Employers are permitted at law to monitor employees or other workers, but should always ensure that they have a fair and lawful basis for processing workers’ personal data and that any monitoring does not compromise their compliance with relevant data protection laws. Failures to do so could result in potentially serious enforcement action or fines from the ICO, mounting claims from employees and reputational damage to the organisation.
The wider legal and regulatory framework for monitoring employees involves the right to privacy in the European Convention on Human Rights (as incorporated by the Human Rights Act 1998), the UK GDPR and the Data Protection Act 2018 (DPA 2018) for regulating the processing of personal data, and the Investigatory Powers Act 2016 and the Investigatory Powers (Interception by Business etc. for Monitoring and Record-keeping Purposes) Regulations 2018 for regulating interception of electronic communications. Overzealous or careless monitoring may give rise to claims for constructive dismissal, have implications in terms of unfair dismissal and fairness within the Employment Rights Act 1996, and lead to allegations of discriminatory practice.
What is meant by “monitoring”?
The ICO guidance defines “monitoring workers” to be any form of monitoring of people who carry out work on an organisation’s behalf.
This can include tracking calls and messages, visual (webcam) or audio footage, capturing screenshots, keystroke monitoring, and tracking timekeeping and location.
For the purposes of the guidance, monitoring is not limited to tracking workers on work premises, and can be both during or outside of normal working hours. It applies to monitoring on a systematic basis (e.g. regular tracking of workers’ productivity) and occasional monitoring for a short-term response to a specific need (e.g. installing a camera to detect incidents of suspected theft by employees in the workplace).
Justification for monitoring: reliance on a lawful basis
For monitoring to be legitimate, it should be underpinned by one of six lawful bases under the UK GDPR:
- Consent – the individual has given clear consent for you to process their personal data for a specific purpose
- Contract – the processing is necessary for your obligations as an employer under a contract with the worker
- Legal obligation – the processing is necessary for you to comply with the law (common law or statutory obligations, not contractual obligations)
- Vital interests – the processing is necessary to protect someone’s life
- Public task – the processing is necessary to perform a task in the public interest or for your official functions
- Legitimate interests – the processing is necessary for your legitimate interests or those of a third party and this has been balanced against the rights and legitimate interests of the workers whose personal data will be processed through the monitoring
Processing personal data is lawful where the data subject has given consent to the processing of their personal data for one or more specific purposes. However, consent must be freely given to be valid and must be as easy to withdraw as it is to give. This limits the usefulness of consent as a lawful basis upon which employers can rely, in particular for employee monitoring activities. The ICO has long held the view that the imbalance of power in the employer/employee relationship means consent is not freely given. In practical terms, the requirement that consent can be withdrawn at any time presents a further major issue. On withdrawal of consent by any employee subject to the monitoring, an employer relying upon consent as the lawful basis for the processing would be required to stop that processing activity and purge relevant data with respect to that employee. This makes consent both of questionable legitimacy and impractical for an employer to rely upon as a lawful basis for monitoring employees.
With respect to legitimate interests, employers can, for example, monitor samples of business calls if they can justify that it is necessary to provide evidence of business transactions, or for training or quality control. Employers may be able to legitimately monitor emails and messages (to include instant messages on platforms and in chat functions) sent to and from work accounts if this is done as a means to protect corporate information, identify suspicious activity, or enforce policies on acceptable use. CCTV surveillance might also be used if there is a lawful basis to do so, though it carries risks of inadvertently capturing special category data. A legitimate interest assessment (LIA) must be carried out and documented whenever a data controller wishes to rely upon legitimate interests as the lawful basis justifying the processing of personal data. This is in order to balance the legitimate interest they have identified against the rights and legitimate interests of the data subjects whose personal data will be processed.
Data Protection Impact Assessments (DPIAs)
There is no one-size-fits-all approach, and if employers are uncertain as to the best lawful basis to pursue, they may wish to conduct a Data Protection Impact Assessment (DPIA) to establish the correct lawful basis.
