Understanding best practice when monitoring employees

The aim of this short article is to highlight some of the key areas to be considered before monitoring employees' use of email, internet and telephone systems, with a view to providing some good practice recommendations.

Many employers will recognise that monitoring employees' use of email and internet can be useful in terms of dealing with performance issues or investigating disciplinary matters. However, the reality is that employers can only monitor employees in certain circumstances and with clear policies and methods in place.

The legal issues involved with monitoring employees are complex because there is no one data privacy law in the UK which governs or consolidates the legal framework within which an employer can monitor its staff. Instead, the rules and regulations relating to monitoring of employees need to be considered in light of various regulatory frameworks.

This article aims to focus on monitoring within the framework of the General Data Protection Regulations (“GDPR”) and Data Protection Act 2018; but care should also be taken in relation to other regulations, such as under the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-Keeping Purposes) Regulations 2018, as different obligations will need to be considered.

Employers considering the use and implementation of monitoring technologies are recommended to follow good practice measures in line with GDPR:

  1. Carry out a data privacy impact assessment (“DPIA”) to assess the necessity and proportionality of the monitoring activities. On the basis that employee monitoring is likely to amount to “high risk” processing, the GDPR requires a DPIA to be carried out where an employer introduces any new programs, systems, or processes or makes changes to existing ones; or where the processing results in an automated decision or involves large scale processing of either special categories of data or publicly accessible areas;
  2. Ensure that monitoring complies with all data protection principles and particularly fair, lawful and transparent processing. This would mean ensuring that you have a legal basis upon which to process such information and providing your employees with detailed information about the monitoring activities through privacy notices and appropriate policies. The provision of information to employees regarding the monitoring activities will be key to supporting the use of monitoring within the workplace;
  3. Ensure proportionality of any processing being undertaken. If you have carried out a DPIA then this issue should already have been considered and dealt with, but you should still ensure that any monitoring is proportionate. By proportionality we mean balancing the need to carry out the monitoring against the impact that this could have on the employee’s private life, and whether the means of monitoring are proportionate;
  4. Make sure that only a limited number of staff will have access to the information obtained through monitoring;
  5. With regard to email monitoring, encourage staff to mark emails as “personal” and avoid monitoring those emails marked as personal. Also ensure that monitoring is limited to the address or heading of emails unless it is necessary for a legitimate reason to examine the content; and
  6. Make certain that you have appropriate policies and procedures in place to support monitoring such as an IT and Communications Policy and Social Media Policy.

Contributing Advisors

Myles Culmer, Director, BDO Advisory Services