Monitoring employees – What is legal and what is excessive?

With the rapid evolution of technology and the increase in remote and hybrid working, employee monitoring has become more common in the UK workplace. From the red, orange, and green dots on Teams to tracking emails and internet use, employers now have more ways than ever to oversee staff activity.

Whilst the intentions behind monitoring may be genuine, there is a fine line. Employers that overstep it risk employment claims, including unfair dismissal or breach of contract, ICO investigations, and possible data protection fines, as well as reputational damage, which can harm staff morale and make recruitment harder.

So what is actually legal when it comes to workplace surveillance, and when does it become excessive monitoring that risks breaching employee rights?

This guide explains the law on monitoring employees in the UK, what employers can and cannot do, and how to strike the right balance between legitimate business interests and staff privacy.

The legal framework for employee monitoring in the UK

Legally, employees are bound by the Data Protection Act 2018, UK GDPR, and the Human Rights Act 1988, which states that employees retain a right to private life under Article 8.

How the Data Protection Act and UK GDPR affect employee monitoring

Employee monitoring almost always involves the collection and use of personal data, which is therefore regulated by the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR). To ensure legal collection and processing of personal data, employers must take the following principles into account:

  • Lawful basis. There must be a valid legal ground for monitoring. Most employers rely on legitimate interests, such as protecting IT systems or preventing misconduct.
  • Necessity and proportionality. Monitoring should only go as far as is required for the stated purpose. Employers must consider whether less intrusive alternatives are available.
  • Transparency. Staff must be informed in advance about what monitoring takes place, why it is done, and how the information will be used. Secret or covert monitoring is only lawful in very limited circumstances, such as investigating suspected criminal activity.
  • Data minimisation and retention. Only data that is relevant should be collected, and it should not be stored for longer than necessary. Employers should have clear policies on how long monitoring records (such as CCTV or email logs) are kept.
  • Security and access controls. Monitoring data must be stored securely, with access limited to authorised personnel only. Where third-party software is used, appropriate data processing agreements must be in place.
  • Data Protection Impact Assessments (DPIAs). For high-risk or intrusive monitoring (such as biometric systems, CCTV, or large-scale surveillance), a DPIA is strongly recommended to assess risks and safeguards.
  • Employee rights. Employees retain the right to be informed, to access data about themselves, to request corrections, and in some cases to object to monitoring.

In practice, the DPA 2018 and UK GDPR do not prohibit employee monitoring, but they do set boundaries that ensure monitoring is fair, transparent, and proportionate. Employers who fail to comply risk enforcement action from the Information Commissioner’s Office (ICO) as well as reputational damage.

Is there any ACAS guidance on workplace monitoring?

ACAS recommends consultation with staff before any new monitoring is introduced. Employers should be open about why it is happening and ensure it is not excessive or unfair.

Furthermore, employers should ensure that employment contracts, IT use policies, and staff handbooks clearly set out what monitoring may occur. This avoids disputes and helps demonstrate fairness if issues arise.

Common types of employee monitoring that are lawful

When handled correctly, certain types of workplace monitoring are generally legal in the UK:

  • Email and IT monitoring - to prevent misuse, protect confidential data or detect malware.
  • Internet access logs - recording websites visited during working hours.
  • Telephone call logs - capturing call length and numbers dialled (not normally call content).
  • Time and attendance systems - including swipe cards, biometric log-ins or clocking in/out.
  • CCTV at work - in communal or security-sensitive areas, with clear signage.

Examples of excessive or unlawful employee surveillance

Monitoring becomes unlawful or “excessive” where it crosses the line into disproportionate intrusion. Examples of excessive surveillance include:

  • Covert surveillance. This is only permitted in very rare cases, such as suspected criminal activity.
  • Always-on webcams. Requiring staff to keep cameras running during home working is highly intrusive.
  • Keylogging and screen recording. Tracking every keystroke or screenshot can rarely be justified.
  • Reading private communications. Accessing personal emails or calls would be considered disproportionate without exceptional justification.

Best practice for lawful employee monitoring

To stay compliant and maintain trust with the workforce, employers should adopt these best practices:

  • Be transparent. Have a clear monitoring policy that is communicated to all staff.
  • Be proportionate. Only collect data that is necessary and avoid blanket surveillance.
  • Consult staff. Engage with employees or representatives before introducing new monitoring systems.
  • Protect data. Limit who has access to monitoring records and set retention periods. Ensure that records are stored safely and securely.
  • Consider alternatives. If there are alternative ways to manage performance without invasive surveillance, they should be used where possible.

Conclusion

Workplace monitoring in the UK is legal when it is transparent, proportionate, and justified. But excessive surveillance, such as constant tracking or covert recording, risks breaching data protection law and employee rights.

The safest approach for employers is to combine clear written policies with open communication. For employees, knowing your rights helps ensure monitoring is used fairly, lawfully, and only where necessary.

FAQs about monitoring employees in the UK

Can my employer monitor my emails at work?
Yes, but only if employees have been informed in advance. Employers cannot routinely read personal emails unless there is a strong, lawful reason.

Is workplace CCTV legal?
Yes, but cameras must be clearly signposted and not used in private areas. CCTV should be for security, not covert monitoring of performance.

Can my employer track me when I work from home?
Employers may monitor log-ins, use of company systems or productivity tools. However, constant webcam surveillance or monitoring of personal devices would usually be unlawful and excessive.

Do employers need consent for monitoring?
Consent is rarely valid in the employment context, as it cannot be freely given. Instead, employers usually rely on “legitimate interests” under UK GDPR, but they must still show necessity and proportionality.

For advice and support relating to the issues raised in this blog or to make an appointment with our Employment Law Team please call 01256 320555 or email mail@clarkeandson.co.uk

Disclaimer: The content of this website blog is for general awareness and insight. This is not legal or professional advice, and readers should not act upon the information provided; they should seek professional advice based on their own particular circumstances. The law may have changed since this article was published.
