The ICO exists to empower you through information.

Specific data protection considerations for different ways or methods of monitoring workers

Share Download options

Pages

Format

In detail

What do we need to consider if we want to monitor workers remotely and when they are working from home?  

The rise in remote and home working in recent years has led to an increase in monitoring workers remotely, in particular if they are working from home. This is because employers want to secure their systems and manage remote workers.

If you are monitoring workers remotely, you should keep in mind that workers’ expectations of privacy are likely to be higher at home than in the workplace. The risks of capturing family and private life information are higher as you can inadvertently capture it. You should factor this risk into any type of monitoring of remote workers you intend to implement. You should do this as part of a DPIA. This is especially important if you are considering implementing any of the forms of monitoring discussed below.

What if commercially available tools are part of our monitoring?

You may choose commercially available tools or services to provide you with the capability to monitor your workers. For example, you may procure a tool that helps to monitor your workers, gathers information about them or helps to store the information (ie a cloud storage provider).

In most of these cases, you are the controller for this processing activity and the third party is a processor. This is because you are deciding the means and purposes of the processing.

As a controller, your data protection responsibilities state that you must:

  • comply with the data protection principles;
  • ensure that workers and other people who may be captured can exercise their rights regarding their personal information;
  • choose an appropriate processor who will provide sufficient guarantees that they will implement appropriate technical and organisational measures to ensure their processing meets data protection requirements; and
  • meet accountability obligations, such as carrying out DPIAs and adopting a ‘data protection by design and default’ approach.

You must determine the controller and processor relationships before you begin to process personal information or implement monitoring.

As part of the procurement process, you must make sure that the provider gives sufficient information about their tool or service so you can carry out your responsibilities. You must do this through a written contract or service agreement between the controller and processor.

In some cases, the third party you are procuring from may use personal information collected by you for their own purposes. In this case, it is likely that the third party would become a controller for this processing.

Further reading

Can we monitor telephone calls?

It is not usually proportionate to monitor or record the content of calls in all cases. You could monitor business calls if it is necessary to provide evidence of business transactions, or for training or quality control purposes.

Example

A customer service call centre monitors helpline calls for training and quality control purposes. Workers are made aware of this through a policy which is regularly brought to their attention. Customers are informed during calls and are signposted to detailed privacy information.

 

Example

A finance company is legally required by a regulator’s rules to record calls. The company limits recording to strictly what is required by those rules.

You may have a business need to monitor usage, for example to detect calls to numbers you would not routinely expect workers to call. You could consider using itemised call records rather than recording call content. If the itemised call record alone is insufficient, you can assess whether you can use it to strictly limit and target any further monitoring. If you decide to change the way you monitor calls as a result of information you gather during call monitoring, you should revisit your DPIA and carefully consider the implications of increased levels of monitoring.

Example

A recruitment agency suspects workers are sharing commercial secrets with a competitor. The employer uses itemised call records to narrow down those under suspicion and then uses these records to target any further monitoring accordingly.

You must make sure you inform workers of any call monitoring in your privacy information. You should also include this in any other relevant internal documents, such as your employment handbook, codes of conduct and guidance. You should ensure workers understand the purpose and extent of any monitoring.

You should not routinely monitor personal calls. You might want to use information about personal calls for billing or in exceptional circumstances (eg suspected criminal activity). You should have a policy for personal calls and make sure workers are aware of this.

Workers base their expectations of privacy on practice as well as policy. So if you tolerate a number of personal calls, you cannot rely on a policy banning them to justify carrying out this type of monitoring.

Don’t forget that worker’s expectations of privacy are significantly higher at home or outside the workplace. You should factor this in to your DPIA.

Monitoring calls also inevitably involves collecting information about people who make calls to, or receive calls from the organisation, as well as about workers themselves. You must tell these people that you are recording the call and why. A recorded message is good practice. Where this is not possible, you must instruct workers to inform callers that calls may be recorded and to explain the reason why. You can then provide the rest of the privacy information (eg retention periods, individual rights available, and details of any data sharing) by other means. For example, you could email the caller a copy of your privacy information or provide a link to it on your website. Any information you collect is likely to be personal information and you could disclose it in response to a SAR. You should make sure workers know that you may release call recordings to people, if requested.

Further reading

Can we monitor emails and messages?

