Employee monitoring has been a practice for decades, but with the increase in remote and hybrid working, it’s become more prevalent, and consequently, methods have evolved.
Despite being common, employee monitoring remains a contentious topic. If not managed properly, it can fray employee relationships and breach compliance laws.
Our guide discusses employee monitoring laws in the UK, the impact on productivity and morale, and how to legally implement monitoring measures.
How to monitor employees working from home
means employees are trusted to work in remote settings—but how can employers be sure they’re fulfilling their work duties?
Because they can’t physically oversee what their staff are doing, employers are reliant on employee monitoring software. The methods and tools available will be discussed further in this piece.
What are employee monitoring laws in the UK?
In the UK, employee monitoring is primarily governed by data protection laws such as the Data Protection Act 2018 and the UK GDPR 2018.
These laws control how personal data is collected, handled and maintained. When monitoring employees, businesses must ensure they’re legally compliant. Failing to comply leads to consequences. Here are key considerations for employers:
There must be a lawful basis for processing personal data
Prior to collecting and processing employees’ data through monitoring, there must be lawful basis, which includes:
- Consent: Workers must have given clear consent for employers to use their information for a specific purpose
- Contract: Necessary for fulfilling an
- Legal obligation: There’s a legal requirement for monitoring
- Vital interests: It’s needed to protect someone’s life
- Public task: The monitoring is needed for tasks that benefit the public
- Legitimate interests: It’s within the legitimate interests of an employer—cannot supersede workers’ rights
Expanding on the above point, there’s also a new lawful basis known as a ‘recognised legitimate interest', which covers processing that’s necessary for one of the following pre-approved purposes:
- Safeguarding “vulnerable” people
- Responding to emergencies
- Preventing or investigating crime
- National security, public security and defence
- Sharing personal information with an organisation that needs it for their public task or function at their request
Employers must follow provisions regarding special category data
Employers monitoring sensitive personal data must satisfy additional requirements. This could be explicit consent, compliance with employment law, or public interest conditions.
What is special category data?
Special category data is extremely sensitive personal information that demands extra protection because of the risk of potential misuse.
What does special category data include?
With reference to its possible misuse, it mostly relates to discrimination. Under UK and the Data Protection Act 2018, it includes information pertaining to the following:
- Racial or ethnic origin
- Political stance
- Religious or philosophical beliefs
- Trade union membership
- Genetic and biometric data
- Health
- Sexual orientation and a person’s sex life
Conduct a Data Protection Impact Assessment (DPIA)
Implementing employment monitoring has the potential to infringe on employees’ privacy. Therefore, employers must carry out a DPIA. This helps businesses highlight and control risks concerning employee monitoring.
What should a DPIA include?
When conducting a DPIA, employers should ensure it encompasses:
- Description of processing operations: Set out the methods on monitoring and their purposes, including any legitimate interests of the employers or third parties.
- Necessity and proportionality: Establish if the data processing is needed and reasonable in relation to achieving its goals.
- Risk assessment: Assess the possible risk to and freedoms.
- Control measures: Outline steps to sufficiently mitigate identified risks and ensure compliance with data protection laws.
Transparency about the process is key
Clear dialogue between employers and employees regarding monitoring is essential. Staff should be made aware of:
- The reason for the monitoring
- The type of personal data being collected
- The lawful basis for monitoring
- An overview of how the data is processed and stored
The data should be secure and accurate
Personal data collected via the means of monitoring must be accurate and not misleading. Also, stringent measures must be in place to protect employees’ information, including it being restricted to authorised personnel.
Covert monitoring is discouraged
Unless it can be justified with exceptional circumstances, like suspected criminal activity, covert monitoring at work is best avoided—especially in areas where employees would expect privacy, such as toilets.
What types of employee monitoring are there?
Depending on its purpose, employee monitoring comes in several forms and are typically categorised as systematic (continuous monitoring) or occasional (for specific reasons).
Camera surveillance
This could be CCTV or wearable cameras. They’re usually used for security purposes, but it must be necessary, justified and proportionate in relation to its aim. Businesses using camera surveillance must satisfy the following criteria:
- Notify the Information Commissioner’s Office (ICO): Most organisations must register with the ICO and pay the yearly data protection fee.
