Big Brother is (probably) watching: top tips and pitfalls for staff monitoring

The concept of employee monitoring is nothing new; Ford Motor Company's attempts at worker monitoring are a high-profile historical example.  But what is new is the extent to which electronic methods of monitoring and surveillance are being used in the workplace, and this raises new complications and matters for employers to consider and take into account.

What is employee monitoring?

At its most basic level, employee monitoring encompasses any activity involving the surveillance, supervision or observation of staff members.  In practice, it comes in many forms; whilst monitoring email content / traffic, internet use and CCTV surveillance are now fairly standard, other forms such as keystroke monitoring and location tracking are becoming increasingly popular. Monitoring may be carried out in various ways, including:

  • spot checks (such as monitoring access to certain internet sites or the number of emails sent, for example) which are targeted at the activity being monitored rather than the individual doing it;

  • specific checks or monitoring focused on the activity of specified individuals; or

  • monitoring content, such as the content of emails, which may be carried out on a random basis, targeted at specific individuals or (as is increasingly common) applied using key words and phrases.

Why do employers want to monitor staff?

Employee monitoring requires an investment of time, effort and cost on the employer's part, and comes with significant risk to a business.  Studies and commentary suggest that it also has a significant impact on the relationship between employer and worker.  So why do it?

Monitoring is usually driven by the culture and key concerns of the employer business. 

  • Monitoring is often driven by employers' concerns as to the risks or potential damage that employees could cause, such as data loss, disclosure of confidential information, damage to the employer's brand or reputation and loss of business.

  • Employers may have more Orwellian designs in seeking to harness new technology to drive employee performance and efficiency.

  • Monitoring is also often carried out in the context of safety, security and the protection of assets.  This could include guarding against damage to or compromise of the employer's systems (such as hacking or viruses), its premises or the health and safety of staff and customers.

Monitoring is often relevant in the context of disciplinary, grievance, performance review and other employee management processes, and both retrospective and proactive monitoring may be involved.

Right to privacy and the rise of electronic surveillance: master and servant?

There has been a general shift amongst employers, particularly with the rise of technology, towards carrying out more, and using more intrusive methods of, staff monitoring.  Based on current trends, experts are predicting more and more aspects of working life will be monitored and measured, and that this will dictate access to jobs and continued engagement.

Perhaps understandably, studies show that employees remain deeply suspicious of the introduction of new forms of monitoring.  And, whilst employee monitoring used to be relatively simple, the growth in both the use of technology in the workplace and electronic means of monitoring has complicated matters.

This increase in monitoring activity has clear implications for the underlying employment relationship and employers must carefully consider the implications of employment and data protection legislation, and the surrounding regulatory framework, when looking to monitor staff.

As a starting point, whilst there is no statutory right to privacy in the workplace under UK employment law, employers are by no means free to monitor as they please. The mutual duty of trust and confidence which is implied into every employment contract is a key constraint. Excessively intrusive monitoring activities could constitute a breach of this duty and thus form the basis of a grievance or constructive dismissal claim.

Private sector employers should be mindful of individuals’ right to privacy under Article 8 of the European Convention on Human Rights (ECHR), as the UK courts must interpret all legislation in line with this right (so far as is possible).  In the employment context, this means that when considering whether an individual was unfairly dismissed, an employment tribunal must consider the right to privacy where relevant (which it almost certainly will be where monitoring data is used to inform the employer’s decision making).

Workplace monitoring involves processing personal data and is therefore governed by the General Data Protection Regulation 2016 (GDPR) and domestic legislation.  For the UK, that means the Data Protection Act 2018 (DPA 2018), as well as a host of other legislation including the Computer Misuse Act 1990, the Investigatory Powers Act 2016 (IPA 2016) and the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018 (IPR 2018), which impose criminal and civil sanctions for non-compliance.

So what should employers do or not do when considering monitoring staff?

1.  Identify the underlying concern and purpose of the monitoring – how will the monitoring you propose tackle this?

When considering whether or how to monitor staff, the starting point should be the underlying concern and purpose – what are you trying to achieve?  Are you looking to increase efficiency, or are there specific security concerns?  Is this a one-off concern (such as stock going missing at a particular location) or is it more general?  Doing their homework at the early stage should help employers comply with the legislative requirements.  At a more practical level, it should also force employers to think about their real concerns, and how they can best protect themselves.

