- What do we mean by monitoring workers?
- Can we monitor workers?
- How do we lawfully monitor workers?
- How do we identify a lawful basis?
- What if our monitoring involves special category data?
- What about criminal offence data?
- Are there other laws we should consider?
- How do we ensure our monitoring is fair?
- How do we ensure that we are transparent about monitoring?
- How do we demonstrate accountability?
- Do we need to do a data protection impact assessment (DPIA) before we start monitoring?
- Do we have to define our purpose for monitoring workers?
- Do we need to restrict the amount of information we collect when we monitor workers?
- How do we ensure accuracy?
- How long should we keep information obtained from monitoring workers?
- How do we ensure the security of personal information obtained from monitoring workers?
- What must we tell workers about our monitoring?
- Should we discuss the introduction of monitoring with our workers?
- Can we use covert monitoring?
- Can workers request access to their personal information obtained from monitoring?
- Can workers object to being monitored?
- What do we need to consider if we use a third-party provider or an application provided by a third party to carry out monitoring?
- What do we need to consider if we transfer personal information of workers outside the UK?
Workers largely recognise that employers carry out checks on the quality and quantity of their work. Employers may also monitor workers to protect health and safety, or to meet regulatory obligations (eg requirements in the financial services industry). Monitoring can also form part of the security measures an organisation has in place to protect personal information. Increasingly, employers are using data analytics to infer worker performance and wellbeing.
We use the term ‘monitoring workers’ to mean any form of monitoring of people who carry out work on your behalf. This can include monitoring workers on particular work premises or elsewhere, and can include monitoring during or outside work hours. To comply with data protection law, you must do this monitoring in a way that is lawful and fair to workers.
This guidance is not relevant to people recording information in a personal or household context, unless there is professional or commercial activity (for example, if you run a business from home). This guidance also covers you if you employ a visiting worker to your household, such as a nanny or gardener, and monitor their activity routinely or on an ongoing basis. It is also important to note that homeworking does not constitute personal or household processing, and so is also covered by this guidance.
Excessive monitoring can have an adverse impact on the data protection rights and freedoms of workers. Excessive monitoring is likely to intrude into workers’ private lives and undermine their privacy and mental wellbeing. It is not always easy to distinguish between workplace and private information, especially when workers are based at home. Some workers may also use personal devices for work. Monitoring communications between a worker and their union representative or capturing a worker’s personal correspondence both give rise to significant concerns. (See the sections What if our monitoring involves special category data? and Can we monitor emails and messages?.)
As an employer, there may be occasions when you need to consider sharing personal information you have obtained from monitoring your workers with a law enforcement authority. For example, you may discover suspected criminal activity by a worker, such as fraud or theft. This guidance does not apply to processing carried out for the purposes of law enforcement. Law enforcement authorities are subject to the separate law enforcement regime under Part 3 of the DPA 2018.
This guidance covers systematic monitoring, where an employer monitors all workers or groups of workers as a matter of course. For example, if you use software to monitor productivity. It also applies to occasional monitoring, where an employer introduces monitoring as a short-term response to a specific need. This includes installing a camera to detect suspected theft, or a software package created to monitor workers systematically, but where monitoring functions are not always active, for example taking random screenshots.
Monitoring technologies and purposes may include:
- camera surveillance including wearable cameras for the purpose of health and safety;
- webcams and screenshots;
- technologies for monitoring timekeeping or access control;
- keystroke monitoring to track, capture and log keyboard activity;
- productivity tools which log how workers spend their time;
- tracking internet activity and keystrokes;
- body worn devices to track the locations of workers; and
- hidden audio recording.
The technologies that employers use to monitor their workers have changed rapidly over time and will undoubtedly continue to evolve in sophistication. However, you must follow the data protection principles regardless of technological developments.
Data protection law does not prevent you from monitoring workers, but you must do so in a way which is compliant with data protection requirements. Article 8 of the Human Rights Act 1998 concerns the right to respect for a private and family life. This is increasingly important due to the rise of homeworking. Workers’ expectations of privacy are likely to be significantly greater at home than in the workplace, and the risks of capturing information about your workers’ family and private lives (if you monitor them when they are working from home) are higher.
You can monitor workers if you do it in a way which is consistent with data protection law.
When deciding whether to monitor workers, carefully balance your business interests as an employer against workers’ rights and freedoms under data protection law.
