Black Friday | 25% off online accounting for 6 months!
With CCTV cameras everywhere you go these days, how likely is it that your employer or client is keeping an eye on you? Basically, quite likely. Employers can monitor staff through a variety of methods – but it must do so in a way that’s consistent with several legal requirements.
Many employers will also choose to monitor phone and IT systems usage by their staff, and in some sectors employers will also use vehicle tracking and CCTV and other methods to monitor their products/goods/premises.
As technology moves on some companies even go as far as implanting their staff with microchips, providing wristband trackers, PC webcam access and screen capturing.
With many office staff working from home during the coronavirus pandemic in 2020, we also look at the issue of employers monitoring staff at home.
Employers may choose to monitor their staff for any of the following reasons:
Most large employers will have a Social Media Policy which may include monitoring of employees usage of networking websites (on the company’s own social media page or the employees personal one). Many employers will also have an IT and Communications Policy setting out how employees can use their systems (which may include usage of Company owned mobiles and tablets and Bring-Your-Own-device policies).
The laws that cover the area of monitoring include:
The implied legal obligation of trust and confidence that exists between an employer and employee is also relevant – Employers shouldn’t act without reasonable and proper cause, in a way which is likely to destroy or damage the relationship of mutual trust and confidence between themselves and their employees.
However, The Human Rights Act 1998 also plays an important role here as it gives individuals a right to privacy and the UK’s laws try to recognise that employees may feel that monitoring by their employer at work is intrusive.
Therefore, employers need to find a balance between an employee’s legitimate expectation to privacy and the Employers interests when they monitor their staff, in any way; there also must be a legitimate purpose for the monitoring.
Because of the need for this balance, the current UK laws distinguish between:
Therefore when employers set up monitoring systems they must (to ensure the monitoring is legal):
If employers wish to monitor employees when they are working at home, the Information Commissioner’s Office advises that employers must tell employees if they are being monitored. They must also tell staff why they are being monitored, and the extent of that monitoring.
Employers can now choose from a plethora of surveillance systems that monitor their employees’ work, through taking screenshots, to tracking log-in times and keystrokes. While it will be legitimate for employers to monitor and test their network for cyber security reasons, if employers do not tell their staff that they are using productivity tracking systems, they are basically breaking the law.
Generally, monitoring should only be carried out by an employer in an open and systematic way, unless targeted and/or covert monitoring is justified.
Targeted/covert monitoring will usually only be justified in exceptional circumstances, where there are grounds to suspect criminal activity or serious malpractice by the employee in question and the monitoring is necessary to prevent or detect this crime or malpractice, where no other method is feasible.
If this targeted monitoring provides information inadvertently of other malpractice by other workers, this evidence should not be used against those workers unless it is a case of serious gross misconduct. Where the misconduct is minor in nature, use of the ‘secret’ footage to discipline workers will generally not be allowed.
Personal data collected through monitoring must be for legitimate purposes and cannot be used for any other purpose than originally intended.
Surveillance of staff outside of the workplace may also be acceptable if the employer can demonstrate it was ‘justifiable’ (they have credible reasons to suggest an employee is involved in wrongdoing or breaching company policies) and ‘proportionate’ (the employer did not go any further than was necessary in its use of surveillance).
Basically, any monitoring that’s done by the employer must be proportionate to the issue the employer seeks to address.
With the GDPR becoming law on 25th May 2018, the Information Commissioner’s Office have confirmed that covert monitoring of employees can only be justified in exceptional circumstances when informing the employee involved would prejudice the prevention or detection of a crime.
In a 2014 case, Atkinson v Community Gateway Association, the Employment Appeal Tribunal held that the Employer accessing an employee’s emails, in the course of a disciplinary investigation into the employee’s conduct, didn’t amount to an unjustified interference with the employees’ private life – the employee didn’t have a reasonable expectation of privacy in circumstances where he had sent emails from his work account in breach of the e-mail policy (which he himself had drafted and was responsible for enforcing!) and the emails were not marked ‘personal/private’.