- Offer clarity: Visible signs must be displayed informing staff and the public that they’re being recorded.
- Limit locations: As mentioned, where employees can expect privacy, camera surveillance is not permitted.
- Intended purpose: If the CCTV was installed for security purposes, then it typically cannot be used for employee monitoring.
Timekeeping and access control
Timekeeping and access control are tools overseeing attendance and access to certain areas of work premises. Systems use a variety of credentials to establish identity for entry and clocking in:
- Biometrics: Fingerprints or facial recognition
- Digital tokens: Fobs or mobiles apps
- PIN codes: Keypads for specific access
Keystroke logging
Keystroke logging, sometimes referred to as keylogging or keystroke monitoring, is a form of digital surveillance. It uses employee monitoring software to record every key that’s pressed, providing a detailed log of everything typed.
Internet activity
Tracking internet activity enables employers to monitor how company networks and devices are used. Such measures are in place to promote better and safeguard data, but it must be balanced with meeting data protection laws.
Should managers monitor employee email and internet usage?
Whether employers elect to monitor their and internet usage is at their discretion. However, should they opt to do so, it must comply with relevant laws and respect their staff’s privacy.
Productivity tools
Much of monitoring employees is for the purposes of preserving productivity. Employee monitoring software may be used to measure output. For example:
- Activity and idle tracking: Tools that monitor mouse movement and keyboard strokes.
- Time tracking and timesheets: Used for project management and provide an overview of resources used for certain clients and tasks.
Does employee monitoring increase productivity?
Certain elements of monitoring employees can bring about positive results concerning productivity. However, much of the increase in output is short-term and carries a risk that has long-term implications.
Performance can be hampered when employees feel as though their privacy is encroached or they’re not trusted. Also, as employees become savvier, they may use methods like ‘key jamming’ to bypass keystroke monitoring, distorting actual metrics.
FAQs: What is employee monitoring?
Is it legal to monitor employees?
Provided employers have a lawful basis, like “legitimate interests”, and the monitoring is needed to achieve a certain business objective, then employee monitoring will be legal. However, employers should consider employees’ right to privacy under the Human Rights Act 1998.
Do employers need employee consent to monitor them?
In the context of employment, consent is seldom “freely given”; employers may be able to rely on legitimate interests. Employers must conduct a Legitimate Interests Assessment (LIA) to demonstrate that the lawful basis applies.
Can employers monitor remote or work-from-home staff?
Yes, but the expectation of privacy is higher when an employee is in their own home. Employers should focus on measuring outputs rather than constant activity—the latter can be considered excessive, and in some cases, unlawful.
What are the rules for CCTV in the workplace?
Employers should have clear signs informing staff and visitors that CCTV is in operation. Placement is key; CCTV mustn’t be installed in private areas like toilets or changing rooms. If employers install CCTV for security purposes, they cannot then decide it’s for monitoring performance.
Is covert monitoring ever allowed?
In exceptional circumstances, secret monitoring is allowed. This could be an investigation into suspect criminal activity or serious malpractice. Should employers use covert methods, it must be targeted, time-limited and overseen by senior management.
What documents do employers need to stay compliant?
Employers will need an Employee Privacy Notice that outlines what data is collected and processed, an Acceptable Use Policy (AUP) defining how IT and emails are to be used, and a Data Protection Impact Assessment (DPIA)—a compulsory assessment for high-risk monitoring like biometrics or keystroke logging.
Can employees see collected data?
Under the GDPR, employees can submit a Subject Access Request (SAR) to see any personal data that’s been collated via monitoring.
Conclusion: What is employee monitoring?
Evidently, employee monitoring is a complex issue. Whilst many business owners may argue it’s necessary for their organisation’s success, they must recognise the risks of breaching data protection laws and eroding their employees’ trust.
Get on top of employee monitoring compliance with Peninsula
You want what’s best for your business, and so do we. But when it comes to monitoring employees, managing compliance and protecting working relationships is difficult.
Let Peninsula ensure you’re compliant and committing to a positive relationship with your staff, all whilst achieving your company’s goals.
