Ensuring staff are conformant to company policy and compliant with the law is of paramount importance to all organisations. And, with an increasingly mobile workforce, hybrid and home working becoming the norm and a blinding array of new technology available, many organisations are considering how they can ‘keep an eye’ on their employees. But, at the same time, organisations need to be vigilant about failing to adhere to data protection regulations and guidelines.
What is the background?
The ICO issued guidance on employee monitoring in October 2023 at a time when an increasing number of people work from home, at least for part of their working week, and the increasing gig economy means that many employees work irregular hours, which needs to be monitored. The Office of National Statistics (ONS) reported that over the period September 2022 to January 2023, 44% of workers declared hybrid or home working. A Forbes survey in 2024 suggested that 63% of workers worked from home at least some of the time. A larger number of staff are also using mobile devices, some as part of ‘bring your own device’ (BYOD) policies. In some cases, employee monitoring is mandatory, such as in financial trading organisations.
Workers expect some level of monitoring as part of employment. They understand that their employer wants to be sure they are at work, being productive, working their contracted hours, not abusing their employer’s assets and not committing theft or fraud. However, as the potential for monitoring becomes ever more sophisticated, concerns have been raised. The BBC has reported that increased employee monitoring is fuelling employee distrust. Parliament has reported on the impact of home and hybrid working, including impacts on workers. And the Trade Union Congress (TUC) has issued guidance for monitoring and offers help for workers who feel unfairly monitored.
What exactly is workplace monitoring?
The ICO defines ‘monitoring employees’ as any form of monitoring of people who carry out work on an organisation’s behalf. This not only includes direct employees but also any person who performs work for an organisation, regardless of the nature of their contract.
Over recent years, advances in technology have resulted in more sophisticated ways by which employers can see what their employees are doing – or not doing. Monitoring can include scrutiny of telephone calls, emails and messages, video and audio surveillance, recording device activity and the tracking of vehicles and dashcam footage. But this can go further. Mobile phone apps can be used for workers to clock on and off when on site, but they can only do so if the GPS on their phone confirms they are where they claim to be. Some services include psychosocial risk detection and management, whereby various psychological and physiological reactions of the monitored employee are measured which are said to be indicative of changes in their perceptions. This, it is claimed, can help reduce fraud, data loss and bribery, and can alert an employer to employees who are struggling with wellbeing or mental health.
How do we establish whether monitoring is lawful?
The United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA2018) set out the requirements for processing personal data. The first data protection principle of the UK GDPR requires that processing must be fair and lawful. The first step for persons processing personal data is to determine the lawful basis for their processing under Article 6 of UK GDPR. It is important to get the lawful basis right first time, as there may be difficulties in changing it later. Often the only potential basis would be ‘legitimate interests’, and in that case an employer should carry out a legitimate interest assessment (LIA) to balance their interests with their employees’ interests, rights and freedoms. To learn more about LIAs and how to conduct them, read our blog on How to Conduct a Legitimate Interest Assessment (LIA).
If an employer decides to use consent as its lawful basis, this brings in the administration of obtaining and recording consent, and the reaction if an employee decides not to give consent. The employer / employee relationship is an imbalanced one, and employees shouldn’t be put in a situation where they have no real option but to consent. A word which crops up frequently in the Article 6 lawful bases is ‘necessary’, so you need to ensure that the data you collect and process is necessary for the purpose you have identified. If it isn’t, processing it is unlikely to be lawful.
Monitoring workers often includes processing special category data, and in that case an employer would need to identify an additional lawful basis under Article 9. All biometrics – such as fingerprints, iris scanning, facial recognition and voice recognition - are special category data if used for the purpose of identifying a particular individual and, therefore, require enhanced levels of justification and protection.
An employer should also ensure that monitoring is lawful in a general, not just data protection sense, making sure that it complies with all other relevant legislation – e.g., the Human Rights Act 2000 and the Regulation of Investigatory Powers Acts 2000 and 2016.
