Toggle high contrast

I'll be watching you

A report on workplace monitoring
Report type
Research and reports
Issue date
What needs to change to protect workers from unfair monitoring?

Everyone has a right to a private life, even when they’re at work. But, as we’ve shown, workplace monitoring is widespread and likely to become more so. New technology is making it easier than ever for employers to snoop on their workers.

Workplace monitoring puts rights at risk. In too many workplaces, workers’ rights are being eroded with employers using excessive and intrusive forms of surveillance. As our research highlights, this creates stress and a loss of trust. It undermines staff morale and in some cases, can be demeaning for workers.

Data protection law, recently strengthened by the General Data Protection Regulation (GDPR), places significant limits on when and how employers should use new technology to monitor their staff in and outside the workplace. 

But, too few people know about these rights and how they might apply in their workplace. Many feel unable to challenge employers’ use of surveillance. This could be for fear that they will lose their job or be victimised at work. And employers have been able to get away with illegitimate snooping and relying on the data to dismiss employees.

In this section, we set out the legal protections that already exist. We then consider the policy changes needed to ensure that the right to a privacy in the workplace is respected and that workers are protected from excessive and intrusive surveillance and monitoring.

The policy recommendations include:

  • Trade unions should have a legal right to be consulted on and to agree in advance the use of electronic monitoring and surveillance at work
  • It should be unlawful for employer to victimise or dismiss union members for using social media to build effective workplace campaigns
  • The government has a responsibility to introduce tougher regulation to prevent employers’ use of excessive and intrusive surveillance and to protect people’s right to privacy in the workplace. The government should ensure employers can only monitor their staff for legitimate reasons that protect the interests of workers
  • The government should also ask the Information Commissioner to update the Employment Practices Code to take account of new forms of technology, in consultation with the TUC and the CBI
  • The Code should have legal status and should be taken into account by courts and tribunals in employment cases
  • The Code should clearly state that employers can only use surveillance for legitimate reasons that protect the interests of workers and that employers must consult recognised trade unions and reach agreement before introducing of electronic monitoring and surveillance in the workplace 
     

How does the law protect workers from excessive and intrusive monitoring?

This section considers how far the law protects workers from excessive and intrusive surveillance in the workplace. 

Data protection law and workplace monitoring 

Since 1998, the UK has had data protection rules that set out strict principles on how personal data can be used by organisations, including employers. 

Personal data must be processed in a fair and lawful way. This includes data gathered through workplace surveillance such as: 

  • A person’s image on a CCTV recording
  • Information about a person’s use of a computer or use of emails or the internet at work

Data protection law regulates when and how employers can carry out workplace monitoring. 

Data protection law does not prevent employers from monitoring workers. There are legitimate reasons why employers may wish to monitor their workforce, for example, to prevent theft or make sure people work safely. But excessive or unjustified monitoring of staff can cause stress, a loss of trust and low morale.

If monitoring and surveillance involves collecting, storing or using personal data, it needs to be done in a way that complies with data protection principles and is fair to workers. Safeguards must be put in place before employers decide to introduce workplace monitoring. The ICO Employment Practices Code contains useful guidance.

Before deciding to introduce monitoring arrangements, the guidance recommends that employers should:

  • Be clear about the reason for monitoring staff 
  • Carry out a risk assessment to identify any potential benefits for staff and identify any negative effects monitoring may have on staff. Any adverse impact of monitoring on individuals should be justified by the benefits to the employer and others
  • Consider whether there are less intrusive alternatives which could be used other than surveillance
  • Ensure that staff are aware of any monitoring or surveillance, the reasons for using it and how information can be used
  • If information is gathered for one purpose, e.g. to protect health and safety, not use it for other reasons, for example, to discipline staff

Data protection laws have recently been strengthened by the GDPR that came into effect on 25 May 2018 4 .  The GDPR has the potential to provide increased protection for workers.

Key changes include far more stringent rules when organisations rely on consent to process personal data. Generally, employers will not be able to rely on workers’ consent to process data – due to the imbalance of power in the employment relationship. Employers are required to carry out risk assessments before processing data. 

Perhaps most significantly, the GDPR introduces far heavier penalties for employers that breach the regulations, including a maximum fine of 20 million Euros. The new rules on data protection have for the first time acquired teeth.

For a general summary of data protection law and how it affects the workplace in general, see the annex

Privacy in the workplace is a human right

Everyone has the right to privacy and a family life, even in the workplace. 

These rights are protected by Article 8 of the European Convention on Human Rights forms part of UK law, thanks to the Human Rights Act 1998.

According to the European Court of Human Rights, private life is a broad concept that does not stop at the door of the workplace. For example, under the Convention:

  • Workers have a reasonable expectation of privacy when using the phone at work, especially if employees have not been warned them their telephone might be bugged 5
  • Monitoring of work emails can breach employees’ rights to privacy, particularly where employers do not have a workplace policy6
  • Employers must be able to justify surveillance of employee communications, especially if this involves reading employees’ private emails or online messaging.  They should also explore any less intrusive alternatives 7
  • Covert surveillance at work can only be justified in exceptional circumstances 8

Monitoring email, internet and phone use

Employers have no legal obligation to allow staff to use the phone, email or internet at work for personal reasons. However, good employers trust staff with some private use during working hours, as long as it does not interfere with their work.

To comply with data protection rules, employers must tell staff of any plans to monitor email or internet use and the reasons for doing so. Employees should have a clear understanding of when monitoring will take place, why information is being gathered and how it will be used.

