ICO issues new guidance on monitoring workers

20th October 2023

Employers are increasingly turning to data to gain an insight into their employees’ performance.

The technology available to monitor employee activity is becoming increasingly sophisticated. However, workers have a right to privacy, and employers must ensure that the surveillance is necessary and proportionate to protect the rights and freedoms of workers.

Earlier this month, the Information Commissioner’s Office (ICO) published guidance on how to lawfully monitor workers, which is  compliant with UK GDPR and Data Protection laws.

Our employment and commercial teams are here to advise you on the best way to carry out the monitoring of workers, but here is an overview.

What is monitoring?

Monitoring can take place through a variety of methods, including:

  • Keystroke counting
  • Tracking internet activity
  • Webcams and screenshots
  • Tracking calls
  • Software technology to track activity

Employee surveillance can be carried out overtly, where workers are aware they are being monitored and the reasons why, or covertly, where it is carried out secretly. Covert monitoring will only ever be justifiable in exceptional circumstances.

Failure to carry out lawful monitoring has serious consequences, and the misuse of private information can lead to financial loss and reputational damage for your company.

Can you monitor workers?

Whilst there is nothing preventing employers from monitoring workers, it must be carried out in a manner that is compliant with data protection law.  Workers have a right under Article 8 of the Human Rights Act 1998 to respect for their private and family life. Given the rise in homeworking, the expectation of privacy is likely to be greater at home than in the workplace. The risk of inadvertently capturing information about your workers’ family and private lives is higher when they are working from home.

It is vital that you are clear about your purpose for processing information and choose the least intrusive way of achieving that purpose.

You must identify one or more lawful basis on which to collect and process information relating to your workers, these are:

  1. Consent (the worker gives consent for you to process their personal data for a specific purpose)
  2. Contract (monitoring is necessary for a contract you have with the worker)
  3. Legal obligation (the processing is necessary for you to comply with the law)
  4. Vital interests (the processing is necessary to protect someone’s life)
  5. Public task (the processing is necessary for you to perform a task in the public interest)
  6. Legitimate interest (the processing is necessary for your legitimate interests or those of a third party)

It is recommended that you carry out a data protection impact assessment (DIPA) before you begin any monitoring. Doing so will allow you to consider whether the use of monitoring is fair and helps you minimise risk.

For monitoring to be fair, you must be transparent about how and why you will process your workers’ information and must communicate this to them in a way that is accessible.

Workers can object to being monitored in certain circumstances if they can give a specific reason. You can still proceed with the monitoring, providing you demonstrate legitimate interests which override the interests, rights, and freedoms of the worker.

You must not collect more information than is necessary to achieve your purpose, and any personal information collected through monitoring must be available to workers if they make a subject access request.

You must also have appropriate organisational and technical measures in place to protect personal information being processed.

 Employers must take the following steps to lawfully monitor workers:

  • Make workers aware that you intend to monitor them, the reasons for doing so, and the nature of the monitoring,
  • Identify a defined purpose, and the least intrusive way to achieve that means,
  • Have a lawful basis on which to process workers’ personal data,
  • Communicate clearly about any monitoring,
  • Only keep information that is relevant to the purpose, and
  • For monitoring that is likely to result in a high risk to the rights of workers, carry out a data protection impact assessment.

If your business implements employee monitoring/employee surveillance or has any queries relating to data protection, we’re here to help and provide reassurance.
Contact Natalie Hami Dindar (employment)  on nataliehamidindar@schofieldsweeney.co.uk orSophie Brazier (commercial) on sophiebrazier@schofieldsweeney.co.uk.


We’re here for you – contact us today

0300 124 0406

Contact Us