
When Does Staff Monitoring in the UK Become Unlawful Under the GDPR?


Employee monitoring is increasingly common. Many employers use tools such as computer, email and telephone monitoring and CCTV systems to keep an eye on staff. While employers may have legitimate reasons for workplace monitoring, they must do so in compliance with the UK General Data Protection Regulation (UK GDPR), which the Data Protection Act 2018 supplements. This article explores when staff monitoring becomes unlawful under the GDPR.

Why Should My Business Understand Data Law?

The Information Commissioner’s Office (ICO) is the regulator that enforces the GDPR and wider data protection law in the UK. Unlawful staff monitoring can therefore lead to an ICO investigation and, in the most serious cases, a financial penalty of up to £17.5m or 4% of annual worldwide turnover, whichever is higher. Understanding your data privacy obligations is key to remaining compliant with the law.

With this in mind, let us explore some instances of unlawful employee monitoring below.

Monitoring Without a Legitimate Basis

The GDPR requires your business to have a ‘lawful basis’ for processing personal data (the article sometimes calls this a legitimate basis). In other words, you must have a valid and lawful reason to monitor staff, such as complying with a legal obligation or pursuing a legitimate interest like preventing fraud. Note that consent is rarely an appropriate basis for monitoring employees: because of the imbalance of power between employer and worker, the ICO considers that staff cannot usually give consent freely.

For example, repeated instances of suspected staff theft may give you a lawful reason to place CCTV cameras in appropriate locations (alongside relevant warning signage).

However, if you subject staff to systematic monitoring without a lawful basis, you are likely breaching the GDPR. You need to be able to point to the specific reason that justifies each monitoring practice, and to record it.


Excessive Monitoring

One of the main principles of the GDPR is data minimisation: personal data must be adequate, relevant and limited to what is necessary for the purpose it is collected for. It follows that your company cannot obtain more personal information than is necessary for the purpose of your staff monitoring.

For example, if your organisation places a camera in the cash room to deter and detect staff theft from the cash box, the CCTV camera only requires visual imagery (no sound). This is because CCTV cameras with sound in the workplace can easily pick up private conversations unrelated to the purpose of the CCTV system (i.e. prevention of theft).

The best way to ensure GDPR compliance is to collect the minimum amount of personal information necessary for the stated purpose of your staff monitoring and to avoid capturing data unrelated to that purpose, such as private conversations or personal communications.

Lack of Transparency

The GDPR requires your business to be fully transparent about its data collection practices. In practice, this means that you must inform your employees about the types of personal data collected and the purpose and means of doing so.

For example, a company with CCTV cameras on its premises should have a CCTV policy setting out the purpose and scope of the video surveillance system. You should also make the use of CCTV visible through appropriate warning signage near the relevant cameras. Covert monitoring should be avoided: ICO guidance treats it as justifiable only in exceptional circumstances, such as a specific investigation into suspected criminal activity, and even then it should be authorised by senior management and limited in duration.

Your business must tell staff about the nature and purpose of data collection before it starts, or it risks falling foul of the GDPR transparency rules.

Failure to Carry Out a Data Protection Impact Assessment

The GDPR requires businesses in the UK to carry out a Data Protection Impact Assessment (DPIA) before any processing of personal data that is likely to result in a high risk to individuals, and the ICO’s guidance on monitoring workers treats most systematic staff monitoring as likely to need one.

Because staff monitoring is typically a high-risk processing activity, you must document an assessment of the risks involved before you begin. A DPIA will normally record:

  • a description of the monitoring, its purpose and the lawful basis relied on;
  • an assessment of whether the monitoring is necessary and proportionate to that purpose;
  • the risks to staff that you have identified and the measures you have put in place to mitigate them; and
  • a commitment to review the collection and use of the data on a regular basis (usually at least once a year).

Failure to carry out a DPIA where one is required for a high-risk activity (such as staff monitoring) is itself a breach of the GDPR, and it increases the likelihood of an ICO investigation and a fine.

Key Takeaways

The GDPR restricts your ability to monitor staff to what is proportionate. While you can monitor staff or your workplace to some extent, you must have a lawful basis for doing so. Likewise, monitoring that is excessive, or that is carried out without being transparent to your employees, can lead to a violation.

If you need help ensuring safe staff monitoring techniques, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

How can a Data Protection Impact Assessment help my business?

It is good practice to carry out and regularly review a Data Protection Impact Assessment. A DPIA helps you demonstrate GDPR compliance and shows that you have considered, and avoided, excessive monitoring.

Can my business monitor email content and internet use?

Your company can monitor email content and internet use, provided the monitoring is necessary and proportionate to a stated purpose, rests on a lawful basis, and staff have been told in advance (usually through a written policy). Reading the content of communications is more intrusive than logging that they occurred, so it needs a stronger justification. Failure to notify staff of this practice upfront may constitute a GDPR violation due to a lack of transparency.

Thomas Sutherland
