Employee Monitoring - Who's watching you?

Written by Richard Bradley
GDPR Consultant
18/02/2022

The COVID-19 pandemic shifted working arrangements from fixed locations and office hours to remote working, with dispersed teams and flexible working patterns. This change has led businesses to embrace new ways to monitor their workforce's activity and productivity and to ensure work goals are being met. However, any monitoring or surveillance carries legal and ethical ramifications which employers should consider, as getting it wrong can result in hefty fines and reputational damage. In this blog, we discuss what employee monitoring is, the risks involved for employers, and the legal implications for companies to consider.


What is employee monitoring?

Employee monitoring is the active observation of workers using digital tools to track, monitor, and assess employee attendance, behaviour, and productivity. With remote working becoming commonplace and a shift towards cloud computing platforms, employers are increasingly embracing workplace monitoring to ensure their business assets remain safe and secure. Monitoring employee performance and productivity is another reason why employers want to keep an eye on their staff. Done well, it can give employers confidence that the work is being done and provide valuable insight into employee performance, while still trusting employees to conduct themselves responsibly.


Risks to consider

There is a plethora of monitoring tools now at the disposal of employers. These range from time, activity or keystroke-frequency tracking to more invasive tools that use webcams or capture the text entered. In the right setting, with employees aware and engaged, aspects of these tools can be useful for tracking productivity, but it is all too easy to cross the line into being intrusive and introducing new security weaknesses. There are many examples of appropriate forms of monitoring, such as email analytics programs that track time spent on email, and time-monitoring systems such as electronic timesheets and clocking machines. However, making employees use biometrics for a clocking machine without good cause, or requiring them to clock in and out for going to the bathroom, can breach data protection laws. Employers also need to be aware that excessive or inappropriate monitoring can violate employment law, the Equality Act and the Human Rights Act.


In addition to the risk of breaching the various laws designed to safeguard individuals, employee monitoring tools can also put your business's own security in danger. Keystroke logging tools pose a considerable cyber security risk: they capture whatever is typed, including confidential data and passwords, and the resulting logs become a high-value target for anyone who can reach them. There are other considerations businesses need to be wary of when conducting employee monitoring. For example, continuous webcam monitoring could easily capture the personal data of other people living in the house, information that the company is not legally or ethically entitled to collect. This would almost certainly be viewed as excessive and intrusive. Work mobile phones are a different case: there is a natural need for businesses to be able to locate them if they are lost or stolen, and employers may also monitor the device's usage (such as personal use at company expense or the use of unsafe apps).

Excessive tracking of employees, and the presence and accessibility of the data it generates, can itself be a serious vulnerability. It could be exploited by insider threats through theft of the data, acts of espionage, or its exposure. External attackers could also use the tracking information a business holds to blackmail employees and to elicit more sensitive data.

If you're thinking about implementing employee monitoring, to proceed safely and lawfully, you will need to make sure:

  • Employee monitoring is proportionate to the risks and the activity.
  • Only reputable monitoring software is used, and you know where it stores the data it collects.
  • Access controls are put in place so that only those with a genuine need can see the data, to prevent its misuse.
  • A security professional helps to implement safeguards where monitoring is planned to be large-scale or in any way comprehensive.
  • You enlist the guidance of a data protection specialist who can assist with any legal and ethical questions that may arise from employee monitoring.

Legal considerations

Employee monitoring is not expressly forbidden in law. However, laws including the GDPR and the Human Rights Act place limits and obligations where this takes place. The GDPR requires that the objective underpinning your activity is both fair and lawful in the first instance. Businesses will need to show that there is a real threat that needs to be combatted to use surveillance. Surveillance must be overt unless there is a strong reason to override this. For example, in the case that abuse of a care patient is suspected, the use of hidden cameras to identify the person responsible is justifiable, if it meets the regulations under the Health and Social Care Act. In any case, employees must be told that they could be subject to monitoring. Once you have demonstrated that your activity is fair, you need to show that it's legal. That means that you must not contravene other laws and regulations.


