Monitoring employees and data protection

Is it transparent, reasonable and proportionate?

There are plenty of reasons why employers might want to monitor staff: to check they’re working, to detect and prevent criminal activity, to make sure people are complying with internal policies, to check their performance, for safety and security reasons, and so on.

With significant advances in technology, there are multiple options available for employers seeking to monitor their workforce, such as:

  • Camera surveillance, including CCTV and body worn cameras
  • Webcams and screenshots
  • Monitoring timekeeping or access control using biometric data
  • Keystroke monitoring
  • Internet tracking for misuse
  • Covert audio recording

Add the growing number of AI-powered solutions into the mix, and the opportunities are seemingly endless. I’ve even seen demos of AI tools which sentiment-check emails, scanning the language employees use to detect content which might be discriminatory, bullying or aggressive.

Just because a range of monitoring technologies exists doesn’t mean we should use them.

A survey commissioned by the UK’s Information Commissioner’s Office in 2023 revealed almost one in five people believe they’ve been monitored by their employer, and would be reluctant to take a job if they knew they were going to be monitored. This research showed 70% of the public believe it’s intrusive to be monitored in the workplace.

However, there is a broad understanding employers might carry out checks on the quality and quantity of their work and an appreciation there may be a necessity to do this proportionately to meet health and safety or other regulatory requirements. Emily Keaney, the ICO’s Deputy Commissioner of Regulatory Policy says “While data protection law does not prevent monitoring, it must be necessary, proportionate and respect the rights and freedoms of workers. We will take action if we believe people’s privacy is being threatened.”

Earlier this year, the ICO did just that, and ordered a leisure company to stop using biometric data to monitor their staff. You can read more about the case here: using biometrics to monitor staff

To prevent monitoring employees in an overly intrusive and disproportionate way, it’s crucial to carefully consider any planned monitoring activity and make sure it’s a reasonable thing to be doing.

Workplace monitoring checklist

Here are some of the key considerations to take into account:

1. Is it lawful, fair and transparent?

To be lawful you need to identify a lawful basis under UK GDPR and meet relevant conditions. Remember, consent would only work where employees have a genuine and fair choice. Often an imbalance of power means consent is not appropriate in an employee context. Employees may feel duty-bound to give consent and therefore there may be an imbalance.

You may be tempted to rely on your employment contract with individuals (i.e. the ‘contractual necessity’ lawful basis), but this would need to be genuinely necessary. Many employers may choose to rely on legitimate interests, but this requires a balancing test, and we’d highly recommend conducting and keeping a record of your Legitimate Interests Assessment (LIA).

To be fair you should only monitor workers in ways they would reasonably expect, and in ways which wouldn’t have unjustified adverse effects on them. The ICO says you should conduct a Data Protection Impact Assessment to make sure any monitoring is fair and proportionate.

To be transparent you must be open and upfront about what you’re doing. Monitoring should not routinely be done in secret. Monitoring conducted without transparency is fundamentally unfair. There may however be exceptional circumstances where covert monitoring is justified.

2. Will monitoring gather special category data?

If monitoring involves special category data, you’ll need to identify a special category condition, as well as a lawful basis. Special category data includes data revealing racial or ethnic origin, religious, political or philosophical beliefs, trade union membership, genetic and biometric data, data concerning health or data about a person’s sex life or sexual orientation.

You may not automatically think this is relevant, but be mindful that even monitoring emails, for example, could lead to the processing of special category data if appropriate controls are not in place.

3. Have you clearly set out your purpose(s) for employee monitoring?

You need to be clear about your purpose(s) and not monitor workers ‘just in case’ it might be useful. Personal details captured should not subsequently be used for a different purpose, unless this is assessed to be compatible with the original specified purpose(s).

4. Are you minimising the personal details gathered?

Organisations are required to not collect more personal information than they need to achieve their defined purpose(s). This should be approached with care as many monitoring technologies and methods have the capability to gather more information than necessary. You should take steps to limit the amount of data collected and how long it’s necessary to retain it for.

5. Is the information gathered accurate?

You need to take all reasonable steps to make sure the personal information gathered through monitoring workers is accurate and not misleading, or taken out of context, and people should have the ability to challenge the results of any monitoring.

6. Have you decided how long information will be kept?

Personal information gathered must not be kept for any longer than is necessary. It shouldn’t be kept just in case it might be useful in future. Organisations must have a data retention schedule and delete any information in line with this. The UK GDPR doesn’t tell us precisely how long this should be, but other laws might. Organisations need to be able to justify any retention periods they set.

7. Is the information kept securely?

You must have ‘appropriate technical and organisational measures’ in place to protect personal information. Technical measures include things like firewalls, encryption, multi-factor authentication, and so on. Data security risks should be assessed, access should be restricted, and those handling the information should receive appropriate training.

If monitoring is outsourced to a third-party processor, you’ll be responsible for compliance with data protection law.

8. Are you able to demonstrate your compliance with data protection law?

Organisations need to be able to demonstrate their compliance with UK GDPR. This means making sure appropriate policies, procedures and measures are put in place for workplace monitoring activities. And let’s also consider any monitoring of workers who work from home, or other ‘offsite’ locations. As with everything this must be proportionate to the risks. The ICO says organisations should make sure ‘overall responsibility for monitoring workers rest at the higher senior management level’.

Monitoring people is by its very nature intrusive; it must be proportionate and justified, and people should in most circumstances be told it’s happening.

The ICO has published detailed guidance on this: Employment practices and data protection: monitoring workers. The regulator’s overriding message is that organisations should carry out a DPIA if they’re considering monitoring their staff.