Workplace surveillance: can your employer spy on you at work?

With CCTV cameras everywhere you go these days, how likely is it that your employer or client is keeping an eye on you?

Basically, quite likely. Employers can monitor staff through a variety of methods – but it must do so in a way that’s consistent with several legal requirements.

Many employers will also choose to monitor phone and IT systems usage by their staff, and in some sectors employers will also use vehicle tracking and CCTV and other methods to monitor their products/goods/premises.

As technology moves on some companies even go as far as implanting their staff with microchips, providing wristband trackers, PC webcam access and screen capturing.

With many office staff working from home during and after the Coronavirus pandemic, we also look at the issue of employers monitoring staff at home. In late 2021, the trade union Prospect, carried out a poll that said 32% of remote workers are now being monitored, an increase from 24% in April 2021; with use of camera monitoring in people’s homes increasing from 5% in April 2021, to 13% in November 2021.

Why might employers want to monitor staff?

Employers may choose to monitor their staff for any of the following reasons:

• To safeguard their employees or members of the public (for e.g. health and safety reasons, prevent violence and theft of belongings)
• To protect business interests (prevent crime, theft or misconduct, or misappropriation of intellectual property and business secrets, by employees or members of the public) and ensure that Company policies are not broken
• To ensure quality of customer services (which can also highlight training needs for their employees) and assess and improve productivity
• To comply with legal and regulatory obligations
• To ensure communications such as e-mails, internet usage and phone calls are only relevant to the business.

Most large employers will have a Social Media Policy which may include monitoring of employees usage of networking websites (on the company’s own social media page or the employees personal one). Many employers will also have an IT and Communications Policy setting out how employees can use their systems (which may include usage of Company owned mobiles and tablets and Bring-Your-Own-device policies), and now increasingly a ‘Use of AI’ policy.

What does UK law say about surveillance?

The laws that cover the area of monitoring include:

• The Regulation of Investigatory Powers Act 2000 (RIPA) and 2016
• The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP)
• The General Data Protection Regulations 2018 and The Data Protection Act 2018 and other amendments– Employers must act in accordance with the GDPR and the DPA and its six key principles.

The implied legal obligation of trust and confidence that exists between an employer and employee is also relevant – Employers shouldn’t act without reasonable and proper cause, in a way which is likely to destroy or damage the relationship of mutual trust and confidence between themselves and their employees.

However, The Human Rights Act 1998 also plays an important role here as it gives individuals a right to privacy and the UK’s laws try to recognise that employees may feel that monitoring by their employer at work is intrusive.

Therefore, employers need to find a balance between an employee’s legitimate expectation to privacy and the Employers interests when they monitor their staff, in any way; there also must be a legitimate purpose for the monitoring.

Because of the need for this balance, the current UK laws distinguish between:

• Targeted monitoring (of one individual) and systematic monitoring (where all employees or groups of employees are regularly monitored in the same way)
• Open and covert monitoring
• The monitoring of already-accessed communications and the monitoring or intercepting of un-accessed electronic communications (e.g. telephone calls, faxes, emails and internet access). An ‘interception’ happens when the contents of the communication are made available to someone other than the sender or intended recipient. The sender and recipient of the communication must consent to the interception for this to be lawful. ‘Interceptions’ are highly regulated under the RIPA and LBP laws (above).

All these monitoring types can be lawful.

Therefore when employers set up monitoring systems they must (to ensure the monitoring is legal):