Once an employer has identified the reason or purpose for any monitoring, the next step should be to consider how the chosen monitoring addresses the concern or reason identified, and whether there are any alternative ways of achieving this other than monitoring.  From a legal standpoint, if there is a less intrusive way to achieve a particular objective than monitoring employees, both the employment tribunals and the Information Commissioner’s Office (ICO, the regulator with responsibility for enforcing data protection laws) would expect the employer to take it, and doing so should lower the risk to the business.

2.  Take steps to ensure any underlying GDPR compliance is in place

To carry out GDPR-compliant monitoring of staff, employers must identify a legal basis for carrying out the monitoring and processing any personal data gathered through it, and any exemptions for sensitive data (such as images or health data).  As consent is not a viable basis in the employment context (especially for sensitive activities like monitoring), in most cases employers will have to rely on the catch-all "legitimate interests" ground for processing (meaning a legitimate interests assessment (LIA) must be undertaken and objections to processing can be raised). Further, staff monitoring is generally considered to be "high risk" processing, meaning a privacy impact assessment (PIA) must also be undertaken.

It is important for employers to carry out these steps and ensure they are appropriately documented.  Aside from the accountability and other compliance requirements, the documentation will assist the employer in defending later claims or complaints or responding to an ICO investigation.

3.  Informing staff: implement appropriate policies and publicise

This step is critical.  Employers must inform staff clearly what monitoring will be carried out, the purposes for which it will be carried out and how that information will be used.  And it is not sufficient to rely on the small print; employers must also draw the policies to the attention of staff. Appropriate training for staff carrying out monitoring and using the resulting data is also key.

Failure to inform staff properly will hamper the steps an employer can take to monitor safely and/or leave it exposed to additional risk and claims.  Put simply, if you don’t tell staff what monitoring you are carrying out and what you will use it for, you can expect push back and grievances from the employee (and any trade union involved) at the initial stage, and risk regulatory action. Where the data gathered through such monitoring leads to adverse actions against employees (e.g. it is used to support a decision to dismiss), the failure to properly inform could damage both your defence of any steps taken and your negotiating position should you wish to consider settlement.

4.  Access and retention

If you decide to undertake employee monitoring, you must ensure that you limit access to monitoring data – only those who really need access should be able to access it.  This means thinking about how to control access, including any permission / sign off processes etc. to facilitate access where needed (for example, in the event of an employee grievance or disciplinary process).

Connected to this are the thorny problems of retention and security.  Under the GDPR data should only be kept to the extent it is relevant to the purpose for which it is processed and whilst it remains accurate; indefinite retention is not permissible.  The period of retention will to a certain extent depend on the nature of the information collected and its usefulness. The employer must also implement appropriate technical and operational measures to ensure the safety and integrity of the data at all times and, once no longer needed, data must be disposed of safely and securely.

5.  Employee communications are key: tales from the Telegraph

As noted, employees remain deeply suspicious of the introduction of new forms of monitoring and the impact of employee monitoring has been a hot topic of late.  Employee communications around proposed monitoring will be vitally important; get those wrong and the employer will cause itself a world of pain.

As a cautionary tale, journalists based at the Daily Telegraph's London offices arrived at work to find that heat and motion sensors had been installed, without appropriate advance communications.  Staff were later informed that the sensors were intended to assess desk usage in a drive to improve energy efficiency, but this wasn't sufficient to stem the tidal wave of complaints or avoid criticism by the NUJ and (even though the boxes were withdrawn within hours) has arguably had a lasting impact on employee relations.

6.  Private means private, personal means personal

Not everything on a workplace email system is fair game for monitoring; whilst employees should be warned that they cannot expect emails sent and received on work email systems to be private, if staff communications or documents are marked "private" or "personal", employers should not read them unless they have very good reasons for doing so.

Furthermore, employers should treat personal devices as out of bounds, unless such devices hold workplace systems and/or work-related communications and the employer has a clear policy in place setting out what monitoring it can carry out. The same applies where an employee uses a personal email account or uses their personal devices for work-related matters (confirmed in Copland v United Kingdom). There will always be sensitivities around such matters, and if WhatsApp or other encrypted systems are used, this will add to the complexities involved.

Getting this wrong can be problematic, as the employer in the Bărbulescu case found out to their cost. Consideration must always be given to the employee's right to privacy under the ECHR and a careful balance must be struck between this and the employer’s legitimate interests.  Additionally, accessing electronic communications without grounds to do so could amount to an offence under the Computer Misuse Act 1990, the IPA 2016 and/or the IPR 2018, which potentially carry criminal sanctions for the individual and the business.

