring staff sets out some of the key legal issues relating to staff monitoring, with a focus on data protection law rules. In this guide, we provide insights on important issues to consider in order to monitor your staff lawfully. If you would like legal advice on your staff monitoring practices, please contact our data protection solicitors for support.
Contents:
- What is ‘monitoring’ and why do employers do it?
- Which laws apply to monitoring staff and why does it matter?
- Data protection law and the UK ICO’s guidance on monitoring in the workplace
- How do I ensure my staff monitoring is lawful?
- The ICO’s guidance on employee monitoring – key points for employers
- What are the consequences of breaching the rules on monitoring?
- Monitoring staff – key takeaways for employers
- Conclusion
What is ‘monitoring’ and why do employers do it?
Monitoring has a very wide definition and includes a variety of activities such as tracking calls, messages, and keystrokes. It can include taking screenshots, webcam footage or audio recordings, or using specialist monitoring software to track activities of individuals.
Employer monitoring could range from checking when staff log on to your work systems, to checking their mobile devices.
Common examples of widely used staff monitoring include:
- Checking email content, internet and app usage.
- Carrying out computer screen monitoring and monitoring of telephone conversations.
- CCTV and GPS tracking.
Monitoring can be done in two ways:
Overtly – where the employee is made aware that they are being monitored and the reasons why, with the monitoring taking place in plain sight.
Covertly – where the employee is unaware they are being monitored before the monitoring takes place and, in some cases, might never find out it has taken place.
There are many reasons why you might wish to monitor your employees. In today’s digital world where numerous staff work at home, monitoring has become a standard practice.
In most cases, employers seek to monitor staff to check that they are doing their job, assess their performance and ensure that company procedures are being followed. Monitoring can also be used to investigate any suspected breaches of a company’s rules or policies and prevent misconduct.
Whatever your reason for monitoring staff is, you should pay careful attention to the rules which apply when doing so. Is it vital that any staff monitoring is not excessive and does not undermine an individual’s right to privacy.
Which laws apply to monitoring staff and why does it matter?
There are various laws that can apply to monitoring staff. The laws which apply will depend on what you are monitoring and why.
The relevant laws applicable to staff monitoring include:
- Article 8 of the European Court of Human Rights, which has been incorporated into UK law by the Human Rights Act 1998.
- The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA).
- The Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-Keeping Purposes) Regulations 2018.
- Telecommunications (Lawful Business Practice Interception of communications) Regulations 2000.
- The implied duty of trust and confidence which exists in all contracts of employment.
- The concept of fairness as applied by Employment Rights Act 1996.
- The Equality Act 2010.
A significant law which applies to most businesses in the UK is data protection law, which is the focus of this guide. The UK GDPR and DPA set out various rules which businesses must ensure they follow when seeking to monitor staff.
There are also certain employment rights which are very important in this context and could create risks. For example, monitoring could lead to adverse reactions from staff and make them feel micromanaged or targeted, even leading to staff suffering from mental health issues. Unlawful monitoring of an employee’s activities could lead to an employee resigning and claiming constructive unfair dismissal. It could also give rise to discrimination issues, if an employee alleges they have been unfairly targeted due to certain issues such as their race or gender. We cover this in more detail our employment law workplace monitoring guide.
Data protection law and the UK ICO’s guidance on monitoring in the workplace
The UK Information Commissioner's Office (ICO) published important updated guidance on monitoring employees in October 2023, following a public consultation.
The ICO's research revealed 70% of the public would find monitoring in the workplace intrusive. As such, it is vital that employers ensure that their staff feel that their privacy rights are prioritised and protected.
The ICO’s guidance seeks to help employers comply with the requirements under the UK GDPR and DPA. This guidance has been eagerly awaited, as an update on the ICO’s position has been critical following the technological advances and rapid rise in homeworking in recent times.
In its press release, the ICO noted the increase in remote working and developments in technology, meaning employers have sought to carry out checks on their workers.
The ICO stated that organisations need to consider both their legal obligations and workers' rights prior to implementing any monitoring in the workplace.
Emily Keaney (Deputy Commissioner, Regulatory Policy at the ICO) noted the importance of this topic, as follows:
'Our research shows that today’s workforce is concerned about monitoring, particularly with the rise of flexible working - nobody wants to feel like their privacy is at risk, especially in their own home.
As the data protection regulator, we want to remind organisations that business interests must never be prioritised over the privacy of their workers. Transparency and fairness are key to building trust and it is crucial that organisations get this right from the start to create a positive environment where workers feel comfortable and respected.
We are urging all organisations to consider both their legal obligations and their workers’ rights before any monitoring is implemented.