If you carry out monitoring in a way which is unfair, this will impact on workers’ rights and freedoms under data protection law. It will also negatively affect the trust between you and your workers, as well as potentially affecting their mental wellbeing. Just because a form of monitoring is available does not mean it is the best way to achieve your aims. You must be clear about your purpose and select the least intrusive means to achieve it.
After an employer discovers that a small number of remote workers started later than they recorded on their timesheets, it rolls out device monitoring. This allows senior management to access automatic webcam images and check if workers are at work.
This is likely to infringe data protection law because it is disproportionate, and there are less intrusive ways to check start times.
The employer can achieve the same purpose by checking the times workers log onto the computer system, and then give workers the opportunity to explain any discrepancies.
To lawfully collect and process information from monitoring workers, you must identify a lawful basis. There are six to choose from and you must identify at least one that is appropriate for the type of processing you intend to do.
Monitoring workers often includes capturing sensitive information. This is called ‘special category data’ in the UK GDPR. Because of its sensitivity, special category data requires extra protection. If the nature of your monitoring means that you will collect special category data, or are likely to, you must identify a special category processing condition, as well as a lawful basis. (See the sections on lawful basis and special category data.)
You must also ensure any monitoring is lawful in the general sense. If you are considering monitoring workers, you should consider all the legal implications of any other relevant laws.
A bank monitors all transactions made by every worker to prevent and detect fraud. This does not involve processing special category data. The bank needs to identify a lawful basis, but not a condition for processing.
A bank wishes to monitor all email traffic to address the risk of fraud and protect commercially sensitive information. As well as a lawful basis, the bank should identify a special category condition. This is because monitoring all email traffic could detect special category data, such as emails sent to union representatives or to occupational health personnel.
How you decide which lawful basis applies depends on your specific purpose and the context of the monitoring. You must think about why you want to monitor workers. You must identify which lawful basis best fits the circumstances. We have listed the available lawful bases below, along with some guidance to help you identify the right basis for your circumstances. You can also use our interactive guidance tool to help you. Carrying out a data protection impact assessment (DPIA) may also help you to identify the most appropriate basis.
You must not adopt a one-size-fits-all approach. No one basis is always better, safer or more important than the others. However, some are likely to be more appropriate than others for employers. We highlight some of these below.
Sometimes, more than one basis might apply. You should identify all those that apply, and document them from the start. Try to get it right first time, as you should not change it later without good reason.
The six lawful bases are:
The worker gives consent for you to process their personal data for a specific purpose.
A person must freely give their consent for it to be valid. This means that consent is not usually appropriate in the employment context, due to the imbalance of power between you and your workers. Workers are likely to feel that they have no choice but to give you consent.
Consent must be unambiguous and include an affirmative action. You must:
- give workers the option to withdraw their consent without detriment;
- make this as easy as when they first provided it; and
- keep records of when and how you gained consent, and what exactly workers consented to.
Consent is only appropriate if circumstances mean workers have a genuine choice and control over the monitoring.
The monitoring is necessary for a contract (such as the employment contract) you have with the worker, or because they asked you to take specific steps before entering into a contract.
You should only use this lawful basis if it is necessary for your side of the contract as an employer. Whilst scenarios may exist where the use of employee monitoring is the only way for you to fulfil your side of a contract, these are hard to envisage.
As monitoring is more often for internal business improvement purposes, it’s unlikely that it will be a suitable lawful basis for monitoring workers.
An employer inserts a clause into its employment contracts to say that it employs video surveillance across its premises to monitor productivity and improve efficiency. This would not be sufficient justification to use this lawful basis for such monitoring as there are other less intrusive ways of improving productivity.
The processing is necessary for you to comply with the law.
You can rely on this lawful basis if you monitor workers to comply with a common law or statutory obligation. This does not apply to contractual obligations. In order to rely on this basis you must either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation.
A logistics company needs to monitor driving time, speed and distance to comply with the rules on drivers’ working hours. Legal obligation is appropriate as a lawful basis. The logistics company documents the decision to rely on this lawful basis and signposts to the legislation which applies. The company does not process more information than necessary to fulfil obligations under the rules on drivers’ hours. They also do not use the information for any other purposes.
The processing is necessary to protect someone’s life.