As an employer you might consider monitoring emails and messages sent to and from work accounts. You may intend to:

  • protect corporate information;
  • use it for data security (see our guidance on data loss prevention for more information);
  • identify suspicious activity; or
  • enforce any acceptable usage policies you may have.

By messages, we mean instant messages available on some applications and the chat functions in collaboration tools.

You must be clear about your purpose for monitoring emails and messages and make sure any monitoring is necessary and proportionate to your purpose. You must inform workers of the purpose of any monitoring.

If you are considering monitoring emails and messages, you must complete a DPIA. This is because it poses a high risk to workers’ data protection rights and freedoms and is likely to capture special category data. You should complete a DPIA even where this is not a requirement, as this is good practice. A DPIA helps you to assess risk, plan properly and demonstrate accountability.

It would be difficult to justify monitoring the content of emails and messages if monitoring network data traffic would meet your purpose. You must notify workers in advance, such as in relevant policy documents, if you may monitor content in exceptional circumstances. You must not access content unless there you have a clear policy in place explaining the circumstances where such monitoring may take place.

Before monitoring emails and messages, you should consider the following questions:

  • If network data monitoring alone is not sufficient, can you use the network data record to narrow the scope of the monitoring (eg to restrict your checking of email content to those sent to rival organisations)?
  • What risk does any monitoring pose to the common law duty of confidence owed to workers or customers?
  • Are there any lines of communication that you will not monitor (eg emails from workers to trade union representatives)?
  • Have you banned personal use of the system? Even a ban would not entirely justify accessing the content of personal messages. You should only investigate workers who breach any ban by looking at network data first rather than content.
  • Does your system enable workers to mark emails as personal or private?

Are systems for recording information about emails and messages reliable and accurate?

Can we use video or audio surveillance to monitor workers?

Using CCTV has been common in organisations for many years. However, the quality, technology and possibilities have improved over time. It is possible to accidentally capture special category data through CCTV.

For example, there are CCTV systems which:

  • can capture both video and audio;
  • use facial recognition; or
  • work in conjunction with AI to assess productivity or undertake emotional analysis of the people being recorded.

Remember that when you are planning your monitoring, if you believe that it is likely that you will capture special category data, you must carry out a DPIA.

We have covered call recording above. However, many organisations also have video surveillance with audio capability, or have recording devices available in meeting rooms and many video conferencing apps also have the capability to record audio. Using audio recording, particularly where it is continuous, is considered more privacy intrusive than purely visual recording. You will therefore require a much greater justification if you use it. You should switch off by default any capability to record audio. You should only use it in exceptional circumstances, for example by a trigger switch. Continuous audio and video recording can be highly intrusive and you are unlikely to be able to justify it in most circumstances.

You should target any monitoring at areas of particular risk and confine it to areas where expectations of privacy are low. You are only likely to be justified in using continuous video or audio monitoring of workers in rare circumstances.

If you are considering using video or audio monitoring, you must:

  • complete a DPIA, as this will help you assess whether the benefits justify the adverse impact;
  • consider why this monitoring is necessary for the intended purpose as part of your DPIA;
  • make sure you inform workers about the extent and nature of the monitoring, and why you are carrying it out; and
  • ensure that you make anyone else caught by the monitoring, such as visitors or customers, aware of its operation and why you are carrying it out.

You should also consider the right of access. If a worker or any other person captured by the monitoring makes a SAR, you may need to be able to redact third parties from the footage.

You are unlikely to be able to justify covert monitoring in usual circumstances. (See the section on covert monitoring.)

Using video technology with facial recognition technology comes with higher risks to data protection rights and freedoms than standard video technology. This is particularly the case if you use facial recognition to make inferences about a person’s likely behaviour, emotional state or intentions. There are also concerns about the accuracy of facial recognition technologies, particularly for people from ethnic minority groups.

Facial recognition technology uses biometric data. Biometric data is unique to each person, it cannot be changed. Biometric data is special category data if you are using it to identify individual workers. If you are using facial recognition technology as part of your monitoring, then you are using special category data and must have an appropriate lawful basis and condition for processing. 

If you are considering using facial recognition technologies, you must carry out a DPIA because they present a high risk.

Further reading

Can we monitor work vehicles?

