Monitoring employees can be an effective way for employers to safeguard their staff from unsafe working practices or the threat of crime. Monitoring can also be used to ensure that staff are conducting themselves in accordance with workplace rules and, in limited cases, to prove misconduct in the context of disciplinary action. The use of different monitoring methods can even help to minimise the incidence of malpractice or misconduct at work.
However, any activity used to monitor employees must not breach workers’ rights to privacy and must adhere to UK data protection rules.
The following practical guidance for employers looks at what the law says on monitoring employees, and employee rights in this context, as well as the lawfulness of employers monitoring remote workers. We also look at the implications of unlawfully monitoring employees and best practice advice for employers on remaining legally compliant.
What does the law say about monitoring employees at work?
There are a number of ways in which employers might monitor employees. This could include the use of CCTV, fleet vehicle-trackers and drug-testing, where each scenario gives rise to legal considerations relating to both data protection and the right to privacy.
In broad terms, data protection law covers any type of employee monitoring that involves taking data and images, or samples of hair or bodily fluids for testing. However, the nature and extent of the law in the context of data protection will depend on the type of monitoring used by the employer and the circumstances in which this is carried out.
Equally, when it comes to the right to privacy, much will depend on the method of monitoring and the purpose for which this is used, where covert or overly intrusive monitoring at work will usually be construed as a violation of an employee’s human rights.
Using cctv & video recordings
By law, employers can monitor the activities of those on their premises using closed circuit television (CCTV), although there are various risks associated in doing so. This is because when it comes to video footage captured by CCTV, this constitutes personal data under the United Kingdom General Data Protection Regulation (UK-GDPR). This means that there are strict rules that must be followed by employer’s when collecting and processing this data.
In certain scenarios, the use of CCTV in the workplace may also constitute a breach of the employee’s right to privacy, as well as a breach of the duty of mutual trust and confidence implied into all employment contracts. In circumstances where CCTV is misused, such as without the employee’s knowledge, this could result in irreparable damage to the employment relationship and a claim for constructive dismissal following their resignation.
Under the UK-GDPR, although employers are legally entitled to monitor their employee’s activities, they must have a legitimate business reason to do so and only use the footage for the purpose for which it was obtained. The employer must also make staff aware that CCTV is installed on their premises and in active use, as well as the purpose for which this surveillance will be used. For example, it is perfectly legitimate for an employer to install CCTV for safety and security reasons, thereby safeguarding their property and staff from the threat of crime, but there must be clear signage stating that CCTV is being operated.
However, where CCTV has been deployed solely for the prevention and detection of crime, any alternative use of personal data captured in this way will be unlawful under data protection law. This includes the use of CCTV footage in the context of disciplinary action, even if this provides irrefutable evidence of misconduct on the part of an employee.
Equally, covert CCTV surveillance, where cameras are secretly installed, will only ever be justifiable in exceptional circumstances, such as where there are grounds to suspect criminal activity or serious malpractice. Even in these exceptional circumstances, any covert surveillance should only be targeted at those under suspicion. Covert surveillance should also only be undertaken for limited periods and as part of an outside investigation.
Using fleet vehicle-trackers
There is no specific prohibition against the use of vehicle-trackers, although employers must again comply with the rules relating to data protection and respecting the employee’s right to privacy. This is because any data that is collected from a vehicle-tracking device, including a vehicle’s location, speed, movement and stopping times, links the performance of driver’s to their identity, giving rise to both personal data and privacy issues.
This essentially means that it is not unlawful for an employer to use vehicle-tracking devices, provided the employee is aware of the device and has expressly consented to its use. The employer must also have a legitimate commercial reason for tracking the vehicle.
Vehicle-tracking devices will often be used by logistics companies to monitor a driver’s location and manage a fleet remotely, although there are various other legitimate reasons to support the use of fleet vehicle-trackers. These could include taking steps to minimise fuel consumption caused by speeding and other unsafe driving habits or implementing anti-theft measures. As such, employers are legally allowed to monitor things like mileage, hours on the road, routes used and even driver behaviour, so long as the vehicle is designated for business use and there is a business need for the data being collected in this way.
However, as with CCTV footage, the data collected using GPS tracking technology should only be used for the business purpose for which it was originally collected, where using a vehicle tracker to monitor employee behaviour or to prove employee misconduct in the context of a disciplinary hearing could potentially be classed as a misuse of personal information and a breach of privacy. Still, unlike the use of CCTV, there is greater overlap here between legitimate business reasons and the incidence of employee misconduct.
For example, if GPS data reveals excessive vehicle speeds, this is a matter for which an employer is entitled to collect data for safety reasons and so can probably also use as evidence of misconduct against an employee. In contrast, data collected to monitor vehicle location for customer deliveries, that is also used as evidence of an employee collecting their children from school during working hours, is arguably a misuse of that data.
To stay within the confines of the law, the employer must additionally ensure that data collected using a GPS vehicle-tracker is only ever collected during working hours. If private use of a vehicle is allowed, monitoring the movements of a vehicle in the employee’s own time will rarely be justified, not unless the employer has an employee’s express consent.