This is for emergencies, where you need to process personal information to protect someone’s life. This lawful basis is very limited in its scope and generally only applies to matters of life and death.
A test pilot is monitored for several important factors, such as heart rate, blood pressure and brain activity. These factors may change in the demanding and dangerous job of test flights. These are vital to make sure the pilot is kept safe. On the other hand, an office worker would not expect to be monitored for these things, as there would be little in their job that would affect these factors. It is likely that another lawful basis for monitoring would be more suitable.
The processing is necessary for you to perform a task in the public interest or for your official functions.
You must have a clear basis in law for the task or function. This is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest that have a clear basis in law. For example, a private organisation or charity working under contract to a public authority to help deliver one of their defined legal functions.
This basis may be appropriate if:
- you are a public authority or your organisation carries out tasks in the public interest; and
- you can demonstrate that monitoring workers is necessary to perform your tasks as set down in UK law.
You should assess the basis in law of the specific monitoring activity. You cannot rely on this basis if you could achieve the same purpose in a less intrusive way.
If monitoring is not necessary for you to perform your public task, then you cannot rely upon this lawful basis.
The processing is necessary for your legitimate interests or those of a third party, unless the risks to the workers’ rights override them.
This basis is the most flexible and could apply in a wide range of circumstances.
Legitimate interests may not be the most appropriate lawful basis if:
- you are monitoring in ways workers do not understand and would not reasonably expect; or
- it is likely some workers would object if you explained it to them.
You could use the DPIA process to help you to assess this. (See the section on DPIAs.)
Depending on the work they undertake, and the contexts they work in, workers can reasonably expect different levels of monitoring to fall within the legitimate interest definition.
A miner would reasonably expect to wear a tracking device within a mine. This would be due to the dangerous work they undertake, the risks involved in potential accidents and the need to keep track of their location within the mine.
However, an office worker would not reasonably expect to wear a tracking device in an office setting. There is far less risk working day-to-day in an office than in a mine, and office workers would not reasonably expect such a level of monitoring.
When deciding if the proposed monitoring is appropriate, you must balance your legitimate interests and the necessity of the monitoring against the interests, rights and freedoms of workers, considering the particular circumstances. This is different to the other lawful bases which presume that your interests and those of the worker are balanced.
You can break the key elements of the legitimate interests basis down into a three-part test:
- Purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the person’s interests, rights or freedoms?
You should assess each of the tests before processing and document the outcome, so you can demonstrate that legitimate interests applies. You should do this by carrying out a legitimate interests assessment.
Special category data is personal information revealing or concerning:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where used for identification or authentication purposes);
- health or disability;
- sex life; or
- sexual orientation.
It needs more protection because it is sensitive and the risks of harm to the person from its inappropriate disclosure or use are likely to be higher.
When you are planning to carry out monitoring, you should consider whether you are going to capture any of the above types of information.
If the planned monitoring captures this type of information, you must have a special category condition, as well as a lawful basis, before you start the monitoring.
In certain circumstances, your planned monitoring may capture special category data incidentally. You may not plan to collect it, but the nature of the monitoring might make it likely (eg where monitoring may identify emails between a worker and a healthcare provider or a trade union representative). If this is the case, you must identify a condition for processing.
When choosing a condition for processing, think about your purpose for monitoring, as this helps you identify the most appropriate condition. In circumstances where you do not intend to capture special category data, but it's likely that you will do so, you should demonstrate that your purpose for monitoring outweighs the risk of inadvertently capturing special category data. The condition you choose should reflect this purpose. Carrying out a DPIA helps you do both of these things. (See the section on DPIAs.)
If you process, or are likely to process special category data, it is possible that the information you gather may be protected by other laws as well. (See the section Are there other laws we should consider?)
You must only keep the information which is relevant to your purpose for monitoring. This is particularly important because of the higher risks of collecting and using special category data. You should regularly review the information you are collecting and destroy what is not necessary.
If it’s unlikely you’ll capture any special category data, you could document a condition to minimise risks. However, you are not obliged to.
There are 10 conditions for processing special category data. Five of these require you to meet additional conditions and safeguards set out in Schedule 1 of the DPA 2018. (See what are the conditions for processing). You should also carry out a DPIA before you begin.
Below, we discuss some of the conditions for processing special category data which may be relevant in the context of monitoring workers.