• Carry out an ‘impact assessment’ to justify the use of CCTV/monitoring – which identifies the purpose behind the monitoring and likely benefits and adverse impacts; look at alternative ways in which the purpose might be achieved; look at the obligations that will arise from monitoring e.g. notifying employees, managing data, subject access requests (SAR) by staff; whether the decision is justifiable (compared to the adverse effects the employees may experience)
• Tell staff the nature, extent and reason for the monitoring that may take place. Staff don’t lose their right to personal privacy when they walk through their Employer’s doors and this must be balanced with the Employers right to ensure their employees aren’t engaging in misconduct
• Ensure the monitoring is related to the business and the equipment being monitored is partly or wholly provided for work
• Be clear what levels of privacy an employee can or cannot expect when using their employer’s systems to make personal communications, and when using restrooms or break areas that are monitored
• Provide an unrecorded telephone line for employees to use in emergencies if all other telephones are routinely recorded/monitored
• Be clear what levels of email/internet/phone usage by the employee for personal reasons is permitted and what is not
• Provide written policy statements about the monitoring
• Explain how the employer will use the information obtained via monitoring. An employee may be aware that CCTV cameras exist, for example, but this won’t justify an Employer using CCTV footage in a disciplinary process if the employee was never told the footage could be used for that purpose. For example – an employee is entitled to assume the CCTV will be used for security purposes only, unless they’re told otherwise
• Ensure that those involved in doing he monitoring are aware of their confidentiality obligations
• Explain how the information will be stored and processed in accordance with the GDPR and the Data Protection Act, and who has access to this information
• Allow employees to voice any concerns they have, in confidence, and ensure they are given the chance to explain or challenge any footage used as part of a disciplinary process.

If Employers wish to monitor employees when they are working at home, the Information Commissioner’s Office advises that Employers must tell employees if they are being monitored.  They must also tell staff why they are being monitored, and the extent of that monitoring.

Employers can now choose from a plethora of surveillance systems that monitor their employees’ work, through taking screenshots, to tracking log-in times and keystrokes. While it will be legitimate for Employers to monitor and test their network for cyber security reasons, if Employers do not tell their staff that they are using productivity tracking systems, they are basically breaking the law.

Targeted monitoring

Generally, monitoring should only be carried out by an employer in an open and systematic way, unless targeted and/or covert monitoring is justified.

Targeted/covert monitoring will usually only be justified in exceptional circumstances, where there are grounds to suspect criminal activity or serious malpractice by the employee in question and the monitoring is necessary to prevent or detect this crime or malpractice, where no other method is feasible.

Such monitoring should be only carried out within a set timeframe and as part of a specific investigation and that the risk of intrusion on ‘innocent’ workers is considered, e.g. the surveillance must be narrowly targeted and impact on as few people as possible. Such monitoring should also be mentioned as a possibility in the employers’ data protection or privacy policy. This monitoring would usually then lead to a disciplinary hearing where the employer believes the employee has breached company policies.

If this targeted monitoring provides information inadvertently of other malpractice by other workers, this evidence should not be used against those workers unless it is a case of serious gross misconduct. Where the misconduct is minor in nature, use of the ‘secret’ footage to discipline workers will generally not be allowed.

Personal data collected through monitoring must be for legitimate purposes and cannot be used for any other purpose than originally intended.

Surveillance of staff outside of the workplace may also be acceptable if the employer can demonstrate it was ‘justifiable’ (they have credible reasons to suggest an employee is involved in wrongdoing or breaching company policies) and ‘proportionate’ (the employer did not go any further than was necessary in its use of surveillance).

Basically, any monitoring that’s done by the employer must be proportionate to the issue the employer seeks to address.

With the GDPR becoming law on 25th May 2018, the Information Commissioner’s Office have confirmed that covert monitoring of employees can only be justified in exceptional circumstances when informing the employee involved would prejudice the prevention or detection of a crime.

Case studies

In a 2014 case, Atkinson v Community Gateway Association, the Employment Appeal Tribunal held that the Employer accessing an employee’s emails, in the course of a disciplinary investigation into the employee’s conduct, didn’t amount to an unjustified interference with the employees’ private life – the employee didn’t have a reasonable expectation of privacy in circumstances where he had sent emails from his work account in breach of the e-mail policy (which he himself had drafted and was responsible for enforcing!) and the emails were not marked ‘personal/private’.

The fact that Mr Atkinson had used the email system in breach of the Association’s email policy was discovered as a result of its legitimate investigation into his conduct. Employers should bear in made that staff may have a reasonable expectation of privacy at work if the Employer doesn’t have an ‘Email and Internet Use Policy (or similar) which is made known to all staff.