DPIAs should be applied to any new potentially high risk data processing activity a business is considering. Article 35 UK GDPR requires employers to undertake DPIAs to assess the necessity and proportionality of planned data processing where they implement new programs, systems or processes, or make changes to existing ones, and the processing is likely to result in a “high risk” to individuals’ “rights and freedoms”. DPIAs should therefore be undertaken in advance of any new employee monitoring since this is likely to amount to “high risk” processing with respect to the rights and interests of the employees being monitored. DPIAs are mandatory in certain situations such as anticipated use of automated processing, which may be relevant to some forms of monitoring activities. DPIAs allow the employer to document the specific need for monitoring and why the form of monitoring proposed is proportionate to meeting this need.
The ICO guidance distinguishes between monitoring and “excessive monitoring”, which can have an adverse impact on workers’ freedoms and data protection rights, being action which is likely to pry into their private lives and infringe their privacy and wellbeing. The guidance sets out “higher risk” types of monitoring such as keystroke monitoring, in respect of which a DPIA should be carried out.
Special Category Data and Criminal Conviction Data
Any monitoring that will capture “special category data” under the UK GDPR (i.e. personal information revealing or concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life and sexual orientation) demands extra attention, and employers must identify a special category processing condition under Article 9 of the UK GDPR on top of the lawful basis. There are 10 conditions for processing special category data, five of which require an employer to meet additional conditions and safeguards set out in Schedule 1 of the DPA 2018.
Similarly, Article 10 of UK GDPR restricts the processing of criminal offence data by employers unless authorised by domestic law. Employers must therefore identify a specific condition under Schedule 1 of DPA 2018 for processing criminal convictions data. Again, specific safeguards must be in place for an employer to rely on these conditions.
Under the DPA 2018, there are specific conditions which permit employers to process special category or criminal convictions data where the processing is necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment, or where there is a reason of substantial public interest for doing so, such as preventing or detecting unlawful acts.
Covert monitoring
The ICO guidance sets out that it will be difficult to justify covert monitoring in most circumstances. Where it is contemplated, it should be subject to a DPIA and authorised by senior management. The employer should be satisfied that there are grounds for suspecting criminal activity (or an equivalent, such as gross misconduct) and that informing workers about the monitoring would prejudice its prevention or detection.
Covert monitoring should be targeted to obtain evidence for a specific purpose within a set timeframe, limited to the shortest time possible. It should not be continued once an investigation is complete. An employer should not use covert audio or video monitoring in areas where workers would reasonably expect to be private, such as toilets or changing rooms, nor should it use covert monitoring to capture communications that workers would reasonably expect to be private, such as personal emails. Any use of covert monitoring must balance the employer’s interests against those of the workers affected by it. It must be justified and proportionate.
Right to privacy at work
Article 8(1) of the ECHR enshrines a right to respect for one’s “private and family life, his home and his correspondence”, caveated by the fact that any infringement on the right must go no further than necessary and be sufficiently important to obtain a legitimate aim. Whilst this compels employers to provide workers with a degree of privacy at work, for Article 8 to be engaged, an employee needs to have a reasonable expectation of privacy with regard to their communications. If the employee can demonstrate this, the Court examines whether the employer’s interference is both legally justified and proportionate:
- In Halford v United Kingdom [1997] 24 ECHR 32, the ECtHR found that tapping a police inspector’s office telephone calls violated her right to privacy under Article 8. The Court considered that the absence of any warning that the employee’s calls might be monitored, coupled with the fact that one of the office telephones had been marked for private use, created a reasonable expectation of privacy, and that public authorities must guarantee workers some degree of privacy in the workplace.
- In Bărbulescu v Romania (Application no. 61496/08) [2017] ECHR 742, despite an employer’s very strict policies against personal internet usage, Mr Bărbulescu’s dismissal for personal use of the internet at work (on Yahoo Messenger) was not upheld by the Grand Chamber of the ECtHR because, in part, “an employer’s instructions cannot reduce private social life in the workplace to zero” by implementing an overly-restrictive policy. It was also noted that Mr Bărbulescu had not been notified sufficiently in advance about communications being monitored; the extent of monitoring; and the prospect that his employer could access the content of communications.
- Garamukanwa v United Kingdom (70573/17) [2019] 6 WLUK 109 was distinguished from Bărbulescu because, in this case, the employee had been put on notice for a year due to allegations of harassment, with subsequent communications being passed from police to his employer. The Court found that the employee could not have reasonably expected his communications, after being put on notice, to remain private.