Yes. However, if you allow workers to use the work vehicle for private use, you will rarely be able to justify monitoring during private use

Example

An employer provides workers with company cars which they are allowed for private use. Company cars are tracked during working hours for business reasons. The employer uses a tracking system which the driver can disable so it does not monitor driver activity when they are not working.

You must inform workers and passengers of any vehicle monitoring.

Some employers are obligated by law to use tachographs in vehicles to record information about driving time, speed, and distance to ensure the rules on drivers’ working hours are followed. In this scenario, you can rely on the lawful basis of legal obligation.

You may be using vehicle telematics (also known as ‘black boxes’) across your fleet for vehicle insurance policies. These use technology to track and record driver behaviour to calculate insurance premiums. Telematics data which records the activities of drivers is personal information and is subject to data protection law. If your insurer is handling driver information, they also have data protection obligations.

It is harder for you to justify driver monitoring, such as monitoring driver behaviour and driving style, or using cameras or audio. This is due to the higher risk to worker’s privacy and the privacy rights of any passengers. You must carry out a DPIA as this type of processing would be considered high risk. You should consider whether less intrusive methods could achieve your purpose and document this assessment as part of your DPIA.

If you are considering the use of any monitoring tool which uses analytics to make inferences, predictions, or decisions about drivers, you must carry out a DPIA as this presents a high risk.

Further reading

Can we use dashcams to monitor our workers?

Dashcams and other cameras can be an efficient way to protect drivers, passengers and assets, and can help to reduce insurance costs. However, images captured of any identifiable person is personal information and is therefore subject to data protection law.

Dashcams may be intrusive and can impact on the data protection rights and freedoms of workers and other people, especially if you use them in places that people would not reasonably expect. Outward facing cameras or dashcams can capture recordings of other motorists or pedestrians outside of the vehicle. Inward facing systems can capture the driver and any passengers within a vehicle. Dashcams with audio recording capabilities present higher risk, and so you should switch off any capability to record audio by default. You should only trigger audio recordings in exceptional circumstances.

Example

A taxi has outward and inward facing cameras for the safety of drivers and passengers. This is not continuous. The driver can disable this when they are off duty. The audio feature is switched off by default and only triggered in exceptional circumstances, such as if a passenger behaves in a threatening way.

Further reading

  • If as an employer you are using, or considering using, dashcams on your vehicles, you should read our guidance on surveillance in vehicles for more detailed information.

What if we supply a product or service to another organisation and they ask us to monitor our workers?

You cannot justify monitoring workers solely because your customer makes it a condition of business.

As an employer, you must still comply with data protection law. You must be certain that any monitoring required by a customer is necessary and proportionate, and that you inform workers.

Ultimately the decision about whether the monitoring requested by the customer is appropriate rests with you.

Example

An insurance company wishes to monitor an organisation’s workers to ensure they are billing correctly for workers’ hours and services. They propose monitoring the workers’ computer activity, with reports generated for individual workers. The insurance company would need to justify why this level of monitoring is necessary and consider lower risk alternatives, such as aggregated reports where individual workers are not identifiable.

The employer would need to consider their data protection obligations before the insurance company carried out any monitoring of their workers. If the employer is not confident the monitoring requested by the insurance company meets their obligations under data protection law, they should refuse the monitoring and discuss alternatives with the insurance company.

Further reading

Can we monitor time and restrict access?

Many employers have measures in place to record and restrict access to work premises and equipment. Uses may include:

  • controlling access to buildings or areas of buildings (eg server rooms);
  • controlling access to IT and other systems (eg retail cashier systems, or online platforms which connect workers with clients);
  • recording who is on site for fire safety purposes; or
  • recording attendance for payroll purposes.

These measures can form an important part of your security measures and provide an audit trail. However, they may also pose a risk to workers’ data protection rights and freedoms because of the level of knowledge and control they give you over workers’ activities and movements.  

You must be clear about your purpose for recording information about your workers’ access and activities. You must not use the information for a different purpose unless:

  • it is compatible with your original purpose;
  • you obtain consent; or
  • you have a legal obligation to do so.

Many employers use methods such as pin numbers and swipe cards to control access and record attendance. If you are using, or considering introducing, biometrics to control access, see the section on biometrics and access and time data.

Example

An employer restricts access to a server room to certain workers for security purposes to protect equipment and information. They manage this by a swipe card access control system which records the entrance and exit times of the workers who have the right permissions to enter. This means if equipment is stolen or interfered with, or there is unauthorised access to information, records kept by the system enable them to identify workers who had access at the time.