You can only rely on this condition if workers have control and choice over the monitoring. Explicit consent is not specifically defined by the UK GDPR but is similar to the lawful basis of consent. If you want to rely on this condition, you must ensure that workers provide explicit consent in a clear statement (whether written or oral). Explicit consent cannot be implied. To rely on this condition, you must ensure workers have a genuine option, with no negative impact (either actual or perceived) for withholding explicit consent. This is unlikely in most employment circumstances. As with the lawful basis of consent, this is not usually appropriate in the employment context due to the imbalance of power between you and your workers. There may be some limited circumstances where it can apply.
An employer wants to introduce an access control system which uses workers’ biometric data to sign them into work devices. They have carried out a DPIA and established the necessity and proportionality of this method. They offer a feasible alternative (such as PIN codes) to workers who withhold explicit consent. This does not negatively impact those workers. Therefore they can rely on explicit consent as their condition for processing.
In most scenarios, it is unlikely that workers will have full control or choice over the monitoring you’re planning to use. This means you are unlikely to be able to rely on explicit consent.
Employment, social security and social protection (if authorised by law)
This condition may be relevant if you are monitoring to ensure the health, safety and welfare of workers. Your purpose must be to comply with employment law or social security and social protection law. You must identify the legal obligation or right in question, either by referring to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you could refer to a government website or to industry guidance that explains generally applicable employment obligations or rights.
This condition does not cover processing to meet purely contractual employment rights or obligations. If you are relying on this condition, you must also meet the associated condition set out in Part 1 of Schedule 1 of the DPA 2018. This condition requires you to have an appropriate policy document in place.
Substantial public interest (with a basis in law)
To rely on this condition, you must be clear that the monitoring is necessary in the public interest and with a basis in law. You must also justify the processing of special category data to achieve your purpose.
To meet this condition, you must demonstrate the wider substantial public benefit and basis in law for your processing. You must also identify a relevant substantial public interest condition as set out in Part 2 of Schedule 1 of the DPA 2018. You must also have an appropriate policy document in place for almost all of these conditions.
A bank uses CCTV to detect and prevent crime. As footage may capture special category data about workers and customers, the bank relies on ‘reasons of substantial public interest’, and it meets the public interest condition ‘preventing or detecting unlawful acts’.
Similar to special category data, data protection law gives extra protection to personal information about offenders or suspected offenders regarding criminal activity, allegations, investigations or proceedings. Article 10 of the UK GDPR restricts the processing of criminal offence data. You must only process criminal offence data if the processing is either under the control of official authority or authorised by domestic law (Schedule 1 of the DPA 2018). If you are monitoring workers to detect criminal activity, you must identify a specific condition for processing in Schedule 1 of the DPA 2018.
This guidance aims to help you comply with data protection obligations when monitoring workers. Any monitoring you undertake must be lawful and fair. There are other laws that you should also consider when monitoring workers, outside data protection. These include, but are not limited to, the Human Rights Act 1998, Equalities legislation and investigatory powers regulations.
- Human Rights Act 1998
- Equality Act 2010
- Section 75 Northern Ireland Act 1998
- The Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-Keeping Purposes) Regulations 2018
- Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
- Equality and Human Rights Commission
- IPCO – Investigatory Powers Commissioner's Office
Fairness is a key data protection concept. It means you should only monitor workers in ways they would reasonably expect and not in ways that cause unjustified adverse effects on them.
In some circumstances you must carry out a DPIA before carrying out monitoring. Even if you are not required to carry one out, you should still do so. The results of a DPIA will help you consider whether the planned use of monitoring is fair, for example by considering the risks of unjustified or adverse processing involved in installing CCTV systems in your business premises.
Workers report thefts from staff changing rooms. The employer considers installing CCTV in the changing rooms for the purpose of detecting and preventing thefts. The adverse effect of filming workers when they would reasonably expect privacy means this monitoring is unfair.
To help ensure fairness, the employer instead decides to install CCTV to monitor the door outside the changing room. This will narrow the scope of any investigation of further thefts and act as a deterrent. They also install signs to inform workers of its presence and the purpose of the camera. As this in itself poses a risk to the information rights and freedoms of workers, the operation of the CCTV is time limited to the duration of the investigation, and the company destroys any information not relevant to the investigation.
