Workplace surveillance: what you need to know

No one wants to feel that they are not trusted or that they are being watched. While the relationship between an employer and employee is intended to be one based upon mutual trust and confidence, the digitisation of the workplace has brought a whole host of new ways for employers to monitor their employees.

Why Monitor?

In many workplaces monitoring employees is standard practice. Reasons for monitoring can vary greatly.  There are situations where companies monitor their employees to protect them. For example, if work is being carried out in a dangerous environment it is vital to ensure that safe working practices are being followed. In some areas of work, employers may have a legal or regulatory need to carry out some monitoring.  In the majority of cases, employers simply want to ensure that their employees are getting on with the job they are paying them to do.

Types of monitoring

There are a number of ways that monitoring can take place in the workplace such as via recording on CCTV cameras, checking an employee’s emails, checking phone logs, recording phone calls or checking websites employees have visited.

The legal framework

There is no single data privacy law in the UK that specifically governs the monitoring of employees. There is no express permission given anywhere allowing monitoring, nor is there anything preventing it. As the various ways in which monitoring can take place have developed, the legal framework which governs its use has also had to develop.

  • Article 8 of the European Convention on Human Rights provides for the right to respect for family life.
  • Electronic forms of workplace surveillance that involve the processing of personal data are regulated by the General Data Protection Regulation (GDPR). This sets out the principles with which data controllers must comply when processing personal data and which are relevant to any monitoring undertaken by an employer.
  • The Investigatory Powers Act 2016 and Regulations 2018 govern the interception of electronic communication during transmission.
  • There is also the duty of trust and confidence that is implied into an employee’s contract. This is important because an employer’s monitoring may constitute a breach of this duty, depending on the circumstances.

Whatever your reasons for monitoring employees you must be clear that they are proportionate. Once you have taken the decision to monitor your employees then it is essential that you make them aware that this is taking place.

Policies and Procedures

Before embarking on any monitoring you must ensure that you have appropriate policies and procedures in place. This type of information is normally included in an email or electronic communications policy, either within an employee handbook or as part of the employee’s contract of employment. This policy should be given to employees at the start of their employment and employees should be asked to state that they have read the policy and accept its terms. Your policies and procedures need to be clear in telling employees if they are being monitored and what counts as a reasonable amount of personal email, telephone calls and time spent on the internet. If personal telephone calls or emails are not allowed then this should be made clear. If there are certain websites that are not allowed to be accessed, this should also be stated.

In addition, the GDPR requires employers to carry out an impact assessment in order to identify any negative effects the monitoring may have on employees. You should also consider whether there are any less invasive alternatives to monitoring and whether the monitoring is justified.

Employment Practices Code

Part 3 of the Information Commissioner’s Employment Practices Code contains guidance on monitoring at work. It makes clear that employees should be able to understand when they can be monitored on the basis of information given to them by the employer. Although failure to comply with the code’s recommendations is not unlawful, parts of the code can be taken into account in the event of enforcement action being considered. The principles of the Employment Practices Code are that employees should be made aware of the circumstances in which the monitoring may take place, the nature of the monitoring and how any information obtained through monitoring will be used. They should also be informed of what safeguards are in place; simply telling them verbally is unlikely to be sufficient. The code states that employees need to have a clear understanding of:

  • the information that is likely to be obtained
  • why it is being obtained
  • how it will be used
  • who, if anyone, the information will be disclosed to

Be clear

Even where you can justify monitoring employees’ activities, it is always advisable to try to strike a balance between a legitimate need to run your business and respect for your employees’ private information and activities. It is often the case that employers allow their employees some freedom to use the phone, internet and email for occasional personal use. If a halfway approach is taken to allowing access to the internet then the rules of this approach should be clearly set out in the company policy in order to avoid any problems.

In Scarlett and another v Gloucester City Council ET/1401395/12 two employees were dismissed for using the internet for personal reasons during work hours. The employment tribunal held the dismissal to be unfair on the basis that there was an informal custom that employees could make personal use of the internet outside of core hours. The employees had not tried to disguise their internet use from their managers and the firm’s ICT policy allowed personal use if employees adhered to other requirements of the policy relating to internet misuse.

CCTV Monitoring

If there is CCTV monitoring then you must be sure that the employees are aware of this and they are given the reasons for the monitoring. This can be done quite easily by displaying signs to say where the locations of the cameras are.  Any signs need to be clear, visible and readable and contain details of the person in charge of the surveillance and who to contact about the scheme including information such as their website address, telephone number or email address.  Where possible the CCTV monitoring should be targeted at the areas of particular risk and only in areas where expectations of privacy are low.  If covert monitoring is being considered then this should only be authorised in circumstances where there are grounds to suspect a criminal activity is taking place. It is only in rare circumstances that covert monitoring can be justified.

In City and County of Swansea v Gayle UKEAT/0501/12 covert surveillance was put in place to monitor an employee who regularly took time off during working hours to play squash. When this was confirmed, the employee was dismissed. During the unfair dismissal hearing, the tribunal found that the employer had breached Article 8 by putting the employee under covert surveillance. On appeal, the EAT found that the surveillance was proportionate on the basis that the employer was entitled to know where the employee was during paid hours and the employee should not expect such things to be private.


While you do have the right to monitor many activities at work, data protection law is clear about the rules and circumstances in which monitoring can be carried out. Be transparent with your employees about the reasons for monitoring and the benefits it can bring, while also identifying any negative effects the monitoring may have by carrying out an impact assessment. If employees are aware of the intention to monitor from the outset then this overcomes any expectations of privacy on their part. Be sensitive to the fact that employees may understandably feel concerned about monitoring, so try to strike a fair balance between an employee’s expectation of privacy and your own commercial interests.
