Workplace monitoring – justified or intrusive?

October 2023

Almost one in five people believe they’ve been monitored by an employer, and would be reluctant to take a new job if they knew they were going to be monitored. Research commissioned by the UK’s Information Commissioner’s Office (ICO) also shows 70% of the public believe it’s intrusive to be monitored in the workplace.

However, the research also shows workers generally understand employers might carry out checks on the quality and quantity of their work. Similarly, they appreciate the necessity of monitoring for health and safety reasons, or to meet other regulatory requirements.

There are plenty of reasons why employers might want to monitor staff; to check they’re working, to detect and prevent criminal activity, ensuring policy compliance, and for safety and security reasons.

With more people working from home and advances in technology, there are multiple options for employers seeking to monitor their workforces;

  • Camera surveillance, including body worn cameras
  • Webcams and screenshots
  • Monitoring timekeeping or access control
  • Keystroke monitoring
  • Internet tracking for misuse
  • Covert audio recording

I’ve even heard of AI which sentiment checks emails. This scans language to detect content that might be discriminatory, bullying or aggressive. Personally, I find this terrifying. Imagine if this technology were available during the ‘Reds under the bed’ paranoia of 1950s America, or indeed 1930s Germany?

The fundamental question is this – just because you can monitor staff, should you?

The ICO has recently published guidance: Employment practices and data protection – monitoring workers. Emily Keaney, Deputy Commissioner – Regulatory Policy at the Information Commissioner’s Office, says; “While data protection law does not prevent monitoring, our guidance is clear that it must be necessary, proportionate and respect the rights and freedoms of workers. We will take action if we believe people’s privacy is being threatened.”

Summary of workplace monitoring considerations

1. Is your workplace monitoring lawful, fair and transparent?

To be lawful you need to identify a lawful basis under UK GDPR and meet relevant conditions. Remember consent would only work where employees have a genuine choice. Often an imbalance of power means consent is not appropriate in an employee context.

To be fair you should only monitor workers in ways they would reasonably expect, and in ways which wouldn’t have unjustified adverse effects on them. The ICO says you should conduct a Data Protection Impact Assessment to make sure monitoring is fair.

To be transparent you must be open and upfront about what you’re doing, monitoring should not routinely be done in secret. Monitoring conducted without transparency is fundamentally unfair. There may however be exceptional circumstances where covert monitoring is justified.

2. Will monitoring gather sensitive information?

If monitoring involves special category data, you’ll need to identify a special category condition, as well as a lawful basis.

Special category data includes data revealing racial or ethnic origin, religious, political or philosophical beliefs, trade union membership, genetic and biometric data, data concerning health or data about a person’s sex life or sexual orientation.

You may not automatically think this is relevant, but be mindful even monitoring emails, for example, is likely to lead to the processing of special category data.

3. Have you clearly set out your purpose(s) for workplace monitoring?

You need to be clear about your purpose(s) and not monitor workers ‘just in case’ it might be useful. Details captured should not subsequently be used for a different purpose, unless this is assessed to be compatible with an original purpose.

4. Are you minimising the personal details gathered?

Organisations are required to not collect more personal information than they need to achieve their defined purpose(s). This should be approached with care as many monitoring technologies and methods have the capability to gather more information than is necessary. You should take steps to limit the amount of data collected and retained.

5. Is the information gathered accurate?

The ICO says organisations must take all reasonable steps to make sure the personal information gathered through monitoring workers is not incorrect or misleading and people should have the ability to challenge the results of any monitoring.

6. Have you decided how long information will be kept?

Personal information gathered must not be kept for any longer than is necessary. It shouldn’t be kept just in case it might be useful in future. Organisations must have a data retention schedule and delete any information in line with this. The UK GDPR doesn’t tell us precisely how long this should be, organisations need to be able to justify any retention periods they set.

7. Is the information kept securely?

You must have appropriate organisational and technical measures in place to protect personal information. Data security risks should be assessed, access should be restricted, and those handling the information should receive appropriate training.

If monitoring is outsourced to a third-party processor, you’ll be responsible for compliance with data protection law. Processors will have their own security obligations under UK GDPR.

8. Are you able to demonstrate your compliance with data protection law?

Organisations need to be able to demonstrate their compliance with UK GDPR. This means making sure appropriate policies, procedures and measures are put in place for workplace monitoring activities. As with everything this must be proportionate to the risks. The ICO says organisations should make sure “overall responsibility for monitoring workers rest at the higher senior management level”.

Monitoring people is by its very nature intrusive, it must be proportionate, justified and people should in most circumstances be told it’s happening. The overriding message from the ICO is carry out a Data Protection Impact Assessment if you’re considering monitoring people in the workplace. This should fully explore any impact on people’s rights and freedoms.