An employer uses a software tool to monitor how long workers spend using a case management system. They use the monitoring reports to assess the performance of workers. The reports do not take into account the reasonable adjustments some workers have, which mean they work outside of the system for some tasks. Unless the employer takes into account the work done outside the system, the monitoring is unfair and inadequate.
Transparency is about being clear with workers about how and why you process their information. It is fundamentally linked to fairness. Building trust with your workers starts with transparency. Monitoring conducted without transparency is unfair and could negatively impact trust relationships. Workers have the right to be informed about the collection and use of their information, and you must tell workers about monitoring in a way that is accessible and easy to understand. (See the section about privacy information.)
Apart from in very exceptional circumstances where covert monitoring is justified, you must inform workers about any monitoring. (See the section on covert monitoring.)
The principle of accountability makes you responsible for complying with the UK GDPR and says you must demonstrate your compliance. Putting in place appropriate policies, procedures and measures helps you demonstrate accountability. These must be proportionate to the risks, which vary depending on your type of worker monitoring, the level of intrusion and the technology you use.
You should make sure overall responsibility for monitoring workers rests at the highest senior management level. If you have a data protection officer (DPO), you must make sure they are closely involved in any plans to monitor workers. You should brief any workers involved in processes that are used for monitoring workers on data protection law and their roles within it.
DPIAs are an important accountability tool. Completing a DPIA helps you to identify and minimise the risks of any monitoring activity you might plan. The DPIA process includes a step where you can discuss your plans to introduce monitoring with workers. This helps to shape your plans and build trust with workers. When carrying out a DPIA you should also consider anyone else captured by your monitoring plans, such as customers, members of the public or household members, if your workers are based at home.
You must carry out a DPIA before undertaking any processing likely to cause high risk to workers’ and other people’s interests. You should use our screening checklists and read our detailed DPIA guidance to help you decide.
Examples of high risk processing can include:
- processing biometric data of workers;
- keystroke monitoring of workers;
- monitoring that may result in financial loss (such as performance management); or
- using profiling or special category data to decide on access to services.
If you have a data protection officer (DPO), you must seek and record their independent advice on the outcome of the DPIA before making any final decisions.
If, following your DPIA, you decide to go ahead with your proposed monitoring, you must provide information about it to your workers before you begin monitoring.
You should carry out a DPIA even if there is no specific high risk as it is a flexible and scalable tool which can assist your decision-making. If you decide to proceed without carrying out a DPIA, you should document your decision.
If you have carried out a DPIA which identifies high risk that you cannot reduce, you must consult the ICO before going ahead with the monitoring.
Yes. Purpose limitation is a key principle of data protection law. You must be clear about the purpose for monitoring. For example, you may decide to monitor email traffic for security purposes, or use CCTV for site safety purposes. However, you should not monitor workers ‘just in case’. You must document why you are monitoring workers and what you intend to do with the information you collect.
If the monitoring is to enforce your organisation’s policies, make sure these are clearly set out. You should regularly bring the policies to the attention of workers. The policy or policies should also outline the nature, purpose and extent of any monitoring.
An employer has acceptable usage rules for using the internet. They document these rules in a policy which is made known and accessible to all workers affected. Either in this policy, or linked from this policy, the employer sets out privacy information which explains:
- how they monitor these rules;
- how they use the information obtained from the monitoring; and
- the safeguards in place for the workers being monitored.
You should consider that workers base their expectations of privacy on practice, as well as policy. Excessive monitoring set out in a policy does not make it lawful, just because it is documented.
An employer has a policy which imposes a ban on personal calls, but in practice, they overlook a limited number of personal calls. The employer cannot rely on the policy to justify carrying out monitoring.
You can set up systems so that workers cannot access the internet or applications without accepting certain conditions. This can reduce the need for some types of monitoring.
An employer minimises the risks of unacceptable usage by blocking some websites (personal email, social media sites and entertainment sites). This means they can minimise unacceptable usage rather than monitor for it.
You can only change your purpose for monitoring if:
- your new purpose is compatible with your original purpose;
- you get consent; or
- you have a clear obligation or function set out in law.
Yes. The data minimisation principle means you must not collect more information than you need to achieve your purpose. It is closely linked to purpose limitation. Monitoring technologies and methods have the capability to gather wider categories and larger amounts of information than may be necessary to achieve your purpose. This risks ‘function creep’, where information is used for wider purposes than the original intention. This can happen gradually over time, so you should review how you monitor workers regularly to prevent this. Similarly, you must not collect more information than is necessary, just in case it might prove useful to you in the future.
