Workplace Monitoring: How Far Can You Go?

Workplace monitoring to detect or investigate misconduct is not a new concept. Many employers will at some point have engaged in a review of email and internet records for this purpose.

Is it still permitted under the new Data Protection Act 2018 (GDPR)?

In short, yes. However, you need to give due consideration to the following in order for it to be lawful:

1. What lawful basis are you relying upon for processing the data?
Pre-GDPR, many employers relied on consent as the lawful basis for monitoring, normally through generic contractual or policy statements. There are very limited situations where such consent will be appropriate following GDPR and reliance on the legitimate interests of the employer may be more appropriate.

Legitimate interests can only be relied upon where the processing is necessary for the purposes of the legitimate interests pursued by the employer and these do not override the interests or fundamental rights of the individual.

In terms of necessity, you should keep in mind the following:
• Geographical – Only monitor in specific places. Monitoring sensitive areas such as religious places, toilets and break rooms should be prohibited.
• Data-oriented – Personal electronic files and communications, even if on company systems, should not be monitored.
• Time-related – Sampling rather than continuous monitoring.

You may be of the mindset that staff should have no expectation to privacy at work or on equipment and systems owned by the employer and your internal policies may well state this. As an employer you do not have ‘free rein’ on monitoring your workforce. Systematic, excessive and unjustified monitoring will likely fall foul of data privacy rules and other legal protections. Proportionality is key in determining lawfulness.

2. Have you carried out a data protection impact assessment (DPIA) and does this support the use of monitoring?
Before monitoring is undertaken, you should consider this in detail including carrying out a DPIA. The purpose of a DPIA is to:
• Identify the purpose behind the monitoring and the benefits likely to be delivered/achieved.
• Identify any adverse impact of the arrangement on the individuals being monitored.
• Consider suitable alternatives to monitoring or testing.
• Consider the obligations arising from monitoring or testing.
• In light of the above, decide whether the monitoring or testing is justifiable.
• Identify the lawful basis for processing the data.

3. Have you provided notice to/informed your staff members that monitoring may be carried out?
You need to be transparent about the way they process data and should provide notice to staff that monitoring may be carried out i.e. through an email, policy, Privacy Notice etc. Your staff need to have a clear understanding of what the monitoring specifically entails.

Sometimes it is possible to undertake covert monitoring i.e. where there is suspected criminal activity or malpractice such as theft or fraud by your staff. You should ensure your policies explain that covert monitoring may take place and it is advisable that the decision to covertly record is taken by senior management. Although, you need to proceed with caution as an unfocused and excessive approach will not only breach GDPR obligations but could infringe the right to privacy.

For specialist advice on your ability to monitor your workforce or on any other employment law matter, please contact our Coventry based Employment Law Solicitors:

Email: Lianne@askewslegal.co / Jake@askewslegal.co