The activity must be necessary to achieve the fair and legal objective. That simply means that if you can achieve your objective in a less intrusive way, then you must do so. For instance, HR will need to know certain health information in order to uphold the rights of employees. However, that data shouldn't make its way into shared folders accessible by managers or be used for anything other than those essential purposes without the meaningful and active permission of the employee. Be careful around permission though, as it is rare for consent to be a valid basis for processing employee data due to the imbalance of power between the employer and the employee.

Data Protection Impact Assessments (DPIAs) allow you to identify and document the objective, benefits, challenges, risks, and lawful implications of your intended processing. A balance of interests test (which may be part of your DPIA) will assist in resolving inherent conflicts between the interests of employees, the public interest, and those of the employer. For many cloud-based tracking solutions, you'll need to check where the data is hosted: the UK, the EU, or a jurisdiction covered by UK adequacy regulations avoids the need for an international transfer mechanism, whereas hosting elsewhere requires an appropriate safeguard such as standard contractual clauses. Many of the tools will process data globally by default but will allow you to restrict the data to a specified region.

Several employers are facing challenges regarding employee monitoring, including warehouse operators using trackers to monitor employees. For example, in 2018 Amazon was granted patents for wristbands that would track its warehouse employees' movements and productivity to ensure orders were being fulfilled. It is unclear whether Amazon has implemented the technology, but it raises concerns around workers' privacy rights. Measures like these would be seen as excessive by employees and regulators, and in most instances are best avoided.


Device monitoring dos and don'ts

It's advised you tread carefully if you are thinking about implementing device monitoring in the workplace. Here are some tips on the dos and don'ts of device monitoring to ensure you stay on the right side of the law and comply with employees' privacy rights:

  • Use robust security settings on the devices themselves (strong passwords or passphrases and full-device encryption rather than a 6-digit PIN), since the monitoring data they hold is only as safe as the device.
  • Inform employees of device monitoring beforehand and maintain their trust. Use specific user-agreements to demonstrate this. Employees are more likely to be receptive to workplace monitoring if they've been consulted on the idea beforehand.
  • Do not allow location history to be viewed unless there is an overwhelming need such as when a device has been reported lost or there is a credible suspicion of unlawful behaviour or behaviour that poses a threat to the company.
  • Complete a DPIA prior to commissioning employee monitoring and revisit it throughout the project. This is essential for identifying any conflicts with legislation, risks, the views and interests of employees, and for demonstrating compliance with the legal requirement of “data protection by design and default”.
  • Use tests, pilots, and staff surveys prior to the introduction of device and employee monitoring schemes.

Case Study

€35 million Fine for Excessive Employee Monitoring


In 2020, the Hamburg DPA fined H&M €35m under the GDPR after it was found to have breached employee privacy. The fine was the largest of its kind since the GDPR came into force in the EU. It was reported that H&M team leaders had been monitoring staff by recording informal interviews after periods of sick leave and collecting data about their personal lives. The data was regularly updated and stored digitally, where it was accessible to up to 50 other managers within the company. The reason for storing this data was to create staff 'profiles' which sat alongside performance evaluations and guided H&M's employment decisions concerning those individuals.

This case demonstrated H&M's neglect of employee data protection and highlighted a clear violation of employee privacy. It also illustrates the wider issue with employee monitoring and why you need to be certain that it is necessary, lawful and fair, and that the employee knows about it. Companies who abuse employee monitoring could be in breach of data protection laws and risk facing substantial fines.


Conclusion

Employers must consider whether employee monitoring is a more effective way to manage their workforce than the basic means of trust. Employee monitoring is not just about the use of technology, and it shouldn't be underhanded. Any monitoring which is unduly intrusive is likely to be considered unlawful, and the penalties for inappropriate monitoring can be severe under data protection law. It can easily breach an individual's right to privacy, so if organisations are considering monitoring their workforce, they must have a written policy in place, ensure they are not in breach of data protection laws, and consult with employees on how and why employee monitoring will be implemented.

Get help with your data protection obligations

Bulletproof's experienced data protection officers give your business on-going support and maintenance of your data protection obligations. Find out more about our flexible, cost-effective packages.
