I'll be watching you

A report on workplace monitoring
Report type
Research and reports
Issue date
17 Aug 2018
Annex: Data protection at work: the basics

Employers must ensure that personal data is processed in a fair and lawful way. For example, employers

  • Can only gather and keep information for limited and stated purposes
  • Must tell workers what personal information is being recorded, how it was gathered, why it’s being recorded and who is likely to have access to it and for what reason
  • Must ensure that information kept about individuals is accurate, relevant and up to date and that it is not kept for longer than necessary. They must also ensure that personal information is held securely.
  • Must not reveal personal information to people who do not have a legitimate interest for seeing it, unless individuals have willingly given their employers permission to do so

There are also stronger legal safeguards in place for special categories of data including information about a person’s:

  • Racial or ethnic origin
  • Political opinions
  • Religious or similar beliefs
  • Trade union membership
  • Mental or physical health
  • Sexual orientation or sexual life
  • Alleged or actual criminal offences

Data protection law also gives workers important individual rights, including the right to:

  • Be informed about how any why their personal data is gathered and how it will be used
  • Request an easily accessible copy of the personal information that an employer holds about them. Thanks to the GDPR, the information must be provided free of charge and within 1 calendar month. In limited circumstances, employers can withhold information, for example where the disclosure of information may breach a duty of confidence to someone else, where providing the information would require ‘disproportionate effort’ or whether the information might undermine on-going negotiations between an individual and their employer
  • Ask employers to correct, delete or destroy any information held about them that is factually inaccurate. This could be particularly important in relation to disciplinary records or information held about health

The law also places limits on when employers can use automated decision making in the workplace. Under the GDPR, automated decision-making systems can only be used if it is necessary for the performance of or entering into a contract; if it is authorised by law; or an individual has explicitly consented to it.

Individuals must be told when a decision has been taken solely using automated decision making and have the right to ask for the decision to be reviewed by a person in authority. Organisations using automated decision making should also carry our regular reviews and use appropriate procedures to prevent errors.

These rights could provide important safeguards in the gig economy where employers use algorithms to allocate work and set pay rates. There’s widespread concern these systems can be discriminatory and lead to unfair outcomes.

The Information Commissioner’s Employment Practices Code sets out helpful guidance on how data protection rules affect the workplace13. This Code, however, does not have legal effect.