Monitoring employees using technology is on the rise as technology continues to become more accessible, not only in terms of availability, but also due to cost. Workplace monitoring often involves the processing of personal data, which is not always obvious to employers and can lead to systems being introduced without considering the implications from either an employment or a data protection perspective.
With many employees working remotely from home or in a hybrid office/home location, organisations are increasingly monitoring the activities of their employees, with the intention of assessing productivity/performance and compliance with their employment terms, or to protect against legal, reputational or technology system risks.
In addition to telephone, email, and internet use, monitoring may extend to social media activity, attendance at online meetings, physical location, and use of vehicles. Methods of monitoring employees will vary according to the organisation and the extent of its technological capabilities and could include: spot checks within the organisation without reference to particular individuals; specific checks on individuals; monitoring the content of all calls or emails; monitoring internet or device use through keystrokes or mouse clicks; webcam recording; screenshots of employees’ screens; the use of dashcams in vehicles; monitoring timekeeping through access control; using biometric data (such as fingerprints or facial recognition) or swipe cards for time and attendance control; and CCTV and video surveillance to monitor employees’ activities generally.
Which laws govern employees’ rights?
There is no one specific law which permits or prohibits the monitoring of employees; rather, various laws and rights have come into place to govern its use. These include:
- The General Data Protection Regulation (UK GDPR). Under the UK GDPR, the data protection principles provide that personal data must be: processed lawfully, fairly and in a transparent manner; collected and processed only for specified, explicit and legitimate purposes; adequate, relevant and limited to what is necessary; accurate and kept up to date; kept for no longer than is necessary where there may be identification of data subjects; and processed in a way that ensures appropriate security and protection.
  Further, individuals have the right to be informed that they are being monitored, the right of access to information obtained on them as a result of monitoring, and the right to object to being monitored. There are also specific rules that apply where automated decisions are being made.
- The Data Protection Act 2018 (DPA 2018). This expands upon the rights and protections given by UK GDPR.
- The European Convention on Human Rights (ECHR). Under Article 8, an individual has a right to respect for private and family life and correspondence. This is incorporated into UK law by the Human Rights Act 1998.
- The Employment Rights Act 1996 and the case law relating to unfair dismissal.
- The duty of trust and confidence implied into an employee’s contract of employment.
- The Equality Act 2010, which protects employees from discrimination.
What are the risks if employers get it wrong?
Infringement of data subject rights can be extremely costly for organisations. The Information Commissioner’s Office (ICO) has authority to impose fines of up to £17.5m or 4% of worldwide turnover, whichever is greater, and there are also the costs of any regulatory investigations and/or court proceedings. Enforcement action by the ICO is likely to generate public interest and may result in an organisation suffering reputational damage, losing existing customers and/or future business, and seeing its share value fall.
Infringement of data subject rights may also lead to claims by employees for unfair dismissal and/or discrimination.
What should organisations do?
Policies and processes: Organisations should ensure that they have the necessary policies and processes in place to manage the risks relating to employee monitoring. Such policies will include data protection policies, , and policies relating to the use of technology, CCTV, and social media.
Communication with employees: Covert monitoring in the workplace will only be justifiable in exceptional circumstances. Employers should ensure that employees are told about the monitoring the organisation intends to carry out and how data collected may be used (see below). The relevant staff should receive training in order to know, understand and be able to implement the organisation’s employee monitoring programme in a compliant way.
Consider the data protection implications: Relevant questions will be: What is the lawful basis for processing? Is a Data Protection Impact Assessment needed? What do the employees need to be told, and when and how? What are the considerations for security and access to data? How intrusive is the monitoring method? Is any special category data being used (including biometric data)? What is the impact of monitoring on employees? Is the monitoring justified?
Be familiar with and comply with the ICO’s 2023 guidance on monitoring employees: This guidance was produced to assist employers with complying with their obligations under the UK GDPR and DPA 2018 when they monitor employee activity and, should there be an issue, being able to demonstrate compliance with this guidance is likely to be useful.
How can a specialist lawyer help?
Whilst monitoring employees can have advantages, its introduction needs to be planned and considered from both an employment and data protection perspective. The law is complex, and consideration of the impact on employees and communication with them will be key. A specialist lawyer will be able to advise on the organisation’s risk profile and how best to minimise risks.
If you have questions or concerns about the monitoring of employees or data protection impact assessments, please contact Emma Loveday-Hill.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please note that the law may have changed since the date of this article.