
Employee monitoring - data protection essentials

Monitoring employees in the workplace can be prompted by legitimate performance management, health and safety, and security motives. However, technology in this space is evolving rapidly. Although this presents sophisticated opportunities and potential cost-effectiveness, there is a serious legal side to employee monitoring that businesses need to be aware of. 

Employee monitoring is increasingly on regulators’ radars, resulting in heavy financial penalties and negative publicity for organisations. Earlier this year, Uber Eats settled a data privacy complaint by one of its drivers because its app, used by drivers to secure work, deployed AI-driven facial recognition software for logon credentials. The software contained underlying racial bias, resulting in lockout and loss of work. 

In January, Amazon France Logistique was fined €32m by the French data protection supervisory authority, the CNIL, for ‘excessive’ employee monitoring in its French warehouses, where scanners were used to track employees’ productivity and periods of inactivity. 

In the UK, the ICO ordered Serco Leisure (and associated entities) to stop using facial recognition technology and fingerprint scanning to monitor workers’ attendance.

UK guidance

In September 2023, the UK Information Commissioner issued new guidance on employee monitoring, and in August 2023, the Department for Culture, Media and Sport produced a report on connected technology concerns, containing a section on workplace monitoring. These publications warn that the line can quickly blur between legitimate employee monitoring and productivity optimisation at one end, and harmful micro-mapping of productivity, time, and movement at the other.  

Risks and liabilities from employee monitoring

Overlapping legal provisions come into play when monitoring employees. The key statutory data protection provisions derive from the UK GDPR and Data Protection Act 2018. Employers should understand how to apply the principles, rights, and obligations from this legislation to manage risks. These risks arise from:

  • Regulatory scrutiny and enforcement action. The UK Information Commissioner has extensive powers to interview, audit, reprimand and issue enforcement notices. It also has considerable financial powers, being able to issue penalties of up to £17.5 million or 4% of annual turnover in the most severe cases.
  • Judicial claims for breaches of the UK GDPR/Data Protection Act 2018
  • Costly and time-consuming rights requests from employees or other impacted individuals (including claims in the employment tribunal)
  • Negative publicity and reputational damage

Our top 10 tips to navigate these risks

Employee monitoring involves navigating both legal and technical challenges. Here are the top 10 issues to consider, along with our tips to manage legal risks:

  1. Least intrusive approach: opt for the least privacy-intrusive processing methods, consider less intrusive alternative options, and carry out a Data Protection Impact Assessment (DPIA) at the earliest possible stage, to help identify, avoid, and minimise the risks of processing personal data unlawfully. Implement suitable privacy controls and configure software settings to minimise privacy risks. In some circumstances, a DPIA will be a legal requirement, which we can advise on and assist with.
  2. Data capture: be mindful of the types of personal data processed, such as location, biometric, and criminal offence data, and the methods of processing used, including analytics and surveillance. Be wary of inadvertently capturing third-party data, of excessive capture of personal data, and of capturing special category or criminal offence data. Use software with built-in data protection features and watch out for function creep.  
  3. Lawful basis: regularly review and document the lawful basis for processing personal data. Consent is often not suitable in employment contexts. Keep monitoring purposes clear and limited.
  4. Intended purpose: ensure that the lawful basis aligns with the intended use of the software. Where software can have different purposes, it is important to be clear about the purpose for which you are using it and to take the appropriate compliance measures. For example, if you collect data to ensure employees’ safety, you should not then use it to monitor performance “since it’s there”, without considering the legal and relationship issues that will result.
  5. Transparency and consultation: ensure transparency with employees about monitoring practices. Update policies and privacy notices, and use ‘just in time’ notices where appropriate. Inform employees about what data is being collected, how it’s being used, and keep them updated on any changes. We can help draft clear and comprehensive privacy notices.
  6. Expectation of privacy: avoid monitoring in areas where employees expect privacy, such as home devices and personal content. Configure software to respect privacy and limit monitoring to necessary areas. We can help you navigate the complexities of privacy expectations and legal requirements.
  7. Data protection by design: adopt a ‘data protection by design and default’ approach. Ensure you can respond to rights requests, retain data securely only for as long as strictly necessary, and limit access on a ‘need to know’ basis. If the supplier stores or has access to the data, a legal requirement for a Data Processing Agreement may be triggered. If the data is being used for key decision-making with significant effects (for example in relation to promotions, pay increases etc.), the decision-making process should not be purely automated (unless the employee has consented to it). Employees who ask for human intervention in the decision-making should not be disadvantaged. Measures should be taken to ensure fairness and account for any personal circumstances (such as disabilities) which may result in lower performance metrics. We can help you identify and manage overlapping data protection and equality obligations.
  8. Context: understand the UK Information Commissioner’s definition of ‘worker’ and the scope of data protection laws internationally. Be aware of international data transfer requirements and ensure compliance with global data protection laws.
  9. Overlapping laws: be aware of potential overlapping laws, for example, employment, equality, human rights, health and safety, investigatory powers, and telecommunications.
  10. Demonstrate compliance: be prepared to demonstrate your approach and consult with internal legal, risk, and privacy teams, including the Data Protection Officer if appointed. Document compliance efforts and ensure ongoing consultation with relevant teams. 
