Lawful Monitoring In The Workplace

Ruby Ashby

The Information Commissioner’s Office (ICO) has recently commissioned some research into the public’s view on monitoring in the workplace.

The research revealed that 19% of people believe that they have been monitored at work by an employee. 70% of people said that they would find monitoring in the workplace intrusive and only 19% of people said that they would feel comfortable taking a new job if they knew that an employer was monitoring them.

What is classed as lawful monitoring in the workplace?

An employer may monitor its employees to check on the quality and quantity of their work, for health and safety reasons or to meet regulatory obligations. Monitoring could also be used as part of the organisation’s security measures.

An employer may monitor employees in a range of different ways, including (but not limited to):

  • Camera surveillance such as wearable cameras for the purpose of health and safety;
  • Body-worn devices to track the locations of workers;
  • Productivity tools which log how workers spend their time; and
  • Keystroke monitoring to track, capture, and log keyboard activity.

Monitoring and data protection

Data protection law does not completely stop an employer from monitoring its employees. An employer does however need to ensure that they are complying with the relevant data protection laws as well as Article 8 of the Human Rights Act 1998.

To assist employers across the public and private sectors, the ICO has published new guidance giving clear direction on how monitoring in the workplace can be conducted lawfully and fairly.

What should employers be doing?

Employers should always ensure that they have a lawful basis to collect and process the information from monitoring their workers. There are six lawful bases, employers need to ensure that they have identified at least one that is appropriate to the specific processing. A previous blog sets out the six lawful bases and when they would apply.

Employers also need to be careful about what kind of data they are collecting and processing when they are monitoring employees, as the data could be special category data. The UK GDPR defines special category data as personal data relating to:

  • Race or ethnic origin;
  • Political opinions;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Genetic data;
  • Biometric data;
  • Health;
  • Sex life; and
  • Sexual orientation.

If you are processing special category data, not only do you need to identify a lawful basis for the processing, but you also need to ensure that one of the specific conditions within Article 9 of the UK GDPR applies. Article 9 of the UK GDPR is dealt with extensively in a previous blog.

Within the guidance published by the ICO, they have also helpfully set out in real terms what other steps employers should be taking if they are monitoring their employees. These steps include:

  • Making workers aware of the nature, extent, and reasons for the monitoring – this in line with the lawfulness, fairness and transparency principle contained within Article 5(1)(a) of the UK GDPR;
  • Having a clearly defined purpose and using the least intrusive means to achieve it – this in line with the purpose principle contained within Article 5(1)(b) of the UK GDPR;
  • Telling workers about the monitoring in a way that is easy to understand – this is in line with the transparency element of the lawfulness, fairness, and transparency principle;
  • Only keeping the information that is relevant to its purpose – this is in line with the data minimisation principle contained within Article 5(1)(c) of the UK GDPR;
  • Carrying out a Data Protection Impact Assessment for any monitoring that is likely to result in a high risk to the rights of the workers; and
  • Making the personal information collected available to workers if they make a subject access request.

Deputy Commissioner, Emily Keaney, had the following to say about the research and the recently published guidance:

“Our research shows that today’s workforce is concerned about monitoring, particularly with the rise of flexible working – nobody wants to feel like their privacy is at risk, especially in their own home.

As the data protection regulator, we want to remind organisations that business interests must never be prioritised over the privacy of their workers. Transparency and fairness are key to building trust and it is crucial that organisations get this right from the start to create a positive environment where workers feel comfortable and respected.

We are urging all organisations to consider both their legal obligations and their workers’ rights before any monitoring is implemented. While data protection law does not prevent monitoring, our guidance is clear that it must be necessary, proportionate and respect the rights of workers. We will take action if we believe people’s privacy is being threatened.”

How can Nelsons help

Ruby Ashby is a Senior Associate in our expert Dispute Resolution team, specialising in data breach claims, inheritance and Trust disputes and defamation claims.

If you need any advice concerning the subject discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.

Contact us
This article is for information only and does not constitute legal/financial advice. Please contact us for advice tailored to your specific position. Some of the content presented on our website has been generated with the assistance of Artificial Intelligence (AI). We ensure that all AI-generated content meets our high standards for accuracy and relevance.
Contact us today

We're here to help.

Call us on 0800 024 1976

Main Contact Form

Used on contact page

  • Email us