In early 2018, two important decisions have been given by the European Court of Human Rights (ECHR):

In Antovic and Mirkovic v Montenegro, the ECHR ruled that it was a breach of two professor’s privacy rights under Human Rights regulations, to install surveillance cameras in student auditoriums (for the said purpose of protecting property and people and also monitor teaching). The ECHR said that ‘private life’ may include professional activities taking place in a public context (the auditorium), and the employer lacked sufficient justification for the monitoring as there was no evidence that property or people were at risk

In the Spanish case of Lopez Ribalda and Others v Spain, the ECHR found that the use of hidden video cameras in a supermarket to monitor suspected thefts by employees, violated their privacy rights under Article 8 of the European Convention of Human Rights.

In 2009, after seeing irregularities between levels of stocks and sales that amounted to 20,000€ over several months, the supermarket installed both visible CCTV cameras throughout the store and also concealed cameras behind their cashiers desks. Five employees were subsequently dismissed, after the surveillance cameras detected them stealing (or them helping other employees or customers to steal). The employees said their data protection rights and rights to privacy had been breached by the use of covert recordings.

The Spanish courts disagreed and said the dismissals were fair as the covert surveillance was justified. The ECHR disagreed and said the Spanish Courts had failed to strike a fair balance between the employees’ right to privacy and the employer’s right to safeguard its business – they hadn’t told staff about the installation of the covert CCTV cameras, and all staff were monitored without time limit.

The ECHR felt that the covert surveillance was an intrusion into their private life, as the cashiers couldn’t avoid being filmed as they were required to report to work. The ECHR said that to comply with the data protection legislation the employees must ‘explicitly, precisely and unambiguously’ be informed of the monitoring and the purpose of the monitoring.

However, the Spanish Government appealed against this decision and in November 2019, the ‘Grand Chamber’ of the ECHR heard the case; and said that the Employer’s use of the covert surveillance was justified in this case because:

• The scale of the theft and number of employees involved was considerable
• The monitoring only took place for a short period of time and the covert cameras were in a public area of the supermarket, where there wouldn’t be an expectation of privacy
• Only a few people could view the footage and the footage was only used to monitor the theft
• There were no less intrusive ways of catching who the thieves were.

In October 2020, the Swedish fashion retailer, H&M, received a fine of €35.3million from Germany’s data protection watchdog for the unlawful monitoring of employees in their service centre in Nuremberg, Germany (under GDPR laws).  This is believed to be the second largest fine that a single company has received under EU GDPR laws.

Since 2014 H&M supervisors at the service centre had been keeping extensive records of the personal circumstances of their employees – personal stories about holidays, information on absences and diseases and symptoms, family problems and religious details.  Some of this information was recorded digitally and could be accessed by up to 50 managers.  The data was highly detailed and was used to assess individual performance and create profiles of employees.

In 2019, there was a data breach at the company which meant that the records were accessible for 2 hours, across the whole company.  On investigating the data breach, the excessive information gathering was discovered.

The German data watchdog, in Hamburg, concluded the monitoring was not proportionate and did not comply with the GDPR obligations that the company had.  H&M has accepted that it will also need to pay a considerable amount of damages to its employees and has issued an “unreserved apology” to the affected staff.

If you need help you can contact the Information Commissioner’s Office, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. They have an Employment Practices Code (Section 3 covers Monitoring at Work). With the introduction of the GDPR in 25th May 2018, guidance issued by European data protection advisory body, the Article 29 Working Party (WP29), suggests that:

• the use of technologies for keystroke logging, tracking mouse movements, enabling webcam access or screen capturing are likely to be disproportionate and unlawful in most circumstances
• the use of vehicle telematics to collect data about an employee’s location and driving behaviour for performance management purposes is likely to be disproportionate and unlawful (except to demonstrate compliance with legal obligations regarding driving time, speed and distance such as tachographs).