How do we establish whether monitoring is fair?
The guidelines to establish fairness are: whether the employees would reasonably expect the monitoring to take place, and that it is not being conducted in ways that cause unjustified adverse effects on them. It must be proportionate. This can be context-specific, because some workplaces, industries and professions have different expectations than others.
In some circumstances, you must perform a data protection impact assessment (DPIA) before carrying out monitoring. Even if a DPIA is not mandatory, it is highly recommended that one is undertaken anyway. A DPIA will help you consider whether the planned use of monitoring is fair and lawful and provides a methodical approach to assessing risks. It will also record your thought processes and decisions about whether the monitoring you propose is necessary and proportionate, and measures to mitigate the privacy risks involved, to help demonstrate compliance.
A key question to ask is whether there is a less intrusive means of achieving the purpose and if there are any lines of communication that should be exempt from monitoring, such as communications to trade union representatives or calls to workplace health and wellbeing services.
It is always useful to engage with your workforce to gauge their views before proceeding.
How can we be transparent about what we are doing?
Transparency is about being clear with people about how and why you process their information, and it is fundamentally linked to fairness. Fairness and trust start with transparency, and performing monitoring covertly (more of which later) or without prior notification is almost always unfair and could negatively impact trust. Workers have the right to be informed about the collection and use of their information, and the information must be provided in a way that is readily available, accessible and easy to understand.
It is important to remember that you will need to identify the purpose for monitoring and comply with the purpose limitation principle of the UK GDPR. If, for example, an employer has given workers an access card to enter their premises for the purposes of security and crime prevention and has included that purpose in the information provided to them, that would be fair. However, the purpose limitation principle prevents you from then using that information for another purpose, such as determining if somebody was late for work. To also use the information for monitoring timekeeping, you must say so up front.
Can workers object to monitoring?
In short, yes. Employees can object to you collecting and processing their personal information from monitoring in certain circumstances. Specifically, a worker can object where the lawful basis is public task (for the performance of a task carried out in the public interest or for the exercise of official authority vested in the employer) or legitimate interests. The objection must identify specific reasons why they are objecting to monitoring, and these reasons should be based on the employee’s particular situation. However, the right to object isn’t an absolute right, and the objection can be refused if it can be demonstrated that compelling legitimate interests for the processing overrides the interests, rights and freedoms of the worker.
Other employee rights would include the right to make a data subject access request (DSAR), where the employer must provide the personal information they hold about them, including any monitoring, unless an exemption applies. It may be challenging to respond to a DSAR if the monitoring system collects large amounts of information or it is mixed with the personal information of third parties. This is especially the case if the systems used do not store information in a way that makes personal information readily retrievable.
What if monitoring involves automated decision making?
Tools for monitoring workers have become increasingly sophisticated, with automated processes (sometimes known as people analytics) used for security purposes, managing performance, and monitoring sickness and attendance. Such systems are used to improve organisational efficiency and policy conformance. These tools can process large amounts of data in real time, which they use to make predictions, inferences and decisions about employees on both an individual and a collective level. The UK GDPR has provisions on solely automated decision-making with legal or similarly significant effects, including profiling.
The legislation defines solely automated decision-making as a decision made by automated means without any meaningful human involvement. It can also involve profiling, where employers use information from a number of sources to make inferences about future behaviour or make personal evaluations of employees.
UK GDPR Article 22 restricts employers from carrying out solely automated decision-making that has legal or ‘similarly significant effects’ on employees, such as something that affects legal rights (e.g., a right to work). Similarly significant effects are more difficult to define, but are likely to include decisions that significantly affect someone’s financial circumstances (e.g., changes to a worker’s pay) or affect a worker’s employment (e.g., dismissal). It is also unfair to disadvantage workers who ask for human intervention in decision-making.
And, of course, employers must be transparent about automated decision-making and include it in their information to employees up front.