While data protection law does not prevent monitoring, our guidance is clear that it must be necessary, proportionate and respect the rights of workers. We will take action if we believe people’s privacy is being threatened'.
It is vital that organisations take the ICO’s guidance extremely seriously when it comes to staff monitoring. In our ever evolving technologically progressive society, employers must balance their right to monitor against the rights of their staff to be protected. The ICO has warned that it will take action if employers breach the relevant rules.
Here is the ICO’s guidance on monitoring workers.
How do I ensure my staff monitoring is lawful?
The law does not stop you from monitoring staff, but you may only do so if you comply with applicable legal rules.
Note the following key rules:
- Article 8 of the Human Rights Act 1998 sets out the right to respect for a private and family life. This is a fundamental right to remember when you are carrying out staff monitoring, as monitoring of staff could infringe upon their rights to a private and family life.
- Data protection laws set out various rules which can be applied in the context of staff monitoring, as this involves the processing of staff personal data. The rules are wide-ranging and apply to all businesses who carry out staff monitoring involving the processing of personal data. The UK GDPR has extra territorial reach and so the rules may also apply to non-UK organisations who fall within its scope.
The ICO’s guidance on employee monitoring – key points for employers
Employers can monitor staff if they do so in a way which is consistent with data protection law rules.
The ICO’s guidance on staff monitoring sets out several issues for employers to consider from a data protection law perspective.
A key point to note is that the rules do not just apply to ‘employees’. These rules apply to all ‘workers’, which we refer to here as ‘staff’. So, you will need to comply with these rules regardless of the type of staff you hire (be they employees or freelancers, or otherwise).
The ICO’s guidance highlights several important steps for employers to take.
Here are some of the key steps employers should take when seeking to monitor staff:
Have a clearly defined purpose for monitoring and use the least intrusive method
Monitoring of staff must be proportionate and conducted in the least intrusive way to achieve your purposes. As such, you must be able to justify that there is no other reasonable and less intrusive way to achieve your purpose, apart from monitoring staff. Note that just because you have an option to monitor staff, this does not mean monitoring is the best way to achieve your purposes. From the outset, it is vital to think about whether you really need to monitor staff, as you will need to be able to justify this if so. Further, you must ensure that you only keep monitoring information which is relevant to its purpose. Do no keep personal data obtained from monitoring for longer than is necessary.
Only monitor staff if you have a ‘lawful basis’ to do so
The processing of personal data is only lawful if you can establish a lawful basis for processing that data, failing which you must not process it. The UK GDPR rules set out six lawful bases for processing personal data. As such, you must establish at least one of these bases in order to process personal data lawfully when carrying out staff monitoring.
There are six potential lawful bases which you may be able to rely upon. These are:
- Consent
- Contract
- Legal obligation
- Vital interest
- Public tasks
- Legitimate interests
However, relying on consent as a lawful basis for processing is difficult in the employment context – due to the significant imbalance of power between employers and staff, meaning it can only be relied upon where staff have a genuine choice over the monitoring.
You should also note that additional considerations apply where you are processing ‘special category personal data’.
Special category personal data means:
- Any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
- Data concerning health or a natural person's sex life or sexual orientation.
- Genetic or biometric data processed for the purpose of uniquely identifying a natural person.
If your monitoring of staff may capture special category data, then in addition to a lawful basis for processing, you must also identify a special category condition for processing. This can be complicated to determine, and you should seek legal advice if you are unsure.
Further rules apply where an organisation collects or uses biometric data to monitor staff. Biometric data means personal data that is unique to an individual and their behaviour or biology, obtained using technology (for example, fingerprints and iris scanning). The ICO guidance states that organisations should consider further security measures when collecting or storing biometric data.
Ensure staff are aware of the monitoring and inform staff about it in a way that is easy to understand
Transparency is a key concept under the UK GDPR. It is vital that you tell staff about the monitoring you plan to carry out. You should also ensure that you tell staff when there are changes to the way in which they are being monitored and keep your privacy information fully up to date. It is important that staff are fully aware of the nature, extent and reasons as to why you are monitoring. You could achieve this by giving staff a clear policy document explaining how they will be monitored and why.You can only carry out covert monitoring in exceptional circumstances. For example, where monitoring is needed to prevent or detect alleged criminal activity or gross misconduct. The ICO’s guidance highlights the need to comply with several detailed criteria and rules when you are carrying out covert monitoring. For example, you will need to carry out a Data Protection Impact Assessment (DPIA) and seek authorisation from senior management.
The ICO’s guidance further suggests that organisations should seek to document the views of workers when planning to introduce monitoring, unless there is a good reason not to. Staff also have a right to object to monitoring in certain circumstances.
