Nighat Sahi

Published 6 August 2025
Data Protection and Staff Monitoring:

What’s Allowed and What’s Not

In a post-Covid world, where some or all of your employees may be working at least part-time from home, you may feel fully justified in keeping an eye on their emails, the websites they visit whilst working and the calls they make. Or you may feel that checking their movements on CCTV is an important part of maintaining order in the workplace.

Of course, monitoring may be valuable for a number of reasons, such as safeguarding or minimising the risk of misconduct. However, employee monitoring falls within the remit of data protection and other laws, and there are therefore strict rules with which you must comply. If you don’t, you may find yourself facing employee grievances or, worse, claims against you and your business, or even regulatory fines.

What is classified as employee monitoring?

Employee monitoring covers activities such as:

  • Watching them on CCTV
  • Employee drug testing
  • Fleet vehicle tracking
  • Employee bag searches
  • Checking emails, phone records and the websites employees have visited

What does the law say?

This is a complex area as a number of different statutes and regulations may apply. First and foremost, the Human Rights Act 1998 protects an individual’s right to respect for their private and family life. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (as amended) apply to the handling of personal data. Data protection law covers not only records and images but also the personal data derived from samples of hair or bodily fluids taken for testing.

There are also employment law considerations such as whether monitoring constitutes a breach of the implied term of trust and confidence between employer and employee and whether the monitoring amounts to discrimination or is unfair.

The law doesn’t necessarily prohibit employee monitoring, but it must be done in accordance with strict rules.

So what can I do?

Email, CCTV and other monitoring

It is important to be open and upfront about any employee monitoring, and you should explain to your employees that you will be monitoring them and the extent to which you will monitor them. You should also only be monitoring if you have a specific and legitimate business reason for doing so and you should only use the data for the purpose for which it was obtained. Ensure any monitoring you do is proportionate in respect of the reason for doing so, and not unduly intrusive.

The extent of any monitoring should also be clearly set out in the staff handbook or contract.   

Caution is needed in some circumstances, for example, if you are using CCTV for security and you inadvertently capture something else. Personal data captured in this way may only be used for a different purpose (such as in disciplinary proceedings) if that new purpose is compatible with the one your employees were told about; otherwise the further use is likely to be unlawful under data protection law.

Home monitoring

Whilst it’s not necessarily unlawful to use online surveillance techniques, such as time-tracking software or logging keystrokes, you must still comply with data protection and privacy laws. It’s about balance: you should consider whether less intrusive ways of monitoring performance would achieve the same aim. Keystroke logging in particular is highly intrusive, because it captures personal messages and even passwords alongside work activity, and it is difficult to justify.

Covert monitoring

Covert monitoring will need good justification and should only be used in exceptional circumstances, such as where there are grounds to suspect serious wrongdoing and telling staff in advance would defeat the purpose. You must not monitor workers everywhere; areas where they reasonably expect privacy, such as toilets, are off limits.

Collecting data

If you are collecting data you must inform your employees as to how that data will be used. Employees have the right to access their data on request (unless a legal exemption applies).

If you capture ‘special category data’, such as health information or biometric data used to identify an individual, there are additional compliance requirements. You will have to carry out a Data Protection Impact Assessment (DPIA) if you will be carrying out any high-risk monitoring such as covert surveillance or biometric data collection.

Vehicle tracking

Data collected from a vehicle-tracking device, such as the vehicle’s location, speed and movement, falls within the remit of data protection because it can be linked to an identifiable driver.

As with CCTV footage, the data collected using GPS tracking should only be used for the business purpose for which it was originally collected. You should also make sure the employee is aware of the tracking device and has consented to its use, bearing in mind that consent is rarely a reliable lawful basis on its own in the employment context because of the imbalance of power between employer and employee, so transparency and a documented business justification matter just as much. If an employee is allowed to use the vehicle out of working hours, you should not track this use.

Drug testing and employee searches

Data protection law covers drug testing and you must have employee consent for drug testing. Testing will normally only be appropriate where you have a health and safety requirement for a job role which in turn should be clearly set out in the employment contract or staff handbook.

You should also:

  • Limit testing to employees that need to be tested
  • Ensure the tests are random
  • Not single out particular employees for testing unless this is justified by the nature of their jobs

Employee searches

Similarly, you should have a clear policy on searching. Searches should:

  • Respect privacy
  • Be carried out by a member of the same sex
  • Be carried out with a witness present

If a search or drug test is mishandled, an employee may have a claim for discrimination, assault or false imprisonment.

Non-compliance

Failing to comply with the appropriate legislation and regulations can result in high fines and enforcement action such as compliance orders and audits. Equally important, mishandling of employee monitoring can seriously undermine employee morale and the employment relationship, even resulting in claims of constructive dismissal and discrimination.

Next steps

As always, careful consideration is required in advance of any staff monitoring. This should include:

  • Having a clear policy that sets out in detail the nature and extent of any monitoring methods, as well as how any personal data collected in these ways will be used.
  • Making sure employees are aware of, and consent to, any monitoring. Details should be contained in their contract of employment, or consent could be obtained by way of express written consent, signed and dated.
  • Carrying out data protection impact assessments in advance of any monitoring and reviewing them regularly, including by audit.
  • Ensuring robust data protection systems and procedures, from collection and storage through to review and deletion.

If you would like to discuss the above, please call 020 3988 0170 or contact us via our website.

The legal content provided by RSW Law Limited is for information purposes only and should not be relied on in any specific case without legal or other professional advice.

Copyright is owned by RSW Law Limited and all rights in such copyright are reserved.