The data protection laws in the UK are currently governed by the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR).

Since COVID-19 and the general evolution in working practices over the last few years, in particular the increase in home and hybrid working, employers may well be considering how they can ensure that employees remain efficient and are working appropriately and effectively while away from the office.

One of those methods involves employers considering to what extent they monitor their employees. In this article we explore what areas employers may consider monitoring, the legal position regarding monitoring and practically what steps employers should take to ensure they remain complaint.

Are employers entitled to monitor the activities of their employees?

The Data Protection laws do not give employers the express right to monitor the activities of their employees or workers, however, nor are they prohibited from doing so. Instead, as the various methods of monitoring have developed over recent years, so has the regulatory framework governing their use.

In addition, employers need to keep in mind that excessive monitoring may intrude in workers’ private lives and they must take into account that workers’ expectations of privacy are likely to be significantly higher at home than in the workplace.

What are the differing types of monitoring employees commonly considered by employers?

There are a number of methods by which employers might seek to monitor their employee’s use of electronic systems in the workplace, these can include:

• Email content and traffic. There are numerous computer programs that can search the content of emails sent by an employee, checking for key “danger” words or destination addresses. Even if deleted from a user’s terminal once sent, emails are retained on a computer’s hard disk long after an employee has left an employer and may also be retrievable using specialist software.
• Internet use. Programs are used to monitor and block employees’ use of different sites. It is possible for the employer to see which websites have been visited by employees.
• Telephone use. Some employers monitor employees’ usage of their telephone systems in terms of volume and cost. Employers regularly conducting client business over the telephone may also record samples of telephone conversations to:

• Assess employee performance.
• Ensure quality control.
• Ensure no unlawful acts are carried out where there are strict regulatory requirements in place (such as in the financial services sector).

• There are different levels of monitoring that can be carried out with regard to these, for example:
• Spot checks within the organisation without reference to particular individuals, monitoring which sites are visited and how often, the number of email messages sent or received, calls or length of calls received or made.
• Specific checks on individuals, monitoring all of the points above.
• Monitoring the content of calls or emails, whether on an individual or random basis.

In addition, employers may use CCTV and video surveillance in their workplaces and surrounding areas to monitor employees and their activities more generally, or pass swipes and biometric data to ensure, for example employees are complying with policies on hybrid working and attending the office on the number of days stipulated.

Is there any current guidance available for employers wanting to implement employee monitoring?

The UK GDPR does not set out rules explicitly for employers to comply with while monitoring employees. However, the ICO has provided guidelines for employers to follow based on the seven principles of the UK GDPR. This guidance covers:

1. Legitimate Purpose
An employer may monitor the employee only to the extent that is necessary to achieve the outcome intended by the employer, for example, to ensure employees are using company resources safely, wisely and efficiently for the productivity of the company.

2. Adequacy
Monitoring should not be intrusive and should be reasonable dependent on each situation.
Employers must intend to limit their exercise of monitoring employees to the extent of achieving the legitimate purposes.

3. Lawfulness & fairness
An employer should be able justify the reasons for monitoring their staff members.
The employees should also be informed in advance of the monitoring measures in place.

4. Up to date details
The employer must keep the monitoring activities documented in full in the company policies and ensure that they are regularly reviewed and up to date.

5. Safe storage & limitation
The ICO states that any information recorded should be done so safely and the employer should not store the information for longer than necessary and erased as soon as possible.

6. Integrity and confidentiality
Any information recorded should be available only to people who need to access it for the designated purpose. The employers should have systems and policies in place to protect information from damage, loss or theft.

7. Accountability
Finally, the employer would be responsible for ensuring that monitoring the activities of the employees and the recording of any information is appropriate for the business.

How do employers apply this current guidance in practice?

Applying the above principles to an employment relationship scenario, the employers should:

1. Be cautious not to monitor private messages belonging to employees, which would go beyond what is strictly necessary.
   2. Consider alternate measures, for example, training programs or a short-term monitoring activity instead of monitoring employees for a long-term if the intended outcome can be achieved through alternate systems.
   3. Use appropriate methods of monitoring for the required purpose. If installing CCTV cameras will achieve that purpose, then do not adopt additional methods of monitoring, as this is likely to fall outside the scope of the ‘Adequacy’ principle.
   4. Use automated software to check for specified words being entered by the employees on the systems (including emails or Google Search). This may help the employers limit the monitoring to be less intrusive.
   5. Carry out ‘impact assessment’ to assess if monitoring the employees and any adverse impact that they may face is proportionate to the benefits achieved by the business.

Future developments

On 12 October 2022, the ICO launched a consultation on Employment Practices: monitoring at work draft guidance. This guidance will replace the section of the Employment Practices Code that considers monitoring at work.

The guidance will cover both systematic monitoring, where an employer monitors all workers or groups of workers as a matter of course as well as occasional monitoring, where an employer introduces monitoring as a short-term response to a specific need.

The draft guidance makes the following general points:

• The UK GDPR and the DPA 2018 do not prevent monitoring. They set out a framework for the collection and use of personal data. Employers must balance the level of intrusion caused by monitoring against the needs of the employer, workers.

• Employers must make workers aware of the nature, extent and reasons for the monitoring unless exceptional circumstances mean that covert monitoring is necessary.

• Employers must be clear about their purpose for monitoring. They must not use the information collected for a new purpose unless it is compatible with the original purpose in most circumstances.

• Employers must carry out a data protection impact assessment (DPIA) for any monitoring that is likely to result in a high risk to the rights of workers and other people captured by the monitoring. Employers should keep this under review. Where a DPIA is not mandatory, employers should consider completing one anyway for good practice. The process will help them make risk-based decisions and to meet their data protection obligations.

The guidance considers how employers can lawfully monitor, automated tools in monitoring processes, different types of monitoring (telephone calls, emails and messages, video and audio, vehicles and dashcams) as well as the use of biometric data. The consultation on this draft guidance closes on 11 January 2023.

For further information on GDPR, please contact our Employment Group on 01276 854663 or employment@herrington-carmichael.com.