There are many reasons why monitoring employees is a good business practice. Employees do, however, have a right to privacy when they are at work. So, when monitoring employees, you need to know the extent to which you can impinge on that right to privacy. This guide to monitoring employees sets out to address the issues involved.
In the UK there is no data privacy law which specifically deals with whether or how employers can monitor employees. Instead, it is necessary to look at different pieces of legislation and case law to work out when monitoring employees is allowed and how to do it. Here we provide a guide on what monitoring is allowed and in what circumstances and what needs to be in place for it to be lawful.
What are the laws that apply to monitoring employees?
There are different laws that can apply to monitoring employees. Which ones apply will depend on what you are monitoring and why. The relevant law includes:
- Article 8 of the European Court of Human Rights, which has been incorporated into UK law by the Human Rights Act
- General Data Protection Regulation (GDPR) and Data Protection Act 2018
- Regulation of Investigatory Powers Act 2000 and Investigatory Powers Act 2016
- Telecommunications (Lawful Business Practice Interception of communications) Regulations 2000
- Implied duty of trust and confidence which exists in all contracts of employment
- The concept of fairness as applied by Employment Rights Act 1996
- Equality Act 2010
What do we mean by ‘monitoring employees’?
Monitoring means looking at what your employees are doing during work time and includes:
- Email content and senders and recipients of emails
- Internet use and destination sites (by use of ‘cookies’ or ‘web prints’)
- App usage
- Computer screen monitoring
- Keystroke counting
- Webcams
- Telephone use and conversation content
- CCTV and video/audio surveillance undertaken in an employer’s workplace and the surrounding areas
- GPS vehicle tracking
- Access badge location tracking
- Searching bags or lockers etc.
- Drug testing (it is best to have this set out in a separate ‘Substance Misuse Policy’)
- Bio-tracking, which looks at vital signs and moods
- Micro-chipping employees (yes – this isn’t now just a plot line in a Bond film, it has been done by an American company to volunteer employees!)
- Productivity checking handheld devices/wristbands
Technology has now made monitoring very easy to do, but just because it’s available in the marketplace does not mean you can automatically use it. When you use technology to monitor employees you must still comply with the law.
Monitoring can be done in two ways:
- Overtly – where the employees are made aware that they are being monitored and the reasons why, with the monitoring taking place in plain sight.
- Covertly – where the employee is unaware they are being monitored before the monitoring takes place and, in some cases, might never find out it has taken place.
Why might an employer want to monitor its employees?
There are many lawful reasons why you might wish to monitor your employees. Lawful reasons for monitoring employees include:
- Assessing performance and productivity, to improve it
- Ensuring company procedures are being followed
- Investigating breach of company rules or misconduct
- Preventing damage to an employer’s reputation
- Reducing or assessing loss of business
- Protecting employees and the public against harassment and discrimination
- Protecting the employer, its employees and the public against defamation
- Preventing the transmission of confidential information and trade secrets
- Preventing accidental formation of contracts and breaches of contract
- Preventing copyright infringement, whether the copyright belongs to the employer or third party
- Preventing hacking
- Preventing transmission of viruses and other malware that could attack the employer’s system
- Assessing employee negligence
What is the right to privacy at work?
As was said in a recent case, ‘an employer’s instructions cannot reduce private social life in the workplace to zero’. This clearly establishes two principles:
- an employee has some right to privacy at work, even during the time for which they are receiving pay and when they have been informed that they are being monitored; and
- an employer cannot put in place policies that completely remove that right to privacy.
This was an ECHR case though, and so it remains to be seen whether the same would be followed in the UK. There is no absolute right to privacy at work, but if an employee has a reasonable expectation of privacy relating to certain information or a certain location, you will have to ensure that any monitoring of that information or location is necessary, justified and proportionate. Prior to the Data Protection Act 1998 coming into force, the Information Commissioner’s Office (ICO) released the Employment Practices Code, which, although not updated to reflect the introduction of the DPA and GDPR, is still a useful guide for employers on the right to privacy and employee monitoring.
How do you lawfully monitor employees?
Given that employees have the right to privacy, how do you lawfully monitor them?
If you want to monitor emails, internet usage and all other things that involve data (which would include GPS location), images or drug testing, this electronic surveillance involves processing personal data and so you need to ensure that you comply with the DPA 1998 and the GDPR.
