Keeping Employee Monitoring Compliant

Posted by Matt Green on 07 Nov 2023

Employers monitoring their staff should carefully consider the UK ICO's guidance to ensure they comply with data protection law.

The UK Information Commissioner's Office (ICO) issued new guidance on employee monitoring in October 2023, setting out a number of key principles that employers must follow.

Research commissioned by the ICO reveals that 70% of the public would find it intrusive to be monitored by an employer, and almost one in five (19%) believe an employer has monitored them.

Of those who believe they have been monitored, monitoring timekeeping and access was the most common practice at 40%, followed by monitoring emails, files, calls or messages at 25%.

  A. Key principles for employee monitoring
  B. Types of employee monitoring
  C. How to introduce employee monitoring
  D. Consequences of non-compliant staff monitoring

The ICO recognises that employers have a legitimate interest in monitoring their employees to protect their business and ensure that employees are working productively. However, the ICO also emphasised that employees have a right to privacy and that any monitoring must be justified and proportionate.

Recently, Amazon France Logistique was fined a substantial €32 million (£27 million) by France's data watchdog, CNIL, for what was deemed an "excessive" level of surveillance on warehouse workers. The fine resulted from detailed tracking of employee activities through handheld scanners, including recording interruptions in their work, requiring workers to justify every break or pause.

A. Key principles for employee monitoring

  1. Transparency: Employees must be aware of the nature, extent and reasons for any monitoring.
  2. Lawful basis: Employers must have a lawful basis for processing employee data, such as consent, legitimate interest or legal obligation.
  3. Proportionality: Monitoring should be proportionate to the legitimate interest it seeks to protect.
  4. Data minimisation: Employers should only collect the data they need for the purpose of monitoring and should delete it when it is no longer needed.
  5. Security: Employers must take appropriate measures to protect the security of employee data.

B. Types of employee monitoring

The ICO's guidance also covers specific types of monitoring, such as:

  • Covert monitoring: Monitoring where employees are unaware that they are being monitored is generally only justified in exceptional circumstances, such as where there is a risk of serious harm to the business or individuals.
  • Electronic communications monitoring: Employers can monitor employee emails and internet use, but they must have a clear and legitimate reason for doing so.
  • Video and audio monitoring: Employers can monitor employees using CCTV and other video and audio recording devices, but they must have a clear and legitimate reason for doing so, and they must inform employees of the monitoring.
  • In-vehicle monitoring: Employers can monitor employees who drive company vehicles, but they must have a clear and legitimate reason for doing so, and they must inform employees of the monitoring.
  • Monitoring through information from third parties: Employers can monitor employees using information from third parties, such as social media or credit reports, but they must have a clear and legitimate reason for doing so, and they must inform employees of the monitoring.

C. How to introduce employee monitoring

The new guidance provides clear information on how monitoring can be conducted lawfully and fairly, as well as on fostering trust and respect among employees.

Being transparent with your staff about monitoring is important for building trust and maintaining a positive work environment. By following these steps and being open and honest with your staff about monitoring practices, you can create an environment of trust and cooperation where employees understand the need for monitoring and are comfortable with its implementation.

  1. Establish clear monitoring policies & guidelines: Create a set of well-defined policies and guidelines that outline the reasons for monitoring and the types of monitoring that will occur. These policies should be easily accessible to all staff members.
  2. Explain why monitoring is needed: Ensure staff understand that it's not about invading their privacy but about ensuring compliance, security, and productivity. Be honest about the risks your organisation faces.
  3. Involve staff in the monitoring process: Whenever possible, ask staff for their input and feedback. This can help create a sense of ownership and cooperation.
  4. Respect privacy & legal requirements: Ensure that your monitoring activities are in compliance with all applicable laws and regulations. Be aware of privacy laws like GDPR, and ensure your monitoring practices don't violate these rules.
  5. Explain how monitoring data will be used: Will it be used for performance evaluations, security purposes, or something else? This can alleviate concerns about misuse.
  6. Clearly outline the consequences of policy violations: And consistently enforce them. Staff should know the potential outcomes if they breach the monitoring policies.
  7. Respect employee rights: Remind employees that they have the right to express concerns or request clarification about the monitoring process as the ‘data subject’. Let them know who to contact should they wish to access the data collected (this is usually your data protection officer).
  8. Seek legal counsel: If you're unsure whether your monitoring practices are compliant with all relevant laws and regulations, consult legal experts. Legal advice can help you navigate the complexities of data privacy and employment laws.

D. Consequences of non-compliant staff monitoring

The ICO can investigate complaints about employee monitoring and take enforcement action against employers who are found to be in breach of data protection law. This can include fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.