Using workplace drug-testing
Data protection and privacy issues also come into play in the context of drug-testing at work. However, given the intrusive nature of asking staff to provide either a hair or bodily fluid sample for drug-testing, it will be much harder to justify its legitimate use.
Drug-testing in the workplace can only usually be justified for health and safety reasons, ie; where there are safety-critical elements to a job role — whether this be the health and safety of the employee, the workforce as a whole and/or the wider public. Typically arising within the transport or construction industries, healthy and safety issues can be linked to driving, operating heavy lifting equipment, and using machinery or electrical equipment.
This essentially means that an employer should not implement a drug-testing policy unless there is good reason to do so and this provides significantly better evidence of impairment than other less intrusive means. The employer must also have the employee’s consent, having explained to the employee what substances they are being tested for and why.
If an employee agrees to be tested for drugs or alcohol and they fail that test, depending on the circumstances, this may justify disciplinary action, including dismissal. Still, a positive test result does not necessarily justify dismissal or other disciplinary sanctions, not unless there is clear evidence of illicit use at work. The employer may first need to explore the underlying cause of any positive test result before taking action. In circumstances where an employee has tested positive for prescribed medication, the employer may also need to make reasonable adjustments to an employee’s job role to minimise the impact of that medication, otherwise risk an allegation of unlawful disability discrimination.
ICO guidance on monitoring employees at work
In October 2023, the UK’s data regulator, the Information Commissioner’s Office (ICO), issued guidance, “Employment practices and data protection − Monitoring workers”, for employers on monitoring workers.
The guidance was developed in light of the widespread adoption of hybrid working and increased use of monitoring tactics by employers, such as tracking keystrokes, using webcam footage or audio recordings and utilising specialist monitoring software.
In summary, the ICO guidance says that any tracking must be done in the “least intrusive” way possible and that workers must be made aware explicitly of the “nature, extent and reasons for monitoring”. Employers also need a lawful basis for processing workers’ data for monitoring purposes, through for example employee consent or legal obligation.
Cases of “excessive” employee surveillance that contravene workers’ privacy rights can result in enforcement action by the ICO, including fines against the employer.
Employee rights
When it comes to an employee’s rights around workplace monitoring, much will depend on the nature and extent of the method being used to monitor members of staff.
For example, the use of CCTV in the workplace is not, of itself, a breach of an employee’s rights. However, this does not give an employer the freedom to monitor every staff movement, nor to single out individual members of staff for surveillance, not unless there is an outside investigation into malpractice or criminal activity. Equally, where staff have a reasonable expectation of privacy, such as in toilets or changing rooms, any use of CCTV will almost certainly expose an employer to potential breaches of both data protection and human rights laws, as well as breach of the implied duty of mutual trust and confidence.
In most cases, the nature and extent of an employee’s data protection and privacy rights should be set out in writing in a staff handbook, on the staff intranet site or in individual workplace policies. However, in any instance where the use of monitoring employees is overly intrusive or disproportionate to the purpose for which it is intended to be used, regardless of what is specified in writing in any workplace policy or otherwise, this will potentially be a breach of the employee’s data protection and privacy rights. The employee may also be entitled to hand in their notice and claim constructive dismissal.
Can an employer monitor remote workers?
It is not illegal to monitor staff while they work from home using online surveillance techniques, such as time-tracking software or logging keystrokes, or by tracking internet and email use, although data protection and privacy concerns will again be relevant here.
In many cases, rather than using online surveillance, employers may want to opt to keep tabs on employee productivity, such as tracking time sheets and setting regular staff targets. It is often about finding a balance between the employer’s rights to ensure that their staff are working productively, against the data protection and privacy rights of their employees.
Getting it wrong
There are various implications when monitoring employees is not conducted within the confines of the law, including legal action against the employer for an infringement of UK-GDPR or a violation of an employee’s human rights. In addition to any claim for misuse of personal information or breach of privacy, the employer could also be exposed to:
- a claim for constructive dismissal where an employee has forcibly resigned for breach of the implied duty of mutual trust and confidence, or
- a claim for unfair dismissal where evidence of misconduct obtained from monitoring has been misused in disciplinary proceedings.
However, there are a number of ways that employers can go about monitoring employees at work, while not breaching the information and privacy rights of their workforce.
Best practice
Monitoring employees is not, of itself, unlawful. However, it can be construed as a breach of personal information and privacy rights if employers either fail to follow the rules around data protection and/or take their surveillance methods too far.
The following best practice advice provides employers with three key ways to remain legally compliant:
- Put in place clear workplace polices that outline in detail the nature and extent of any monitoring methods, for example, a separate CCTV, vehicle-tracking and drug-testing policy. In this way, employers can let their employees know how, when and why they are being monitored, as well as how any personal data collected in these ways will be used.
- Obtain employee consent, where the employee’s contract of employment should make provision for their consent, either by way of a specific contractual clause or under any incorporated workplace policy signposted within that contract. Alternatively, the employer should obtain the employee’s express written consent, signed and dated.
