Employers monitoring their staff should carefully consider guidance from the UK Information Commissioner's Office (ICO) to ensure they comply with data protection laws.
Key takeaways
- Research shows that 70% of the public would find it intrusive to be monitored by an employer, and 19% believe they have been.
- The ICO issued new guidance on employee monitoring in October 2023.
- Key principles for employee monitoring are transparency, lawful basis, proportionality, data minimisation and security.
- The ICO’s advice covers types of monitoring, including electronic communications, video, in-vehicle and information from third parties.
- Introducing employee monitoring involves several steps, from establishing clear guidelines to explaining how monitoring data will be used.
- Consequences of non-compliant staff monitoring include fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.
The ICO issued new guidance on employee monitoring in October 2023, outlining key principles employers must follow.
ICO findings
Research commissioned by the ICO revealed that 70% of the public would find it intrusive to be monitored by an employer, and almost one in five (19%) believe they have been.
Of those who believe they have been monitored, timekeeping and access were the most common practices at 40%, followed by emails, files, calls or messages at 25%.
The ICO recognises that employers have a legitimate interest in monitoring to protect their business and ensure employees are working productively. However, the public body also emphasised that people have a right to privacy and any monitoring must be justified and proportionate.
In 2023, Amazon France Logistique was fined a substantial €32 million (£27 million) by France's data watchdog, CNIL, for "excessive" surveillance on warehouse workers. The fine resulted from detailed tracking of employee activities through handheld scanners, including recording interruptions in their work, requiring workers to justify every break or pause.
A. Key principles for employee monitoring
- Transparency: Employees must be aware of the nature, extent and reasons for any monitoring.
- Lawful basis: There must be a lawful basis for processing employee data, such as consent, legitimate interest or legal obligation.
- Proportionality: Monitoring should be proportionate to the legitimate interest it seeks to protect.
- Data minimisation: Employers should only collect the data required for the monitoring purpose, and delete it when it is no longer needed.
- Security: Employers must take appropriate measures to protect the security of employee data.
B. Types of employee monitoring
The ICO's guidance also covers specific types of monitoring, such as:
- Covert (hidden): If employees are unaware they are being monitored, it is generally only justified in exceptional circumstances, such as where there is a risk of serious harm to the business or individuals.
- Electronic communications: For example, employee emails and internet use.
- Video and audio: For example, CCTV and other video and audio recording devices.
- In-vehicle: For example, company cars.
- Information from third parties: For instance, social media or credit reports.
C. How to introduce employee monitoring
The new guidance provides clear information on how monitoring can be conducted lawfully and fairly, and how it can foster trust and respect among employees.
Being transparent with your staff about monitoring is important for maintaining a positive work environment. By following the steps below and being open and honest about monitoring practices, you can cultivate trust and cooperation, where employees understand the need for monitoring and are comfortable with its implementation.
- Establish clear monitoring policies and guidelines: These should outline the reasons for monitoring, the types that will occur, and be easily accessible to all employees.
- Explain why monitoring is needed: Ensure staff understand that it's not about invading their privacy but about ensuring compliance, security, and productivity. Be honest about the risks your organisation faces.
- Involve staff in the monitoring process: Whenever possible, ask staff for their input and feedback. This can help create a sense of ownership and cooperation.
- Respect privacy and legal requirements: Ensure your monitoring activities comply with all applicable laws and regulations. Stay abreast of privacy laws like the General Data Protection Regulation (GDPR), and ensure your monitoring practices don't violate them.
- Explain how monitoring data will be used: Will it be used for performance evaluations, security purposes, or something else? This can alleviate concerns about misuse.
- Clearly outline the consequences of violations: Consistently enforce monitoring policies, and let staff know the potential outcomes of breaches.
- Respect employee rights: Remind staff that, as the 'data subject', they have the right to express concerns or request clarification about the monitoring process. Let them know who to contact (usually your data protection officer).
- Seek legal counsel: If you're unsure whether your monitoring practices are compliant, consult with legal experts. Seeking advice can help you navigate the complexities of data privacy and employment laws.
D. Consequences of non-compliant staff monitoring
The ICO can investigate complaints about employee monitoring and take enforcement action against employers found to be in breach of data protection laws. This can include fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.
Employee monitoring compliance: FAQs
What are the GDPR rules for employee monitoring?
It must be lawful, fair and transparent; data must only be used for stated reasons; data collection should be limited to what’s necessary; information must be protected using features like access controls; and it shouldn’t be stored for longer than required.
What rights do employees have regarding monitoring?
They have GDPR rights, including to be informed, of access, to rectification of inaccuracies, to erasure (where applicable) and to object if monitoring isn’t justified.
When could covert monitoring be allowed?
In cases like criminal investigations – in which case, it must meet strict legal requirements.
Written by: Emmeline de Chazal
Emmeline is an experienced digital editor and content marketing executive. She has a demonstrated history of working in both the education management and software industries. Emmeline has a degree in business science and her skillset includes Search Engine Optimisation (SEO) and digital marketing analytics. She is passionate about education and utilising her skills to encourage greater access to e-learning.
