Search

How can we help?

Icon

Can an employer monitor employees at work?

Can an employer lawfully monitor their employee, without their knowledge, if they suspect wrongdoing?

Can employers monitor employees?

It’s worth mentioning at the outset that data protection law does not prevent employers from monitoring workers provided this is done in a way that is compliant with data protection laws and principles. However, there is an emphasis on being open and transparent and, as such, covert monitoring is unlikely to be justified.

Can employers covertly monitor employees?

The ICO have stated that covert monitoring of employees will only be justified in ‘exceptional’ circumstances where it is necessary to prevent or detect suspected criminal activity or, similar wrongdoing, like gross misconduct. In all cases employers will have to justify their decisions and, if there’s a less intrusive way of achieving the ultimate goal then the monitoring will not be lawful.

The ICO provide an example of an employer who discovers that a small number of remote workers started later than their timesheets suggested and, as a result, allows senior management to access automatic webcam images to check if workers are at work. This would likely be unlawful as it is disproportionate.  The employer could have checked the times workers logged onto the computer system instead and given employees the opportunity to explain any discrepancies.

Covert monitoring must be targeted to obtain evidence within a set timeframe, limited to the shortest time possible and should not be continued once an investigation is complete.

ICO guidance

The ICO has issued guidance on covert monitoring. It says that employers should have a policy which sets out when covert monitoring may be used.  Monitoring should be authorised by senior management and a data protection impact assessment should be carried out. The employer must be satisfied that there are reasonable grounds for suspecting the criminal activity or gross misconduct and that informing employees about the monitoring would prejudice its prevention or detection.

Covert monitoring must be targeted to obtain evidence within a set timeframe, limited to the shortest time possible and should not be continued once an investigation is complete.

An employer should not use covert monitoring in areas or situations that employees would reasonably consider private, for example CCTV in toilets or monitoring personal emails. This is a more topical point of late with the rise of homeworking where employees have an expectation of privacy in their own homes.

Information obtained through the covert monitoring should only be used for the intended purpose and should be disregarded and destroyed when it is no longer needed unless it reveals something that no employer could reasonably ignore (and which could not be revealed by other means).

The people who are involved in the investigation should be kept limited, with clear rules to limit disclosure of, and access to, information.

Monitoring employees is certainly not popular amongst employees with a report commissioned by the ICO finding that 70% of the public would find it intrusive to be monitored by an employer. Employers should keep in mind that as well as potentially being unlawful, covertly recording employees can have other negative consequences, such as damaging the trust the employee has in the employer and affecting mental wellbeing.

If you any advice in relation to monitoring employees, please do not hesitate to contact our data privacy lawyers.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

art
  • 27 May 2025
  • Privacy and Data Protection

Extension of UK adequacy: The European Data Protection Board adopts the European Commission’s decision

Earlier this year, the European Commission adopted an extension of the two 2021 adequacy decisions with the UK for a period of six months, until 27 December 2025.

art
  • 21 May 2025
  • Privacy and Data Protection

ICO investigating online platforms and the importance of having a good privacy notice

The ICO has recently reported that it is investigating how social media and video sharing platforms use UK children’s personal information.

art
  • 15 May 2025
  • Privacy and Data Protection

Ashley v HMRC – The High Court clarifies the scope of Data Subject Access Requests

DSARs are very rarely the subject of litigation, and they are even rarer in the High Court, so the case of Ashley v HMRC is a valuable decision for both data subjects and data controllers.

art
  • 29 April 2025
  • Privacy and Data Protection

Use of Personal Devices at Work: Why a Bring Your Own Device Policy is Essential

If you have employees who bring their own devices into the workplace and use said devices to deal with company data, you may want to consider a Bring Your Own Device (“BYOD”) policy.

art
  • 29 April 2025
  • Privacy and Data Protection

Update on the Data (Use and Access) Bill

We will highlight in this article what changes have been made to the DUAB since the early stages of the Bill.

art
  • 06 March 2025
  • Privacy and Data Protection

Recent data breaches and their impact on organisations

Organisations of all sizes are susceptible to data breaches and the damage caused by these breaches, both reputationally and financially, can be very significant.