Non-covert monitoring at work


Employees are monitored at work in many different ways. Whenever workers are monitored by collecting or using their personal information, the Data Protection Act 1998 (DPA) will apply. This covers CCTV, phone call logging, email and internet monitoring. 


The DPA does not prevent monitoring, but the adverse impact of any monitoring must be “justified by the benefits to the employer and others”. All monitoring must comply with the core data protection principles (see page 60).


Part 3 of the Employment Practices Code covers all forms of workplace monitoring. There is also a new updated ICO data protection Code of Practice, published in May 2015, addressing the use of surveillance cameras and other technology that captures information relating to identifiable individuals, such as body-worn cameras.

Workers must be told the nature, extent and reasons for any monitoring unless, exceptionally, covert monitoring is justified (see above).

In a workplace with a recognised union, there may be a collective agreement governing the use of monitoring. Ideally it should state clearly that the results of monitoring cannot be used for disciplinary or performance purposes, with possible exceptions for gross misconduct or conduct that risks health and safety.


The ICO Employment Practices Code says that employers engaging in monitoring activities should:


• show a good reason for monitoring employees and consider whether alternative approaches or different methods of monitoring might deliver the same benefits and be more acceptable to workers;


• ensure workers know they are being monitored and why; 


• if monitoring is to be used to enforce rules and standards, make sure workers know clearly what these rules and standards are;


• only use information obtained through monitoring for its original stated purpose (which should be explained clearly in a policy). The only possible exception is where it leads to the discovery of an activity that no employer could reasonably be expected to ignore, for example breaches of health and safety rules that put other workers at risk;


• keep information gathered through monitoring secure and not retain it for longer than necessary, or keep more information than is strictly necessary; 


• only allow one or two people access to computer logs or phone recordings, and consider whether these activities should be carried out by security or HR personnel, rather than line managers; 


• not read emails or listen to calls which are clearly personal or private; 


• make sure workers know it may be necessary to check their email accounts or voice mails in their absence;


• target video or audio monitoring only where it is justified, at areas of particular risk, and only use it where workers would not expect much privacy;


• obtain information about a worker’s criminal convictions for monitoring only if justified and only through a certificate from the Disclosure and Barring Service (see page 85); and


• not monitor workers just because a customer imposes a condition requiring this, unless the employer is satisfied the condition is justified under the DPA.