What legal grounds do employers have to monitor staff?

Rosie McArdle explains the pitfalls businesses face when using surveillance technology to keep tabs on employees, particularly when working from home

Employee monitoring technology is becoming more common and consequently more controversial in the workplace. Indeed, the news that Amazon will begin deploying a new AI video camera unit to its delivery vans and warehouses to monitor staff has sparked concerns that companies are taking excessively intrusive steps to monitor their workers.

However, employee monitoring is not unique to Amazon – thousands of companies now use monitoring software to record employees’ web browsing and active work hours, using the kind of tools built for corporate offices in employees’ phones, computers and homes to provide oversight of staff working from home. But some employees think this new corporate surveillance has further blurred the lines between their work and personal lives. 

To ensure that employees meet their responsibilities without being put under constant scrutiny, it’s vital that businesses are aware of the legal implications of monitoring their staff. In the UK, employers are allowed to monitor both the websites staff look at on company devices and their keystrokes, though in both cases employees must be told they are being monitored. 

Crucially, employers must operate in compliance with the rules and principles set out in the General Data Protection Regulation (GDPR). Under GDPR compliance, any processing of personal data must have a specific, explicit and legitimate purpose. A legitimate purpose for monitoring employees may be, for example, to safeguard the security of personal data while employees are working remotely. It can also be to guarantee compliance with legal obligations or to ensure an employee is carrying out their responsibilities outlined in their employment contract. Once a legitimate purpose is identified, the employer must ensure that any personal data collected is only processed for that purpose. 

This approach – termed data minimisation – is an important consideration for employers. Companies will need to assess whether the collection of employees' data is proportionate to the purpose. GDPR rules state that certain data may be analysed to minimise both personal data processing and data risks.

Employers must also assess and document the legal grounds and reasoning for data monitoring. Relevant legal grounds may include: that the processing of personal data through monitoring is necessary for the performance of the employment contract; it is necessary for compliance with employers’ legal obligations; or for legitimate interests pursued by the employer where these are not overridden by the employees' rights and freedoms.

To help document and mitigate some of the risks of potential employee monitoring, businesses can carry out a data protection impact assessment (DPIA). A DPIA describes the nature, scope, context and purposes of the data processing. It must assess the necessity, proportionality and compliance measures undertaken, while identifying any risks to the individual and how processing data will help mitigate those risks.

Failure to follow GDPR principles can lead to complaints or investigations from the Information Commissioner’s Office, potentially resulting in serious fines. It is influential in protecting an employee’s data rights and clarifies what companies must do to safeguard them. In severe cases, staff may even use covert surveillance or micromanagement to make a case for constructive unfair dismissal.

Given the potentially complex legal framework that employers must navigate to covertly monitor their employees’ activity, businesses should consider less intrusive ways to keep track of employee productivity without increasing stress and potentially distrust among staff. 

Ensuring that managers have regular contact with employees through scheduled team and one-to-one calls is a valuable way of keeping track of employees’ activities and identifying potential concerns, while manual time recording via timesheets can provide a granular way of tracking activity without the legal complexity. Managing this process effectively and fostering a culture of trust around employee monitoring will pay dividends for employers in the long run, especially with working from home likely to remain widespread long beyond the pandemic.

Rosie McArdle is a senior associate at LexLeyton