Data Protection Impact Assessments may be needed
If you intend to carry out monitoring which is high risk to staff, you must carry out a DPIA (a data protection risk assessment). This is particularly necessary when it comes to using new technologies for monitoring. Some examples of high-risk processing include:
- Using biometric data of individuals
- Keystroke monitoring
- Monitoring which could result in financial loss to individuals
Completing a DPIA will help you identify risks to individual an mitigate against those risks.
Even where DPIAs are not strictly mandatory, employers should consider carrying a DPIA as good practice, given the process will enable them to make better risk-based decisions around monitoring.
Make personal information collected through monitoring available on request
You must ensure that any personal information you collect through monitoring staff is made available to staff if they make a subject access request (unless an exemption applies).
Other situations relating to staff monitoring
These above are some of the key highlights from the ICO’s guidance, which also sets out a range of other data protection law issues to consider when monitoring staff. The ICO’s guidance also covers specific staff monitoring scenarios relevant to some employers, for example around:
- what to do when using monitoring tools that use solely automated processes;
- remote monitoring, in particular where staff are at home;
- monitoring telephone calls, email and messages,
- using video or audio surveillance; and
- monitoring time and restricting access.
- Employers should carefully review the ICO’s guidance and the areas applicable to their staff monitoring practices.
What are the consequences of breaching the rules on monitoring?
Breaching your legal obligations concerning staff monitoring can have several consequences.
For example:
- The ICO has various powers to take action for a breach of data protection law rules, including the power to issue fines of up to the higher of £17.5 million or 4% of a company's annual worldwide turnover for serious breaches. Further, the ICO can issue reprimands and enforcement notices for breaching data protection laws.
- You could suffer from serious reputational damage, particularly if staff feel their privacy rights have been violated.
- You could face grievances from employees for breaching your obligations.
- You could also face claims for compensation for damages and distress, or a claim for constructive unfair dismissal or potential discrimination to defend in an Employment Tribunal. More details on this are provided in our employment law guide on workplace monitoring.
Monitoring staff – key takeaways for employers
Given the vast innovations in technology over the last few years, now is the time to review your monitoring systems and procedures and ensure that they are aligned with the ICO’s expectations as published in its latest guidance.
There are various steps employers should take when carrying out staff monitoring.
Some of the key action points for employers to consider include the following:
- Conduct an audit of your workplace monitoring and document your reasons for staff monitoring, including any changes in recent years.
- Ensure you notify staff of the nature, extent, and rationale of your monitoring, as mentioned above. Further, consider if you have appropriate documentation in place relating to staff monitoring. For example, a data protection policy and staff privacy notice. Check if these documents need to be updated considering the ICO’s guidance. Consider implementing a comprehensive electronic monitoring policy and ensuring staff read and understand it.
- Ensure you comply with all applicable data protection law requirements when processing staff data for the purposes of monitoring, including having an appropriate lawful basis, collecting only minimal data and ensuring your processing of data is fair. You will also need to ensure that you delete any personal data collected through monitoring when you no longer need it. Your time periods for retention for such data can be set out in a Data Retention Policy.
- Carry out a DPIA before engaging in any monitoring activities involving high risk processing. Also, take special care where you intend to carry out covert monitoring or monitoring of biometric data. You will need to comply with strict legal rules when doing so.
- If you engage a third-party provider to carry out monitoring of staff, ensure you take steps to actively assess the service provider's compliance with the UK GDPR.
- Consider the impact of the ICO’s latest guidance on your staff monitoring. Review whether you need to make any changes to your current procedures to comply with the guidance.
Whilst this guide focusses on the key staff monitoring issues under UK data protection law, employers will also need to consider the legal implications of any other relevant laws concerning staff monitoring.
Conclusion
A lot has changed in the employment space since the COVID-19 pandemic and remote working is rife and often demanded by staff, to allow flexible working patterns in the modern world. We talk about the challenges for HR professionals in our guide to data protection in HR.
Whilst monitoring staff can be a legitimate concern for employers, you must always remember the need to balance this concern with the requirement to protect the privacy rights of individuals. Not only will building good data practices around staff monitoring help you comply with your legal obligations, it will also help you develop a culture of trust with your team.
Employers who fail to comply with the ICO’s guidance are at risk of breaching the data protection law rules and could face several negative consequences. Further, your organisation may also face potential employment law claims (such as claims for unfair dismissal, or discrimination) and other claims.
In practice, the balance between legitimate monitoring and complying with several legal obligations can be difficult for employers to navigate. We can provide employers support with advice on both employment and data protection law issues and are here to help you address these complex issues.