Employers can monitor employees, but must do so lawfully and proportionately. The rules come from the Data Protection Act 2018, the UK GDPR, the Human Rights Act 1998, and the Regulation of Investigatory Powers Act 2000 (RIPA).
Types of Workplace Monitoring
- CCTV and video surveillance
- Email and internet monitoring
- Phone call monitoring or recording
- GPS tracking of company vehicles
- Keystroke logging and screen monitoring
- Social media monitoring
- Access control systems (door badges, fingerprint scanners)
Key Legal Requirements
- Lawful basis — you need a valid reason under GDPR (usually "legitimate interests" with a balancing test against employee privacy rights)
- Transparency — employees must be told what monitoring takes place, why, and how the data will be used. Covert monitoring is only justified in exceptional circumstances (e.g., suspected criminal activity).
- Proportionality — the monitoring must be proportionate to the aim. Blanket surveillance of all employees when investigating one person is unlikely to be proportionate.
- Data Protection Impact Assessment (DPIA) — required for systematic monitoring of employees
- Privacy policy — your employee privacy notice must cover monitoring activities
Best Practice
- Have a clear monitoring policy in your employee handbook
- Tell employees what you monitor and why before monitoring starts
- Only collect the minimum data needed
- Limit who can access monitoring data
- Set retention periods and delete data when no longer needed
- Consider less intrusive alternatives first
Our policy team can draft a compliant monitoring policy.