To comply with the Data Protection Act and GDPR, surveillance must be necessary, justified and proportionate. In order to assess this, you need to carry out an impact assessment. It is not intended to be a complicated or formal process, but it is advisable to keep a written record of the impact assessment so that you have evidence of your decisions at each stage, can ensure you are acting consistently, and can justify the monitoring if you are asked to do so at a later time.
This means asking yourself the following questions:
Step 1 | If you are already monitoring employees, what monitoring are you doing? | You need to undertake an audit to understand what types of monitoring are being carried out, who in your organisation has the authority to monitor employees and why it is being carried out. |
Step 2 | Why is the monitoring being, or to be, carried out? | You need to understand the purpose behind your decision to monitor employees. As set out above, there are many lawful reasons why you might want to monitor your employees. In carrying out the impact assessment, you need to be specific about why you are monitoring your employees because the information you collect from that monitoring can only be used for the purpose for which it was collected. There is a useful exception to this. This exception is if the monitoring shows activity that you could not reasonably ignore. Examples of this are likely to include potential criminal activity or evidence of potential gross misconduct. |
Step 3 | Can you achieve what you want without monitoring? | Once you have identified the reason why you are undertaking the monitoring, you need to assess whether you can achieve it without monitoring. So, if you want to protect the security and integrity of your computer system and you are thinking about monitoring what websites your employees visit or what files they download or upload, so they don’t go to unsecure sites that could result in viruses or malware on your system, there are various ways this can be achieved without monitoring employees. You can use various tools available that can block inappropriate websites, prevent employees from sending or receiving files of a certain size or from certain accounts, and prevent employees from having the authority or ability on your system to download or upload files. |
Step 4 | If you cannot achieve it without monitoring, is there a less intrusive way of monitoring than the one you are contemplating? | For example, if you want to ensure that employees are not breaching confidentiality relating to company information, you could have an individual checking emails sent by employees and looking at the content. This is a very intrusive method of monitoring, whereas a less intrusive method would be to have automated monitoring (not overseen by someone) looking at email addresses or subject matter, blocking emails with attachments of a certain size or checking for specific words or phrases. |
Step 5 | What is the impact on the employee of monitoring them? | As this is an impact assessment you are carrying out, it is essential that you assess the impact of what you are doing, or proposing to do, on your employees. You need to look at how much the monitoring encroaches on their private lives, including whether it reveals confidential or sensitive information. To do this, ask yourself the following questions: Is the monitoring likely to be regarded as belittling or unfair by employees? This means considering how you would feel about it if the monitoring was done to you. This can be tricky because you are likely to see a good business reason for monitoring. Is there any impact on your duty of trust and confidence? This is an obligation on both employer and employees that is contained in all contracts of employment by law, which requires neither to do anything that is likely or calculated to cause trust and confidence to be undermined. You need to note that if what you are doing or proposing to do is likely to undermine trust and confidence, it does not matter whether that is what you intended; it will still undermine the relationship. This is important because if you do this, an employee can potentially resign and claim constructive unfair dismissal. Will any confidential or sensitive information be revealed to people in your organisation who do not have a business need to see such information? You cannot completely remove an employee’s right to privacy in the workplace, and that means they are able to use your business computer systems for private matters that could quite easily include confidential or sensitive information. For example, they could refer to the balance of their bank account in an email or a doctor’s appointment in their calendar. This is not something that just anyone in your organisation should or needs to see. It is therefore important that you ensure that only those who have a business need to see the information do so. Examples: Your HR manager might have a legitimate business reason to know an employee’s salary, but only your accounts manager needs to know their bank account details to facilitate their salary payments. Your accounts team might need to know that a person has been absent from work on sick leave (to enable sick pay to be made), but only your HR manager needs to know the medical reasons for the sick leave. |
Step 6 | Can the monitoring be justified? | Once you have gone through the first 5 steps, you need to make a clear decision about whether you can justify the monitoring. In general terms, it is going to be easier to justify monitoring that is less intrusive and that employees know about. Another helpful way to justify the monitoring is to consult with your employees about what and how you are going to monitor. It is best to leave justifying more intrusive monitoring until you are likely to need it, for example, when there is a serious risk of damage to your business. |
When is it illegal to monitor employees?