The employer does not use information about workers’ access and exit times for any other purposes (eg for performance evaluation).

Further reading

What if we are monitoring to prevent data loss or detect malicious traffic?

You are likely to have a number of technical solutions in place to monitor and ensure the confidentiality, availability, and integrity of personal information. These can include solutions such as firewalls to monitor for, or to prevent, external threats, as well as internal monitoring, such as data loss prevention solutions.

You should consider the least invasive means possible when selecting solutions to protect against data loss or external threats. You should complete a DPIA. This will help you to assess the risk and identify if less intrusive methods might achieve your purpose.

Monitoring network traffic may be high risk, particularly if you carry out analysis of the data to make inferences about workers. (See the section on automated tools.)  

As an alternative to more detailed traffic monitoring, you could consider blocking suspicious incoming or outgoing traffic or redirecting the worker to a portal where they may ask for a review of the decision to block traffic.

Can we monitor device activity?

Developments in technology have led to an increase in the availability and affordability of monitoring tools with the capability to process large amounts of information. This can be particularly intrusive if workers are using their own devices.

Some employers use certain tools to record workers’ activities on a range of different devices – including those used by workers personally, such as laptops and handheld devices, as well as network devices, such as routers and firewalls.

This section focuses on the monitoring of devices that an employer may consider for:

  • tracking workers’ activity and productivity;
  • ensuring policies and procedures are followed; and
  • tracking visits to applications and websites.

This is not an exhaustive list. (See the section What if we are monitoring to prevent data loss or detect malicious traffic?)

Device activity monitoring can include capturing workers’:

  • web browsing;
  • emails and messages;
  • documents;
  • use of applications;
  • screen captures;
  • webcam captures; or
  • keystroke monitoring (this is classed as behavioural biometric data where a worker is identifiable because of their unique manner and rhythm of typing).

Device activity monitoring is likely to capture excessive amounts of workers’ personal information. This could potentially include special category data, such as emails about health conditions and emails to union representatives. You are particularly unlikely to be able to justify capturing webcam shots or footage.

If you are considering capturing the computer or device activity of workers, there are several factors to take into account:

  • You must be clear about your purpose, and fully document your justification for carrying out device monitoring, including what consideration you gave to using less intrusive means. If you can achieve your aim in a less intrusive way, you must do so.
  • You must identify a lawful basis and, where special category data is involved, identify a condition for processing.
  • You must carry out a DPIA before undertaking any processing likely to cause high risk to workers’ and other people’s interests. You could use our screening checklists and read our detailed DPIA guidance to help you decide if this is likely to be the case.
  • Even where not mandated, you should carry out a DPIA as the process can assist with your risk assessment and planning.
  • You must consider discussing the proposed device monitoring with workers or their representatives. A representative sample of workers involved in assessing the necessity of monitoring and the accessibility of any policies around this should guide your plans. Involving workers where risks may be high can help to address risks, concerns and help to build trust.
  • You must inform workers about device monitoring, including how you are using it for making decisions which affect them.
  • You could consider making aggregated analytics reports. These can identify trends without identifying individual workers.
  • You could consider banning the private use of work devices and blocking problematic websites. However, remember that even with such a policy in place, it would be difficult to justify accessing a worker’s personal communications.

You should ensure that when workers are using their own personal devices for work, you are not capturing their private use of their device.

Checklist

☐ We are clear about our purpose and collect no more personal information than we need to achieve it.

☐ We have carried out a DPIA that fully addresses our monitoring of emails and messages. It fully explores any impact on the rights and freedoms of workers and other individuals whose personal information may be captured by the monitoring.

☐ We distinguish between network data and content. We only access content in exceptional circumstances and we notify workers in advance.

☐ We have identified a lawful basis and a special category condition where appropriate.

☐ Where required, we have an Appropriate Policy Document in place.

☐ We have an acceptable usage policy in place, and we regularly bring this to workers’ attention.

☐ We have informed workers of the nature, extent, and justification for any monitoring.

☐ We have a retention policy in place. We regularly bring this to the attention of workers, who know what to do with messages that need to be retained for business reasons.

You can also view and print off this checklist and all the checklists of this guidance on our checklists page.