Employee Monitoring and Surveillance

Data protection legal advice

Monitoring staff without care risks legal penalties and reputational harm. Organisations must act transparently, lawfully, and proportionately, balancing business needs with employee privacy to avoid costly mistakes.

Managing productivity and safeguarding assets are legitimate business aims. In the UK, employers may monitor workers and place them under surveillance, but only where doing so is lawful and proportionate. With remote and hybrid work on the rise, the ICO's latest guidance makes compliance more critical than ever.

What’s allowed, and on what basis?

  • Lawful basis under UK GDPR: Most employers rely on legitimate interests (e.g., security, compliance, safety). You must assess whether the monitoring is necessary and ensure workers would reasonably expect it.
  • Respect privacy rights: Monitoring must respect the right to private life, especially where it reaches into the home or relies on intrusive tools.
  • Extra caution for high-risk tech: Biometrics (facial recognition, fingerprint scanning) and granular surveillance require stronger safeguards; biometric data used to identify individuals is special category data under UK GDPR.

Practical examples

  • CCTV / security footage: Permissible for safety and theft prevention; avoid private areas, use signage, and don't repurpose footage for performance reviews without clear justification.
  • IT activity logs, email / internet tracking, keystroke tools: Ensure necessity, explain the monitoring in policies, and avoid excessive or covert monitoring.
  • Attendance / location checks and productivity tools: Apply data minimisation and retention limits; consider less intrusive alternatives and engage staff early.

Your compliance checklist

  • Define purpose and necessity: Document why monitoring is needed and why lesser measures won't work.
  • Identify a lawful basis: Usually legitimate interests; record your balancing test, weighing the organisation's needs against the rights of workers.
  • Conduct a data protection impact assessment (DPIA) for high-risk monitoring: Mandatory for technologies like biometrics or keystroke logging.
  • Be transparent: Update contracts and policies; clearly tell workers what is monitored, why, how, and for how long.
  • Limit data and retention: Collect only what's necessary; set deletion schedules.
  • Secure the data: Apply access controls and put vendor agreements in place.
  • Covert monitoring: Only in exceptional cases, such as suspected criminal activity, and only for a limited time.
  • Engage and consult: Involve staff early; transparency builds trust.

Risks of Getting It Wrong

Excessive or unclear monitoring can trigger ICO investigations, enforcement notices, and reputational harm. It may also lead to employment claims (e.g., unfair dismissal, discrimination) and damage morale.

How can we support you?

We design lawful, proportionate monitoring frameworks that balance business needs with worker privacy:

  • Policy drafting and lawful-basis assessments.
  • DPIAs for high-risk technologies (such as biometrics, keystroke analytics).
  • Vendor and data processing agreements.
  • Training for HR, IT, and managers.
  • Governance reviews and remediation plans.

Meet Our Specialists

Discover the experienced professionals driving our service, offering clear, commercially astute guidance with a supportive, solution-oriented mindset.

  • Piers Leigh-Pollitt
  • Mike Hibberd
  • Melanie Pimenta
  • Hannah Vernon

Our team

  • Katy Murray, Solicitor (Reading)
  • Helen Brooks, Partner (London)
  • Elisabeth Kynaston, Legal Director (London)