In our digital world, employee monitoring is becoming increasingly common. Many employers use various tools to monitor staff, including computer, email and telephone monitoring and CCTV systems. Whilst employers may have legitimate reasons for workplace monitoring, they must do so in compliance with the General Data Protection Regulation (GDPR). This article will explore when staff monitoring becomes unlawful under the GDPR.
Why Should My Business Understand Data Law?
The Information Commissioner’s Office (ICO) acts as a referee for GDPR and data protection law violations. As such, unlawful staff monitoring can lead to an ICO investigation and potential financial penalties of up to £17.5m. Understanding your data privacy obligations is key to remaining compliant with the law.
With this in mind, let us explore some instances of unlawful employee monitoring below.
Monitoring Without a Legitimate Basis
The GDPR requires your business to have a ‘legitimate basis’ for processing personal data. A legitimate basis means you must have a valid and lawful reason to monitor staff, including ensuring compliance with legal obligations or preventing fraud.
For example, repeated instances of suspected staff theft may constitute a lawful reason for placing CCTV cameras in appropriate locations (alongside relevant warning signage).
However, if you subject staff to excessive monitoring without a legitimate basis, you are likely breaching the GDPR. Again, you need a legitimate reason to justify systematic monitoring practices.
Excessive Monitoring
One of the main principles of the GDPR is that businesses should only collect personal data necessary for a specific need. It follows that your company cannot obtain more personal information than necessary for the purpose of your staff monitoring.
For example, if your organisation places a camera in the cash room to deter and detect staff theft from the cash box, the CCTV camera only requires visual imagery (no sound). This is because CCTV cameras with sound in the workplace can easily pick up private conversations unrelated to the purpose of the CCTV system (i.e. prevention of theft).
Lack of Transparency
The GDPR requires your business to be fully transparent about its data collection practices. In practice, this means that you must inform your employees about the types of personal data collected and the purpose and means of doing so.
For example, a company with CCTV cameras on its premises should have a CCTV policy outlining the original purpose and scope of the video surveillance system. You should also be transparent about using CCTV through appropriate warning signage near the relevant cameras and avoid covert monitoring.
Failure to Carry Out a Data Protection Impact Assessment
The GDPR and ICO encourage businesses in the UK to carry out a Data Protection Impact Assessment (DPIA) concerning collecting personal data, particularly where it involves monitoring individuals.
As staff monitoring constitutes a high-risk processing activity, you are required to produce an assessment of the risks involved in such monitoring. Most DPIAs will record the following points:
- that you have assessed all risks associated with your staff monitoring activities;
- you have implemented any appropriate measures to mitigate those risks; and
- that you will continuously monitor the collection and use of such data (usually at least once a year).
Failure to carry out a DPIA when carrying out high-risk processing activities (such as staff monitoring) increases the potential for an ICO investigation and a fine for GDPR violation.
Key Takeaways
The GDPR restricts your ability to monitor staff to a proportionate level. While you can monitor staff or your workplace to some extent, you must have a legitimate basis for doing so. Likewise, excessive monitoring or doing so without being transparent to your employees can potentially lead to a violation.
If you need help ensuring safe staff monitoring techniques, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
It is good practice to carry out and continuously review your Data Protection Impact Assessment. This is because it helps demonstrate GDPR compliance and a desire to avoid excessive monitoring.
Your company can monitor all activities on a computer if it does so proportionately and informs staff of it doing so (usually through a written policy) beforehand. Failure to notify staff of this practice upfront may constitute a GDPR violation due to a lack of transparency.