Monitoring employees using technology is on the rise in the U.K. as technology continues to become more accessible, not only in terms of availability but also due to cost. Workplace monitoring often involves the processing of personal data, and this is not always obvious to employers; this can lead to systems being introduced without considering the implications from either an employment or a data protection perspective.
With many employees working remotely from home or in a hybrid office/home location, organizations are increasingly monitoring the activities of their employees to assess their productivity/performance and compliance with their employment terms or to protect against legal, reputational, or technology system risks.
In addition to telephone, email, and internet use, monitoring may extend to social media activity, attendance at online meetings, physical location, and use of vehicles. Methods of monitoring employees will vary according to the organization and the extent of its technological capabilities and could include: spot checks within the organization without reference to particular individuals; specific checks on individuals; monitoring the content of all calls or emails; monitoring internet or device use through keystrokes or mouse clicks; webcam recording; screenshots of employees’ screens; the use of dashcams in vehicles; monitoring timekeeping through access control; using biometric data (such as fingerprints or facial recognition) or swipe cards for time and attendance control; and closed-circuit TV (CCTV) and video surveillance to monitor employees’ activities generally.
Which Laws Govern Employees’ Rights?
There is no one specific law that permits or prohibits the monitoring of employees; rather, various laws and rights have come into place to govern its use. These include:
- The General Data Protection Regulation (U.K. GDPR). Under the U.K. GDPR, the data protection principles provide that personal data must be: processed lawfully, fairly, and in a transparent manner; collected and processed only for specified, explicit, and legitimate purposes; adequate, relevant, and limited to what is necessary; accurate and kept up-to-date; kept for no longer than is necessary where there may be identification of data subjects; and processed in a way that ensures appropriate security and protection. Further, individuals have the right to be informed that they are being monitored, the right of access to information obtained on them as a result of monitoring, and the right to object to being monitored. There are also specific rules that apply where automated decisions are being made.
- The Data Protection Act 2018 (DPA 2018). This expands upon the rights and protections given by the U.K. GDPR.
- The European Convention on Human Rights (ECHR). Under Article 8, an individual has a right to respect for private and family life and correspondence. This is incorporated into U.K. law by the Human Rights Act 1998.
- The Employment Rights Act 1996 and the case law relating to unfair dismissal.
- The duty of trust and confidence implied in an employee’s contract of employment.
- The Equality Act 2010, which protects employees from discrimination.
What Are the Risks if Employers Get It Wrong?
Infringement of data subject rights can be extremely costly for organizations. The Information Commissioner’s Office (ICO) has authority to impose fines of up to 17.5 million pounds or 4% of worldwide turnover, whichever is greater, and there are also the costs of any regulatory investigations and/or court proceedings. Enforcement action by the ICO is likely to generate public interest and may result in an organization suffering reputational damage, losing existing customers and/or future business, and seeing its share value fall.
Infringement of data subject rights may also lead to claims by employees for unfair dismissal and/or discrimination.
What Should Organizations Do?
- Examine policies and processes: Organizations should ensure that they have the necessary policies and processes in place to manage the risks relating to employee monitoring. Such policies will include data protection policies and policies relating to the use of technology, CCTV, and social media.
- Communicate with employees: Covert monitoring in the workplace will only be justifiable in exceptional circumstances. Employers should ensure that employees are told about the monitoring the organization intends to carry out and how data collected may be used. The relevant staff should receive training in order to know, understand, and be able to implement the organization’s employee monitoring program in a compliant way.
- Consider the data protection implications: Relevant questions will be: What is the lawful basis for processing? Is a data protection impact assessment needed? What do the employees need to be told, and when and how? What are the considerations for security and access to data? How intrusive is the monitoring method? Is any special category data being used (including biometric data)? What is the impact of monitoring on employees? Is the monitoring justified?
- Be familiar with and comply with the ICO’s 2023 guidance on monitoring employees: This guidance was produced to assist employers with complying with their obligations under the U.K. GDPR and DPA 2018 when they monitor employee activity; should there be an issue, being able to demonstrate compliance with this guidance is likely to be useful.
Emma Loveday-Hill is an attorney with Keystone Law in London. © 2025 Keystone Law. All rights reserved. Reposted with permission of Lexology.