Search

How can we help?

Icon

Can an employer monitor employees at work?

It’s recently hit the news that an employer in Jersey breached data protection requirements when it covertly monitored an employee’s car during working hours after having concerns that the employee was not carrying out their duties.

This brings up the question of whether an employer can lawfully monitor their employee, without their knowledge, if they suspect wrongdoing?

Can employers monitor employees?

It’s worth mentioning at the outset that data protection law does not prevent employers from monitoring workers provided this is done in a way that is compliant with data protection laws and principles. However, there is an emphasis on being open and transparent and, as such, covert monitoring is unlikely to be justified.

Can employers covertly monitor employees?

The ICO have stated that covert monitoring of employees will only be justified in ‘exceptional’ circumstances where it is necessary to prevent or detect suspected criminal activity or, similar wrongdoing, like gross misconduct. In all cases employers will have to justify their decisions and, if there’s a less intrusive way of achieving the ultimate goal then the monitoring will not be lawful.

The ICO provide an example of an employer who discovers that a small number of remote workers started later than their timesheets suggested and, as a result, allows senior management to access automatic webcam images to check if workers are at work. This would likely be unlawful as it is disproportionate.  The employer could have checked the times workers logged onto the computer system instead and given employees the opportunity to explain any discrepancies.

Covert monitoring must be targeted to obtain evidence within a set timeframe, limited to the shortest time possible and should not be continued once an investigation is complete.

ICO guidance

The ICO has issued guidance on covert monitoring. It says that employers should have a policy which sets out when covert monitoring may be used.  Monitoring should be authorised by senior management and a data protection impact assessment should be carried out. The employer must be satisfied that there are reasonable grounds for suspecting the criminal activity or gross misconduct and that informing employees about the monitoring would prejudice its prevention or detection.

Covert monitoring must be targeted to obtain evidence within a set timeframe, limited to the shortest time possible and should not be continued once an investigation is complete.

An employer should not use covert monitoring in areas or situations that employees would reasonably consider private, for example CCTV in toilets or monitoring personal emails. This is a more topical point of late with the rise of homeworking where employees have an expectation of privacy in their own homes.

Information obtained through the covert monitoring should only be used for the intended purpose and should be disregarded and destroyed when it is no longer needed unless it reveals something that no employer could reasonably ignore (and which could not be revealed by other means).

The people who are involved in the investigation should be kept limited, with clear rules to limit disclosure of, and access to, information.

Monitoring employees is certainly not popular amongst employees with a recent report commissioned by the ICO finding that 70% of the public would find it intrusive to be monitored by an employer. However, cases like the one in Jersey show that there will be situations where an employer feels, rightly or in many cases wrongly, that covert recording is necessary. Employers should keep in mind that as well as potentially being unlawful, covertly recording employees can have other negative consequences, such as damaging the trust the employee has in the employer and affecting mental wellbeing.

If you any advice in relation to monitoring employees, please do not hesitate to contact our data privacy lawyers.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

art
  • 10 December 2024
  • Corporate and M&A

The value of cyber security for mergers and acquisitions

Developing a robust cybersecurity strategy is essential to ensuring value retention, securing sensitive data, minimising risks and a seamless transfer during and after the merger or acquisition.

Pub
  • 10 December 2024
  • Privacy and Data Protection

UK Data Protection: What happened in 2024 and what’s in store in 2025?

It’s been a year of political change and uncertainty for data protection. Join our data protection webinar, where we will discuss the implications of the Data Protection and Digital Information Bill not passing and the upcoming Digital Information and Smart Data Bill from the King’s Speech, which will affect existing laws.

art
  • 03 December 2024
  • Privacy and Data Protection

Data Use and Access Bill – how will it impact businesses and their dealings with Data Protection?

Clearly documenting and regularly reviewing data protection policies and procedures is paramount to demonstrating compliance with the UK GDPR. It is essential that such policies are communicated within an entity and staff are regularly trained on these.

art
  • 02 December 2024
  • Litigation and dispute resolution

The Era of AI

In this recent case, the First-Tier Tribunal gave a stark warning to litigants about use of AI in litigation.

Pub
  • 26 November 2024
  • Privacy and Data Protection

Key FAQs on Data Subject Access Requests (DSARs)

Understanding Data Subject Access Requests (DSARs) is crucial for businesses. In this podcast, Lucy Densham Brown and Jacob Montague, members of the Data Protection team, have narrowed down the top frequently asked questions we receive regarding DSARs.

art
  • 18 November 2024
  • Privacy and Data Protection

FAQs – Privacy Documentation

Clearly documenting and regularly reviewing data protection policies and procedures is paramount to demonstrating compliance with the UK GDPR. It is essential that such policies are communicated within an entity and staff are regularly trained on these.