Employers should take into account the considerations set out by the ECtHR in Bărbulescu when assessing whether monitoring employees’ communications is proportionate under Article 8, summarised as:
- Has the employee been clearly informed in advance that monitoring may occur, as well as the extent and nature of such monitoring?
- What extent of monitoring is being undertaken, and what is the degree of intrusion into the employee’s privacy? For example, is the monitoring limited in time; is the employer tracking only the flow of communications or also their content? Are all or just some communications monitored, and is the monitoring restricted in terms of duration and those with access?
- Does the employer have valid reasons to justify the extent and nature of monitoring?
- Could the employer’s objectives be achieved through less invasive methods that do not require unrestricted access to the content?
- What are the consequences for the employee being monitored?
- Does the employee have adequate measures in place to prevent communications being accessed?
Data Protection Principles
Any monitoring of employees must comply with the data protection principles set out in Article 5 of the UK GDPR. In particular:
- Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation. Personal data must be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy. Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
- Storage limitation. Personal data which is kept in a form which permits identification of data subjects must be kept for no longer than is necessary for the purposes for which the data is processed.
- Integrity and confidentiality. Personal data must be processed in a manner that, through use of technical or organisational measures, ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Accountability. The controller is responsible for, and must be able to demonstrate, compliance with the other data protection principles set out above.
Fairness—a core principle of data protection
Employers should only monitor workers in ways they would reasonably expect and not using methods that give rise to unjustified adverse effects on them. Being transparent with your workers about how and why you process their information is intrinsically linked to fairness and not doing so risks undermining the implied term of trust and confidence in the employment contract.
For example, be clear about monitoring device activity (web browsing and application use). Are workers allowed to use work devices for any personal use (and on what terms), or is there an expectation they use personal devices for work? Following the ICO guidance, if there is an expectation for the latter, employers should ensure they do not capture workers’ private use of their device.
Workers have a right to be informed about the way their data is collected, stored and used, so employers should communicate how their data is processed in an accessible way. The employee privacy notice is the primary means by which an employer communicates this information to employees. The employee privacy notice is therefore key in communicating and providing transparency to employees as to any monitoring an employer intends to carry out. If you plan to introduce any new monitoring, involving workers in this process will help to cultivate trust.
If you use AI tools for monitoring, remember that these tools may exhibit bias if they are trained on biased data. See our article this month addressing key considerations for AI in the workplace.
Complications of Hybrid Working
Given the prevalence of remote working and workers’ greater expectations for privacy in the home than in the workplace, it is increasingly important for employers to appreciate and navigate the challenges inherent in distinguishing between personal and work information.
This is especially the case where workers use personal devices for work purposes, as employers run the risk of inadvertently capturing personal communications, or those between an employee and a union representative—overstepping the bounds of appropriate data processing.
The risks of getting it wrong, and practical steps to take
Sanctions for inappropriate monitoring and for the infringement of data subject rights include regulatory fines (up to £17.5m or 4% of worldwide turnover of the preceding year, whichever is the greater), the costs associated with regulatory investigations, court proceedings, internal management time and spend, and reputational damage.
Employers can mitigate these risks with these practical points:
- Always monitor with a clear purpose, and select the least intrusive means to achieve it (e.g. network-level data monitoring rather than accessing the content of messages)
- Consider whether there is a legal ground for processing the data, which goes beyond “consent”. Is a DPIA required, and if so, what would the outcome be?
- Ensure your technology policy informs employees about monitoring and its purpose, and if CCTV is used as part of employee monitoring, have a CCTV-specific policy.
- Update your employee privacy notice to provide information about monitoring to employees.
- Consider how you can promote transparency as regards monitoring (e.g. can employees mark emails as personal or private on the system? Are employees supplied with sufficient notice that monitoring may be taking place?)
- Ensure clear records of processes followed and the purpose/desired outcomes of actions are kept.
As a rule of thumb, do not monitor “just in case” or store collected data for longer than is absolutely necessary based on the business need, and carry out a DPIA where you have concerns over monitoring or are implementing any new form of monitoring activity.
Communicate clearly to employees how and why you are monitoring, and always select the least intrusive method to achieve your purpose from the tools available to your business.
As ever, speak with us if you have any concerns or questions over any of the issues discussed in this article.