Can we carry out covert monitoring?
Covert monitoring means carrying out monitoring in a way that is designed to ensure workers are unaware of it taking place, and it is unlikely that covert monitoring can be justified in most circumstances. But there may be exceptional circumstances, such as preventing or detecting suspected criminal activity or gross misconduct.
For transparency, employers should outline in their policies the types of behaviours that are not acceptable and the circumstances in which covert monitoring might occur. Covert monitoring should only be authorised by senior management, and it is essential to carry out a DPIA first. There needs to be sufficient grounds for suspecting criminal activity or gross misconduct and that informing workers about the monitoring would prejudice its prevention or detection.
Covert monitoring should be targeted to obtain specific evidence within a set timeframe, limited to the shortest time possible. Covert audio or video monitoring should not be carried out in areas where workers would reasonably expect privacy, such as toilets or changing rooms, or to capture communications that workers would reasonably expect to be private, such as personal emails or phone calls.
Getting the balance right
If an employer is considering the implementation of workplace monitoring, it is essential to obtain specialist advice to help with data protection compliance, including conducting a DPIA, because it may involve areas of compliance and technologies with which they are not familiar.
As with all personal data processing, monitoring employees must be both necessary and proportionate. However, there is more than data protection compliance at stake. Monitoring employees can jeopardise the delicate balance of trust between employer and employee. There are some types of routine monitoring with which employees are perfectly happy, because workers understand their purpose and do not feel that they are intrusive. But when monitoring is not transparent or when complex and opaque new technology is implemented, the risk is always there that precious trust will be eroded.
There is a view among some data protection commentators that if it is lawful, then it is ethical. However, perhaps a more prudent approach with employee monitoring should be that just because we can do something, it doesn’t mean we should…
Handy guide to different types of monitoring
How URM can Help
Performing workplace monitoring that balances the needs of your organisation, the maintenance of trust with its employees, and GDPR compliance can be difficult to navigate without assistance and, in many cases, will be almost impossible to achieve without support. Drawing upon nearly 2 decades of experience helping organisations to comply with DP legislation, URM can offer you a range of GDPR consultancy services to help ensure any workplace monitoring you perform, and your processing practices in general, are fully adherent to the regulatory requirements. For example, our large team of GDPR consultants can conduct a gap analysis of your existing processing against the requirements of the Regulation, and help you establish and implement a prioritised remediation plan. For ongoing GDPR consultancy support, our fully flexible virtual data protection officer (DPO) service will enable you to access an entire team of data protection practitioners, each with their own specialist area of expertise.
URM can also support you in completion of more specific compliance activities, such as helping you to produce a record of processing activities (ROPA), and perform data transfer impact assessments (DTIAs) and DPIAs. Meanwhile, if your organisation receives data subject access requests (DSARs), we can help you compliantly respond by providing our GDPR DSAR redaction service.
To enhance your own understanding of the GDPR and UK data protection regime in general, URM regularly delivers a range of data protection-related training courses, all of which are led by an experienced data protection practitioner. Our courses on conducting DTIAs, DPIAs, and on responding to DSAR requests, will teach you how to perform these key compliance activities, thereby expanding your professional skillset and enabling you to significantly contribute to your organisation’s maintenance of data protection compliance. To gain an industry-recognised DP qualification, we also regularly deliver a BCS Foundation Certificate in Data Protection (CDP) course, which will fully prepare you to take the BCS invigilated exam.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, privacy notices, data retention schedules and training programmes etc.
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
URM’s blog explores the first formal European response to the DPDI Bill, and how the Bill may jeopardise the UK’s adequacy status when it reforms the UK GDPR.
This blog considers at high-level various possible legal ramifications of using Chatbots, especially ChatGPT, concerned with data protection risks.
URM discusses an interview with the Information Commissioner, John Edwards, and the background of the penalty fine imposed on the Ministry of Defence (MOD).