Hunter Law


January 2026

GDPR rules for monitoring employees

Monitoring employees almost always involves collecting personal data – whether that’s CCTV footage, system access logs, browser history, location data or recorded calls – so it must comply with the UK GDPR and the Data Protection Act 2018, which set out strict rules on what data can be collected and how it must be processed.

Under the GDPR, employers must follow the seven core data protection principles, ensuring that personal data is:

  1. processed lawfully, fairly and transparently
  2. collected for a specific and legitimate purpose
  3. limited to what is necessary
  4. accurate and up to date
  5. only kept for as long as necessary
  6. stored securely
  7. capable of being evidenced through accountability measures.

What is purposeful and lawful monitoring?

Before any monitoring takes place, employers must identify a specific purpose and a lawful basis. Common bases include complying with a legal obligation, performing a contract, protecting vital interests, or pursuing a legitimate interest. Legitimate interest is the most flexible but still requires employers to demonstrate that the monitoring is necessary and does not impinge on employees’ rights.

While consent is possible, it’s rarely reliable in employment due to the power imbalance between employer and employee.

Special category data

Some monitoring – such as biometric systems, or browsing history revealing religious or political views – captures special category data, which is subject to even stricter rules. Employers must meet an additional condition, such as protecting health and safety or demonstrating substantial public interest.

Fairness and transparency

The monitoring must be something employees would reasonably expect. Covert monitoring is only justified in exceptional circumstances, such as serious crime, and even then, must be tightly limited.

Employers must also provide clear privacy information, explaining what data is collected, why, who can access it, and how long it will be kept. Early staff engagement helps build trust and reduces the risk of complaints later.

Data minimisation, accuracy and security

Employers should collect only what is necessary, guard against “function creep”, ensure systems are reliable, and keep data secure through restricted access, encryption and proper training.

Further reading

  • The UK GDPR and Data Protection Act 2018
  • Being monitored at work: workers’ rights: Overview – GOV.UK