An employer collects office ethernet connection data to monitor the use of workspaces and ensure there is sufficient capacity for workers. They should not re-use this information for performance management purposes without identifying a new lawful basis and establishing the necessity and proportionality of this new purpose.
To comply with the accuracy principle, you must:
- take all reasonable steps to ensure the personal information you gather through monitoring workers is not incorrect or misleading as to any matter of fact;
- if necessary, keep personal information updated;
- take reasonable steps to correct or erase personal information as soon as possible if you discover that it is incorrect or misleading; and
- carefully consider any challenges by workers to the accuracy of any information you gathered through monitoring.
This particularly applies if you are using the information to make potentially adverse decisions about workers. For example, if you use monitoring information in performance reviews.
You should consider the following points:
- Equipment or systems malfunction can cause information collected through monitoring to be misleading or inaccurate (eg a computer system resetting to the wrong time zone).
- Information can also be misinterpreted or even deliberately falsified.
- Data analytic tools can make incorrect inferences about workers.
You should ensure that workers can see and, if necessary, explain or challenge the results of any monitoring. You should do this within, or alongside, disciplinary or grievance procedures and performance reviews or appraisals.
How long should we keep information obtained from monitoring workers?
You must not keep personal information obtained from monitoring workers for any longer than is necessary for your particular purpose or purposes. You should base any retention period you set on business need. You should review it regularly, and take into account any professional guidelines or legal obligations. You should not retain information just in case you find a purpose for it in the future. You must ensure you have a retention schedule and delete any information you collect from monitoring workers in line with your schedule. The UK GDPR doesn't specify retention periods. However, you should be able to justify any retention periods that you set, and be able to link these to the reasons why you have obtained the information.
How do we ensure the security of personal information obtained from monitoring workers?
Security is a key principle of data protection law. You must have appropriate organisational and technical measures in place to protect any personal information you collect through monitoring.
- assess the data security risks of any monitoring and use this to decide the security measures you need to put in place; and
- restrict access to the information to only those who need access. Take care to identify the most appropriate person or people to access the information you collect. You should properly train them to handle information obtained from monitoring.
If you decide to outsource your monitoring activities to a data processor, you should remember that as the controller, you are responsible for compliance with data protection law. This includes what the processor does with the information.
Processors also have their own set of security obligations under data protection law. (See the section on third parties.)
Similarly, if you are using commercially available monitoring tools, or the monitoring functionalities which are available on communication and collaboration tools, you are still responsible for compliance with data protection law. In particular, you should still consider the security and access controls on any information you collect. You should not assume the tool has the appropriate level of protection built in. (See the section on commercially available tools.)
What must we tell workers about our monitoring?
You must make sure workers are aware of how and what personal information you are collecting during any monitoring. You could set up a system to ensure workers remain aware that monitoring is taking place, for example through your organisation’s intranet or signage in areas subject to monitoring. You should regularly review your monitoring practices and you must keep privacy information up to date. You must also tell workers when you introduce changes.
It is unfair to workers if you are unclear on whether you are monitoring them. Not providing workers with clarity around monitoring risks damaging trust between you and your workers. Similarly, if you are monitoring workers, uncertainty over the reason for doing so can have a negative effect. This might adversely impact the work of your organisation, as well as infringing the data protection rights and freedoms of workers. Making sure workers understand any monitoring builds trust and ensures you comply with workers’ right to be informed.
(See the section on transparency and informing workers about monitoring.)
- For more details on what information you must provide, see our guidance on the right to be informed.
Should we discuss the introduction of monitoring with our workers?
If you are planning to introduce monitoring, you should seek and document the views of your workers or their representatives (such as trade unions), unless there is a good reason not to. If you decide not to, you should record this decision along with a clear explanation. Seeking the views of workers as part of your planning process is a good way of being transparent and building trust with your workers. You can then address any feedback or questions in advance, which helps you build good employment relationships and meet your obligations to protect workers’ data protection rights and freedoms.
You should involve workers during the early planning stages. This can potentially avoid complaints from workers at a later stage, allows you to consider potential issues before they arise, and helps to build trust with workers. You should do this as part of your DPIA.