7.  Location, location, location

Location tracking is seen by the ICO and UK courts as a particularly invasive form of employee monitoring, which raises the risk factor in implementing it.  Despite this, location tracking is an increasingly popular form of employee monitoring, particularly with field workers and in the transport, retail and hospitality sectors.

There is rarely any legal obligation, public interest or contractual requirement basis for processing location tracking data, and employee consent will almost certainly not be valid, meaning employers have to work harder to justify such tracking.  Employers may be under the impression that they can avoid employment and data protection implications by arguing that they are tracking assets (such as transport vehicles or stock) rather than tracking individuals.  The proposition is potentially flawed – if that is the case, the tracking should be fully anonymous.

Even if the employer can get over the legal basis and justification hurdles, if it wants to use such data for the management and discipline of wayward employees it must spell this out clearly for employees, otherwise it will breach key provisions of the GDPR and employment legislation and could set the employer up for additional claims and risks.

8.  Covert investigations and mission creep: don't go rogue

There will inevitably be scenarios where an employer is tempted to use the monitoring facilities available to it for wider purposes, but the risks of doing so are significant and employers should beware of 'mission creep'.  Monitoring data should only be used for the purpose for which it is ostensibly collected, and changing the purpose for which it is used will raise further questions as to whether the monitoring was justified and whether employees affected were appropriately informed. It is hard enough to justify employee monitoring; attempting to use that data for another purpose creates a new layer of risk.

Covert investigations are particularly risky and covert monitoring should only be undertaken in exceptional circumstances. In short, it should be authorised by senior management, and limited to circumstances where there are legitimate grounds for suspecting criminal activity / malpractice and where notifying the individuals would prejudice its detection or prevention.  The ICO, the civil courts and employment tribunals tend to take a dim view of covert investigations or monitoring unless there are clear and sufficiently serious reasons for doing so, so employers are advised to consider this very carefully.

9.  Upping the stakes:  the role of artificial intelligence and HR analytics

The use of artificial intelligence (AI) in assessing and monitoring staff behaviour is a quieter but growing development.  Whilst, for example, the monitoring of email activity and access to files is not new, the use of AI and algorithms to interpret that information (or other staff information collected) and draw conclusions is a step too far for many.

This raises queries around the use of HR analytics, which carry both compliance and employee relations risks.  Any automatic decision making involving employment decisions will be subject to scrutiny, and staff must be informed (raising the employee relations risk). Those in favour of such activities argue that they can improve risk management, internal communications and efficiencies, and suggest that this can save employers time and money; those against, or who see this as tantamount to stalking, point to the potentially negative implications for employee relations, the lack of clarity as to how analysis outcomes are reached and the inconsistency in results.  Whilst this is a growing area, UK employers are advised to proceed with caution.

What if you get it wrong?

Where employees believe there has been a breach, or data has been improperly processed, they can complain to the UK's data protection authority, the Information Commissioner's Office (ICO). The ICO has the power to investigate and to impose significant sanctions, including banning processing activities, suspending data transfers and imposing fines of up to 4% of global annual turnover or €20 million (whichever is greater), so this is something to consider as it could have wider implications for the employer's business. It may also open the business to wider ICO scrutiny.

The more immediate data protection concern is that under the GDPR individuals have the right to request all of the personal data an organisation holds about them (subject to narrowly construed exemptions, including correspondence which is legally privileged). This would include any monitoring information, and personal information or opinions about that employee contained within emails and instant messages.

On the employment side, aside from the employee relations and reputational issues it can cause, employees can raise grievances or complaints where they believe monitoring has been carried out or the data produced has been used improperly.  In practice, this adds to the complication of dealing with sensitive matters (e.g. allegations of sexual harassment) and can give rise to further risks. As an example, employees may have potential claims around damage to their reputation where an investigation is found to be pre-determined, and if an employee raises a potential data breach as a grievance, this may give them grounds to bring whistleblowing claims.

If the outcome is dismissal, where an employee can point to flaws in the employer's processes, this can affect the fairness of the decision to dismiss.  UK employees with 2 or more years' service have unfair dismissal rights, meaning that in order to dismiss fairly the employer needs to show both that it had a fair reason to dismiss and that it followed a fair process.  There may be other risks as well; where an employee can establish that employee monitoring has caused or exacerbated ill health (stress would be the obvious risk here), this could open up personal injury and/or disability aspects to any claim.

As an overall comment, it is now more important than ever for employers to ensure any staff monitoring is carried out in an appropriate and compliant way, as the implications for not doing so can be significant for the employer and its wider operations.