The fact that Mr Atkinson had used the email system in breach of the Association’s email policy was discovered as a result of its legitimate investigation into his conduct. Employers should bear in made that staff may have a reasonable expectation of privacy at work if the Employer doesn’t have an ‘Email and Internet Use Policy (or similar) which is made known to all staff.
In early 2018, two important decisions have been given by the European Court of Human Rights (ECHR):
In Antovic and Mirkovic v Montenegro, the ECHR ruled that it was a breach of two professor’s privacy rights under Human Rights regulations, to install surveillance cameras in student auditoriums (for the said purpose of protecting property and people and also monitor teaching). The ECHR said that ‘private life’ may include professional activities taking place in a public context (the auditorium), and the employer lacked sufficient justification for the monitoring as there was no evidence that property or people were at risk
In the Spanish case of Lopez Ribalda and Others v Spain, the ECHR found that the use of hidden video cameras in a supermarket to monitor suspected thefts by employees, violated their privacy rights under Article 8 of the European Convention of Human Rights.
In 2009, after seeing irregularities between levels of stocks and sales that amounted to 20,000€ over several months, the supermarket installed both visible CCTV cameras throughout the store and also concealed cameras behind their cashiers desks. Five employees were subsequently dismissed, after the surveillance cameras detected them stealing (or them helping other employees or customers to steal). The employees said their data protection rights and rights to privacy had been breached by the use of covert recordings.
The Spanish courts disagreed and said the dismissals were fair as the covert surveillance was justified. The ECHR disagreed and said the Spanish Courts had failed to strike a fair balance between the employees’ right to privacy and the employer’s right to safeguard its business – they hadn’t told staff about the installation of the covert CCTV cameras, and all staff were monitored without time limit.
The ECHR felt that the covert surveillance was an intrusion into their private life, as the cashiers couldn’t avoid being filmed as they were required to report to work. The ECHR said that to comply with the data protection legislation the employees must ‘explicitly, precisely and unambiguously’ be informed of the monitoring and the purpose of the monitoring.
However, the Spanish Government appealed against this decision and in November 2019, the ‘Grand Chamber’ of the ECHR heard the case; and said that the Employer’s use of the covert surveillance was justified in this case because:
In October 2020, the Swedish fashion retailer, H&M, received a fine of €35.3million from Germany’s data protection watchdog for the unlawful monitoring of employees in their service centre in Nuremberg, Germany (under GDPR laws). This is believed to be the second largest fine that a single company has received under EU GDPR laws.
Since 2014 H&M supervisors at the service centre had been keeping extensive records of the personal circumstances of their employees – personal stories about holidays, information on absences and diseases and symptoms, family problems and religious details. Some of this information was recorded digitally and could be accessed by up to 50 managers. The data was highly detailed and was used to assess individual performance and create profiles of employees.
In 2019, there was a data breach at the company which meant that the records were accessible for two hours, across the whole company. On investigating the data breach, the excessive information gathering was discovered.
The German data watchdog, in Hamburg, concluded the monitoring was not proportionate and did not comply with the GDPR obligations that the company had. H&M has accepted that it will also need to pay a considerable amount of damages to its employees and has issued an “unreserved apology” to the affected staff.
If you need help you can contact the Information Commissioner’s Office, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. You can see the ICO’s Employment Practices Code here (Section 3 covers Monitoring at Work). With the introduction of the GDPR in 25th May 2018, guidance issued by European data protection advisory body, the Article 29 Working Party (WP29), suggests that:
If you are an Employer and need ongoing professional help with any staff/freelance issues then talk to Lesley at The HR Kiosk – a Human Resources Consultancy for small businesses – our fees are low to reflect the pressures on small businesses and you can hire us for as much time as you need.
Please note that the advice given on this website and by our Advisors is guidance only and cannot be taken as an authoritative interpretation of the law. It can also not be seen as specific advice for individual cases. Please also note that there are differences in legislation in Northern Ireland.