Data Protection and Employee Monitoring Practices - WHITE PAPER

Employee monitoring is both a necessary and important practice for employers. It can be conducted for various reasons, such as to monitor performance, prevent fraud or protect trade secrets. However, engaging in employee monitoring practices or introducing a new piece of monitoring technology triggers data protection responsibilities. Monitoring can pose significant risks to employee privacy where it is excessive or is not underpinned by a reasoned and proportionate business interest.  

Employees may be monitored as a result of active measures such as telephone and email monitoring or the use of CCTV in the workplace. Employers may also adopt software or devices that process data passively, such as by logging keystrokes or by using smartphones as an instrument to collect vehicle (and vehicle operator) data. Passive processing has been facilitated by increasingly sophisticated infrastructure, applications and devices. An array of technologies that observe, track and evaluate the actions and even behaviours of employees are now at the disposal of employers. These pose significant privacy risks as they are capable of collecting, processing and storing greater volumes of data than ever before.

Employers must ensure that their monitoring practices are compliant with national and EU data protection law. In particular, under the GDPR, all personal data processing must conform to the key principles of lawfulness, fairness and transparency; purpose specification; data minimisation; accuracy; storage limitation; and integrity and confidentiality, as well as complying with key data protection requirements.

Additionally, under the Human Rights Act 1998, employee monitoring will be assessed for its compatibility with the fundamental right to privacy under Article 8 of the ECHR. The ECtHR rulings on employee monitoring offer insights into how to balance employee privacy rights with business interests, and into the factors which influence whether monitoring is deemed to violate the right to privacy or not.

This white paper will provide an overview of common employee monitoring practices and their data protection and privacy risks. It will provide guidelines for meeting data protection principles under GDPR and for reducing the privacy impacts of monitoring. The balancing of interests will be discussed in the context of the case law of the ECtHR.

Chris Tutton