Employers should also adopt a workplace policy that:

  • Makes clear the extent and type of private use which is allowed
  • Clearly specifies any restriction on internet material which can use, view or copy, including for example materials which may be considered offensive as it contains racists language or nude or derogatory images
  • Spells out any restrictions on what materials can be sent, for example sending or receiving sexually explicit material and bans on offensive statements based on race, sex, sexuality, disability, age or religion

CCTV and video surveillance

Employers may want to use CCTV or video surveillance for security reasons, such as theft, vandalism or threats to the safety of their staff.

Before introducing CCTV surveillance, employers should carefully consider whether this type of monitoring is justified, or whether the same results could be achieved by using other, less intrusive methods. Continuous CCTV monitoring of workers will rarely be justified.

If employers use CCTV surveillance that records the activities, staff should be told where and why it’s being carried out.

CCTV surveillance should be targeted at areas only where particular risks have been identified and should not be used in areas where staff have a legitimate expectation of privacy. This includes, for example, toilets, changing rooms and private offices.

Covert monitoring

Covert monitoring should only be used in very exceptional circumstances. Employers must have genuine reasons to suspect that criminal activity is taking place and that telling staff about the monitoring would put the investigation at risk.  

The Code of Practice published by the Information Commissioner’s Office (ICO)  says that it will be rare for covert monitoring of workers to be justified. It also makes clear: 

  • Covert monitoring must only be used as part of a specific investigation and must stop once the investigation is complete
  • If audio or video equipment is to be used, it must not be used in places such as toilets or private offices

Surveillance at work and unfair dismissal protection

While the European Court decisions and data protection laws are welcome, UK courts have been far more reticent to recognise workers’ right to privacy in the workplace. As a result, employers have been able to get away with snooping on their workforces and using the information gathered to decide whether to sack people. 9

For example, the Employment Appeal Tribunal (EAT) has decided:

  • Covert surveillance of an employee’s home who was suspect of fiddling time sheets, was not disproportionate 10
  • Filming of an employee in public did not breach his right to a private life 11  .  The employee had been seen at a sports centre when he was supposed to be at work but had not clocked out. Because he had acted fraudulently he had no right to privacy
  • It was fair for an employer to dismiss an individual because of derogatory comments they had made about the employer on social media, even though the comments were posted two years before the dismissal took place. The employer had also found evidence on social media that the individual had consumed alcohol whilst on standby 12

The reality in the workplace

And as our research suggests, most workers are not aware of the law, their rights or the Information Commissioner’s Code. The TUC is also concerned that the standards set out above are not complied with or are simply ignored in too many workplaces. 

Workers’ ability to rely on data protection rules in the workplace depends on their confidence to challenge management. We found that workers in higher paid positions (in occupational groups ABC1) were more likely to think they could challenge and stop forms of workplace monitoring that they were uncomfortable with than lower paid workers (in occupational groups C2DE) by some margin (42 per cent compared to 33 per cent). Again, trade union organisation is vital.

We are therefore calling for better regulation and enforcement to ensure that workers’ rights to privacy and dignity at work are respected.

Key recommendations

Our research shows that vast majority of workers (79 per cent) say employers should be legally required to consult their workforces and reach agreement before using surveillance.

Trade unions are critical to ensuring workers have a voice and the power to speak up over how technology is used in their workplace. Where trade unions are organised, they regularly negotiate agreements on workplace monitoring to ensure that new technology is used to improve the quality of working life – and not lead to the exploitation of working people.

Trade unions should have a legal right to be consulted on and to agree in advance the use of electronic monitoring and surveillance at work.

Unions should also be able to take advantage of new technologies to recruit and organise working people and to campaign on workplace issues. Union members should have a right not to suffer detriment including dismissal for using social media to build effective workplace campaigns.

The TUC is campaigning for new rights to extend collective bargaining coverage so that more workers can have a genuine say over their working lives. But many working people cannot currently benefit from union representation. The government therefore has a responsibility to introduce tougher regulation to prevent employers’ use of excessive and intrusive surveillance and to protect people’s right to privacy in the workplace.  

In summary, the government should:

  • Ensure employers can only monitor their staff for legitimate reasons that protect the interests of workers
  • Ask the Information Commissioner to update the Employment Practices Code to take account of new forms of technology:
    • Any revised Code should be the subject of detailed consultation with the TUC and the CBI
    • The Code should have legal status and should be taken into account by courts and tribunals in employment cases
    • The Code should clearly state
      • Employers can only use surveillance for legitimate reasons which protect the interests of workers
      • Employers must consult recognised trade unions and reach agreement before introducing of electronic monitoring and surveillance in the workplace
  • Strengthen unfair dismissal rules to safeguard individuals from excessive surveillance, both at work and through social media, by requiring courts and tribunals to take data protection rules and the ICO’s Code of Practice into account when deciding if a dismissal is lawful
  • Work with the ICO to ensure that workers’ rights to privacy at work are properly enforced

 

  • 4 The EU General Data Protection Regulation was implemented in the UK through the Data Protection Act 2018
  • 5 Halford v United Kingdom [1997] IRLR 471
  • 6 Copland v United Kingdom (2007) 45 EHRR 37 
  • 7 Barbulescu v Romania [2017] IRLR 1032 
  • 8 Lopez Ribalda v Spain (App nos. 1874/13 and 8567/13, 9.1.18). 
  • 9 Philippa Collins, ‘The Inadequate Protection of Human Rights in Unfair Dismissal Law’ (2017) Industrial Law Journal 
  • 10 McGowan v Scottish Water [2005] IRLR 167
  • 11City and County of Swansea v Gayle UKEAT/0501/12
  • 12 BWB v Smith - UKEAT/0004/15 
Enable Two-Factor Authentication

To access the admin area, you will need to setup two-factor authentication (TFA).

Setup now