- Conduct a data protection impact assessment prior to deploying any monitoring methods to weigh up the benefits of using surveillance against any adverse impact on employees, as well as any alternative means that may be used. By having an impact assessment in place, this will help to justify the legitimate and proportionate use of monitoring.
Need assistance?
DavidsonMorris’ HR consultants provide specialist guidance to employers on all aspects of workforce management and engagement, including advice on the legal and HR considerations of employee monitoring. For expert support, contact us.
Monitoring employees FAQs
Is it legal to monitor employees in the UK?
Employers can monitor employees in the UK, but they must comply with data protection laws, including the UK GDPR and the Data Protection Act 2018. Monitoring must be necessary, proportionate, and transparent.
What types of employee monitoring are commonly used?
Common methods include email and internet usage tracking, CCTV surveillance, call monitoring, keystroke logging, and location tracking for remote or field workers. Employers must ensure these methods are legally justified and employees are informed.
Do employers need to inform employees about monitoring?
Employers must clearly inform employees about any monitoring activities through workplace policies, contracts, or privacy notices. Employees should know what is being monitored, why it is being done, and how their data will be used.
Can employers monitor personal emails and phone calls?
Employers can only monitor personal communications if there is a legitimate business reason, and employees have been informed in advance. Personal data should be handled carefully to avoid breaching privacy rights.
What are the key legal considerations when monitoring employees?
Employers must ensure monitoring complies with the principles of lawfulness, fairness, and transparency. They should conduct a data protection impact assessment (DPIA) to assess risks and demonstrate compliance with data protection laws.
Can employees refuse to be monitored?
Employees cannot outright refuse lawful and proportionate monitoring, but they have the right to challenge excessive or intrusive monitoring that violates their privacy rights.
How can employers balance monitoring with employee privacy?
Employers should adopt a proportionate approach, monitor only what is necessary, and establish clear policies that balance business needs with respect for employee privacy.
What are the consequences of unlawful monitoring?
Failure to comply with data protection laws can lead to legal action, reputational damage, and financial penalties imposed by the Information Commissioner’s Office (ICO).
Are employers required to conduct impact assessments before monitoring?
For high-risk monitoring activities, such as covert surveillance or biometric data collection, employers must carry out a Data Protection Impact Assessment (DPIA) to identify and mitigate privacy risks.
What should be included in an employee monitoring policy?
A monitoring policy should outline the types of monitoring used, the purpose, the legal basis, employee rights, data storage periods, and contact details for further inquiries.
Glossary
| Term | Definition |
|---|---|
| Employee Monitoring | The process of tracking employee activities in the workplace to ensure compliance, productivity, and security. |
| UK GDPR | The United Kingdom General Data Protection Regulation, which governs the collection and use of personal data. |
| Data Protection Act 2018 | UK legislation that sets out the framework for data protection, complementing the UK GDPR. |
| Data Protection Impact Assessment (DPIA) | A process used to assess and mitigate privacy risks associated with monitoring employees or processing their personal data. |
| Privacy Notice | A document provided to employees explaining how their personal data is collected, used, and stored by the employer. |
| Lawful Basis | The legal justification required under data protection laws for processing employee data, such as legitimate interest or consent. |
| Proportionality | The principle that any monitoring should be reasonable and not excessive in relation to the intended purpose. |
| Transparency | The obligation of employers to inform employees about any monitoring activities and how their data will be used. |
| Legitimate Interest | A legal basis under the UK GDPR that allows employers to process data if it is necessary for business purposes and does not override employee rights. |
| CCTV Surveillance | The use of closed-circuit television cameras to monitor employees in the workplace for security or compliance purposes. |
| Keystroke Logging | A monitoring method that records keyboard activity to track employee productivity or detect unauthorised actions. |
| Call Monitoring | The practice of recording or reviewing employee phone calls for quality control, compliance, or training purposes. |
| Internet Usage Tracking | Monitoring employees’ internet activity to ensure appropriate use of company resources and compliance with policies. |
| Workplace Policy | A set of rules and guidelines that outline acceptable behaviour and the employer’s approach to monitoring and data protection. |
| Information Commissioner’s Office (ICO) | The UK’s independent regulatory body responsible for enforcing data protection laws and handling complaints. |
| Consent | A voluntary agreement from employees allowing their personal data to be monitored under specific conditions. |
| Covert Monitoring | Surveillance conducted without the employee’s knowledge, which is only permitted in exceptional and legally justified circumstances. |
| Data Retention | The period for which employers store employee data before securely deleting or anonymising it. |
| Subject Access Request (SAR) | A formal request by an employee to access the personal data an employer holds about them. |
Author
Founder and Managing Director Anne Morris is a fully qualified solicitor and trusted adviser to large corporates through to SMEs, providing strategic immigration and global mobility advice to support employers with UK operations to meet their workforce needs through corporate immigration.
She is a recognised by Legal 500 and Chambers as a legal expert and delivers Board-level advice on business migration and compliance risk management as well as overseeing the firm’s development of new client propositions and delivery of cost and time efficient processing of applications.
Anne is an active public speaker, immigration commentator, and immigration policy contributor and regularly hosts training sessions for employers and HR professionals
