Everyone has a right to a private life, even when they’re at work. But, as we’ve shown, workplace monitoring is widespread and likely to become more so. New technology is making it easier than ever for employers to snoop on their workers.
Workplace monitoring puts rights at risk. In too many workplaces, workers’ rights are being eroded with employers using excessive and intrusive forms of surveillance. As our research highlights, this creates stress and a loss of trust. It undermines staff morale and in some cases, can be demeaning for workers.
Data protection law, recently strengthened by the General Data Protection Regulation (GDPR), places significant limits on when and how employers should use new technology to monitor their staff in and outside the workplace.
But, too few people know about these rights and how they might apply in their workplace. Many feel unable to challenge employers’ use of surveillance. This could be for fear that they will lose their job or be victimised at work. And employers have been able to get away with illegitimate snooping and relying on the data to dismiss employees.
In this section, we set out the legal protections that already exist. We then consider the policy changes needed to ensure that the right to a privacy in the workplace is respected and that workers are protected from excessive and intrusive surveillance and monitoring.
This section considers how far the law protects workers from excessive and intrusive surveillance in the workplace.
Since 1998, the UK has had data protection rules that set out strict principles on how personal data can be used by organisations, including employers.
Personal data must be processed in a fair and lawful way. This includes data gathered through workplace surveillance such as:
Data protection law regulates when and how employers can carry out workplace monitoring.
Data protection law does not prevent employers from monitoring workers. There are legitimate reasons why employers may wish to monitor their workforce, for example, to prevent theft or make sure people work safely. But excessive or unjustified monitoring of staff can cause stress, a loss of trust and low morale.
If monitoring and surveillance involves collecting, storing or using personal data, it needs to be done in a way that complies with data protection principles and is fair to workers. Safeguards must be put in place before employers decide to introduce workplace monitoring. The ICO Employment Practices Code contains useful guidance.
Before deciding to introduce monitoring arrangements, the guidance recommends that employers should:
Data protection laws have recently been strengthened by the GDPR that came into effect on 25 May 2018 4. The GDPR has the potential to provide increased protection for workers.
Key changes include far more stringent rules when organisations rely on consent to process personal data. Generally, employers will not be able to rely on workers’ consent to process data – due to the imbalance of power in the employment relationship. Employers are required to carry out risk assessments before processing data.
Perhaps most significantly, the GDPR introduces far heavier penalties for employers that breach the regulations, including a maximum fine of 20 million Euros. The new rules on data protection have for the first time acquired teeth.
For a general summary of data protection law and how it affects the workplace in general, see the annex
Everyone has the right to privacy and a family life, even in the workplace.
These rights are protected by Article 8 of the European Convention on Human Rights forms part of UK law, thanks to the Human Rights Act 1998.
According to the European Court of Human Rights, private life is a broad concept that does not stop at the door of the workplace. For example, under the Convention:
Employers have no legal obligation to allow staff to use the phone, email or internet at work for personal reasons. However, good employers trust staff with some private use during working hours, as long as it does not interfere with their work.
To comply with data protection rules, employers must tell staff of any plans to monitor email or internet use and the reasons for doing so. Employees should have a clear understanding of when monitoring will take place, why information is being gathered and how it will be used.
Employers should also adopt a workplace policy that:
Employers may want to use CCTV or video surveillance for security reasons, such as theft, vandalism or threats to the safety of their staff.
Before introducing CCTV surveillance, employers should carefully consider whether this type of monitoring is justified, or whether the same results could be achieved by using other, less intrusive methods. Continuous CCTV monitoring of workers will rarely be justified.
If employers use CCTV surveillance that records the activities, staff should be told where and why it’s being carried out.
CCTV surveillance should be targeted at areas only where particular risks have been identified and should not be used in areas where staff have a legitimate expectation of privacy. This includes, for example, toilets, changing rooms and private offices.
Covert monitoring should only be used in very exceptional circumstances. Employers must have genuine reasons to suspect that criminal activity is taking place and that telling staff about the monitoring would put the investigation at risk.
The Code of Practice published by the Information Commissioner’s Office (ICO) says that it will be rare for covert monitoring of workers to be justified. It also makes clear:
While the European Court decisions and data protection laws are welcome, UK courts have been far more reticent to recognise workers’ right to privacy in the workplace. As a result, employers have been able to get away with snooping on their workforces and using the information gathered to decide whether to sack people. 9
For example, the Employment Appeal Tribunal (EAT) has decided:
And as our research suggests, most workers are not aware of the law, their rights or the Information Commissioner’s Code. The TUC is also concerned that the standards set out above are not complied with or are simply ignored in too many workplaces.
Workers’ ability to rely on data protection rules in the workplace depends on their confidence to challenge management. We found that workers in higher paid positions (in occupational groups ABC1) were more likely to think they could challenge and stop forms of workplace monitoring that they were uncomfortable with than lower paid workers (in occupational groups C2DE) by some margin (42 per cent compared to 33 per cent). Again, trade union organisation is vital.
We are therefore calling for better regulation and enforcement to ensure that workers’ rights to privacy and dignity at work are respected.
Our research shows that vast majority of workers (79 per cent) say employers should be legally required to consult their workforces and reach agreement before using surveillance.
Trade unions are critical to ensuring workers have a voice and the power to speak up over how technology is used in their workplace. Where trade unions are organised, they regularly negotiate agreements on workplace monitoring to ensure that new technology is used to improve the quality of working life – and not lead to the exploitation of working people.
Trade unions should have a legal right to be consulted on and to agree in advance the use of electronic monitoring and surveillance at work.
Unions should also be able to take advantage of new technologies to recruit and organise working people and to campaign on workplace issues. Union members should have a right not to suffer detriment including dismissal for using social media to build effective workplace campaigns.
The TUC is campaigning for new rights to extend collective bargaining coverage so that more workers can have a genuine say over their working lives. But many working people cannot currently benefit from union representation. The government therefore has a responsibility to introduce tougher regulation to prevent employers’ use of excessive and intrusive surveillance and to protect people’s right to privacy in the workplace.
In summary, the government should:
Want to hear about our latest news and blogs?
Sign up now to get it straight to your inbox
To access the admin area, you will need to setup two-factor authentication (TFA).