The ICO exists to empower you through information.


This guidance discusses the monitoring of workers by employers, and how this interacts with data protection. It is primarily aimed at employers. The guidance aims to:

  • help provide greater regulatory certainty;
  • protect workers’ data protection rights; and
  • help employers to build trust with workers, customers and service users.

The guidance provides clarity and practical advice to help employers to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). It assumes some knowledge of data protection, but provides links to other pieces of key data protection guidance, if you want to find out more information.

We use the term ‘worker’ throughout this guidance only to refer to someone who performs work for an organisation. Business models have changed in the last decade, with the rise of the gig economy. This guidance captures these relationships too. It is aimed at all circumstances where there is an employment relationship or otherwise a relationship between an organisation and a person who performs work for the organisation, regardless of the nature of the contract.

To help you understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative requirements

Must refers to legislative requirements.

Good practice

Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.

Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.