Can we use covert monitoring?
Covert monitoring means carrying out monitoring in a way designed to ensure workers are unaware that it is taking place. It is unlikely that you will be able to justify covert monitoring in most usual circumstances. However, there may be exceptional circumstances where you might be able to justify this. For example, if covert monitoring is necessary to enable you to prevent or detect suspected criminal activity or gross misconduct.
You should outline in your organisational policies the types of behaviours that are not acceptable and the circumstances in which covert monitoring might take place.
If you are considering monitoring workers covertly, there are several factors to be aware of:
- Covert monitoring should only be authorised by senior management.
- You must carry out a DPIA.
- You should be satisfied that there are grounds for suspecting criminal activity (or an equivalent, such as gross misconduct) and that informing workers about the monitoring would prejudice its prevention or detection.
- You should strictly target the covert monitoring at obtaining evidence within a set timeframe, limited to the shortest time possible.
- You should not continue the covert monitoring after the investigation is complete.
- You should not use covert audio or video monitoring in areas where workers would reasonably expect to be private, such as toilets or changing rooms.
- In most circumstances, you should not use covert monitoring to capture communications that workers would reasonably expect to be private, such as personal emails.
- If you are considering using a private investigator to collect information on workers covertly, you must have a contract in place that requires them to only collect information in a way that satisfies your obligations under data protection law. See our guidance on controllers and processors for further details.
- You must only use information gathered through covert monitoring for the purpose intended. You should disregard and destroy any other information unless it reveals something that no employer could reasonably be expected to ignore and where there is no other way to achieve this purpose.
- You should limit the number of people involved in the investigation to only those who really need to be involved.
- You should set clear rules limiting disclosure and access to the information you collect.
- Remember workers’ data protection rights. For example, if a worker submits a subject access request, you may have to disclose the personal information obtained from monitoring. You should deal with requests on a case-by-case basis.
Ultimately, you should balance the interests of the employer and the worker. However, you should be able to justify every decision you make to carry out any covert monitoring.
Can workers request access to their personal information obtained from monitoring?
You must make the personal information you collect through monitoring available to workers if they make a subject access request (SAR), unless an exemption applies.
It may be challenging to respond to a SAR if the monitoring system you use collects large amounts of information, or contains the personal information of third parties. This is especially the case if the systems you use do not store information in a way that makes personal information readily retrievable. You should factor in how easy it is to retrieve information when considering what type of monitoring system you plan to introduce. You should do this in your DPIA.
Can workers object to being monitored?
Yes, workers can object to you collecting and processing their personal information from monitoring in certain circumstances. Specifically, a worker can object where the lawful basis you are relying on is:
- public task (for the performance of a task carried out in the public interest or for the exercise of official authority vested in you); or
- legitimate interests.
The worker must give specific reasons why they are objecting to you collecting and processing personal information through monitoring. The reasons should be based on their particular situation.
However, this isn’t an absolute right and you can refuse to comply with the objection if:
- you can demonstrate compelling legitimate interests for the processing, which override the interests, rights and freedoms of the worker; or
- the processing is for the establishment, exercise or defence of legal claims.
If you are deciding whether you have compelling legitimate interests which override the person’s interests, you should consider the reasons why the worker has objected to the monitoring. If they object on the grounds that the monitoring is causing them substantial damage or distress, the grounds for their objection will have more weight. To decide, you must balance the worker’s interests, rights and freedoms with your own legitimate interests. To continue with the monitoring, you must demonstrate that your legitimate grounds override those of the worker.
If you are satisfied you do not need to comply with the request, you must let the worker know. You should document and thoroughly explain your decision. You must inform them of their right to make a complaint to the ICO. You must also tell them of their ability to seek to enforce their rights through a judicial remedy.
You can also refuse to comply with an objection if it is:
- manifestly unfounded; or
- excessive.
A worker sends different requests to you on a regular basis with the stated intention to cause disruption. This may be manifestly unfounded.
What do we need to consider if we use a third-party provider or an application provided by a third party to carry out monitoring?
If you decide to carry out monitoring of your workers, you must ensure that this is done fairly and lawfully. You are responsible for deciding how and why the monitoring takes place, including the use of any particular technology or service to do so.