It is illegal to monitor employees not only if you do not carry out the impact assessment correctly, but also when there is a legitimate expectation of privacy.
If the employee had a reasonable expectation of privacy in relation to communications, Article 8 will be engaged, otherwise it will not. If the employee has a reasonable expectation of privacy, the court would then consider whether the interference with that privacy was lawful and proportionate.
In some instances it is difficult to see how monitoring would ever be proportionate, for example monitoring in toilets, prayer rooms, breastfeeding areas or monitoring of vehicles during the time an employee has personal use of the work vehicle.
Does an employer need consent to monitor the employee?
If you have carried out your impact assessment properly then it is unlikely that you would need to have your employees’ consent. This is helpful. It used to be that you needed to show the employee consented, but it is unlikely in an employment relationship that consent would be regarded as being given freely. It is therefore best to rely on a business need for the monitoring.
Do you need to tell employees you are monitoring them?
Yes, you should advise your employees of the monitoring which will take place at work and the reasoning for it in order to comply with the GDPR in processing personal data in a fair, lawful and transparent manner. There are limited circumstances when you can monitor employees without letting them know. Specifically, the exception applies if:
- you suspect the employee is committing a crime;
- it is reasonable to conclude that letting the employee know would make it harder to detect the crime; and
- you only covertly monitor for a specific investigation and cease monitoring as soon as the investigation is concluded.
What should employers do with information collected from monitoring?
Once you have collected the information from monitoring, you have various obligations under the DPA 1998 and GDPR on how you use and store that data.
- Once you have the data, you cannot use it in any way unless you can satisfy that you are doing so for a reason allowed under the DPA 1998 or GDPR.
- Once you have your reason, you can only use the information for the purpose for which it was collected.
- Only keep information that is relevant and not excessive.
- Once you have the data, ensure that it is accurate at the time of collecting and then ensure you keep it up to date.
- Do not keep the information for longer than you need for the purposes that you gathered it in the first place, or as required by law (for example, payroll information needs to be kept for 3 years from the end of the tax year it relates to).
- Ensure the data is processed in a way which is consistent with the employee’s rights under the DPA 1998 and GDPR.
- Make sure that only those who need to access the information see it. They need to have been trained, be fully aware of their obligations and be subject to confidentiality obligations.
- Do not accidentally destroy or damage the information.
- Do not transfer the information or data outside the European Economic Area unless there are comparable data and privacy rights in relation to personal data.
- Ensure that you balance your need to gather and process the information against the employee’s right to privacy.
If you are unsure about your obligations in respect of the collection or storage of employee data, seek guidance from the ICO or a specialist legal adviser, who will be able to guide you in your business’ specific circumstances.
What are the consequences of illegal monitoring and breaching the employee’s privacy?
Breaching your obligations to employees can have several consequences:
- a grievance from an employee;
- a complaint to the Information Commissioner’s Office, which would involve your organisation being investigated and could mean receiving a fine of up to £500,000, an order requiring you to rectify or destroy inaccurate data, or prosecution for criminal offences;
- a claim for compensation for damages and distress;
- a claim for constructive unfair dismissal or potential discrimination to defend in an Employment Tribunal.
Tips on developing a workplace monitoring policy
Given the need for employees to be informed of what monitoring you are doing, it is important for you to have a policy that covers monitoring employees. It should include:
- When email use is monitored;
- Why email use is being monitored;
- How the information collected will be used; and
- Who the information collected will be disclosed to.
However, you should not stop there. You should have a precisely drafted and comprehensive electronic monitoring policy. Once you have written your policy, it is important that you inform your employees of the policy and make it accessible to them. It is advisable to keep a record of employees’ acknowledgement that they have been informed about the policy. Practically speaking, this means:
- Give a copy of the policy to employees when they start employment;
- Ask employees to confirm they have read and understood the policy not only when it is implemented but also every time it is amended or updated;
- Issue reminders about the policy; and
- Provide regular training to employees, managers and those who are receiving monitored data.
It is crucial that, whenever issues arise from monitoring employees at work, you treat each case consistently and fairly. If you do not, you will expose your organisation to potential claims for unfair dismissal and discrimination. If you genuinely have a reason for treating someone differently under the policy, then ensure you keep a written record of that reason. Again, if you are unsure, seeking legal advice on employment law at an early stage is advisable.