You should not assume that packages you purchase are compliant with data protection law. Before you begin any monitoring activity, you must ensure the system or application is compliant with data protection law, and that any necessary contracts are in place. A DPIA will help you consider the impact that processing activities may have on your workers. (See the section on DPIAs.) If you or your provider are using automated decision-making techniques (AI) to process worker data, you should take additional considerations into account. (See our section on automated decision-making.)
If you use another organisation to carry out this monitoring on your behalf, and they only work to your written instruction, it is likely that they will be a processor.
A company pays a third party to supply a system that provides salary and pension contributions and processes expenses. The payroll provider processes personal information about the company’s workers and provides weekly reports to the company on the time worked by each staff member. The provider is a processor and the company is the controller. The company must ensure the payroll provider is compliant with data protection law.
You are responsible for making sure your processor is competent to process the personal information in compliance with data protection law. You must have a contract (or other legal act) in place so both parties understand their responsibilities and obligations.
You must make sure any third party provider you use processes personal information in compliance with data protection law. You should not assume that any third party software has been designed with data protection in mind.
If your monitoring involves AI and automated decision-making, or automated decision-making by itself, there are additional considerations that you or your provider should take into account. (See the section on automated decision-making.)
A DPIA will help you to address these issues as well as considering the impact your monitoring may have on your workers. (See the section on DPIAs.)
What do we need to consider if we transfer personal information of workers outside the UK?
Data protection law restricts the transfer of personal information to countries outside the UK or to international organisations. These restrictions apply to all transfers, no matter the size or how often you carry them out. We refer to these as restricted transfers.
The rules for international transfers apply if:
- you are agreeing to send personal information, or make it accessible, to a receiver which is located in a country outside the UK; and
- the receiver is legally distinct from you as it is a separate company, organisation or person. This includes transfers to another company within the same corporate group.
However, if you are sending personal information to someone employed by you, or by your company or organisation, this is not a restricted transfer. The transfer restrictions only apply if you are sending personal information outside your company or organisation.
If you are making a restricted transfer, you must make sure the transfer is covered by either:
- adequacy regulations – this is where another country has been assessed as providing ‘adequate’ data protection;
- appropriate safeguards – before you rely on one of these you must carry out a transfer risk assessment to be sure workers’ information will have protection essentially equivalent to the UK data protection regime; or
- an exception – if you are making a restricted transfer that is not covered by UK adequacy regulations or an appropriate safeguard then you can only make the transfer if it is covered by an exception.
A UK company uses an outsourced human resources service in India provided by its parent company. The UK company passes information about its workers to its parent company in connection with the HR service. This is a restricted transfer, so the UK company must ensure there are adequate safeguards in place.
If you use a processor based outside the UK, the rules on international transfers apply. Data protection law restricts the transfer of personal information to countries outside the UK or to international organisations.
A UK company uses a USA based software application to monitor workers. The application provider hosts the personal information in the USA and is a processor. This is a restricted transfer, and the UK company must ensure it is covered by appropriate safeguards. The UK company must ensure the application provider provides all relevant information to ensure compliance with data protection law.
If you are sending personal information about workers overseas, read our guidance on:
□ We have checked that the monitoring of workers is necessary for the purpose we have identified. We are satisfied there is no other reasonable and less intrusive way to achieve that purpose.
□ We have considered whether we need to do a DPIA and either completed one or documented the reason we considered one wasn’t required.
□ When making our DPIA decision, we have considered seeking the views of workers and representatives and either done this or documented our decision not to.
□ We have identified a lawful basis for monitoring workers.
□ Where required, we have identified an appropriate special category condition for monitoring workers if we’re likely to capture any special category data as part of our monitoring.
□ We have documented what personal information we are processing when we monitor workers.
□ Where required, we have an appropriate policy document in place.
□ We have included specific information about monitoring workers in our privacy information so that workers are aware of any monitoring taking place. We have made sure that this information is readily accessible to workers.
□ We have considered whether the risks associated with monitoring workers affect our other obligations around data minimisation, security, and appointing Data Protection Officers (DPOs) and representatives.
□ We have considered data protection issues as part of the design and implementation of monitoring systems and practices, including where we use external suppliers for monitoring technology, and where we use the functionalities built into communication and collaboration work tools.
□ Where necessary, we have considered the rules for international transfers.
You can also view and print off this checklist and all the checklists of this guidance on our checklists page.