There is something about the phrase “employee monitoring” which sounds a little sinister. Whether that's an employee monitoring system designed to track remote teams, or digital tools built to improve employee productivity, any mentions of monitoring rarely have a warm reception. And yet, there are occasions when monitoring systems are legitimately needed to manage workers. Despite this, handled incorrectly, employee monitoring can result in more than a few disgruntled employees.  

In this article, we discuss the ethics, legal considerations, and privacy concerns that relate to workplace monitoring. From tracking software to monitoring computer activity of remote employees, we'll set out the pros, the cons, and the absolute no-gos.

What does monitoring mean in the workplace?

There are lots of embedded monitoring practices we’re comfortable with, for example:

• Photocopier cards – keeping track of those who print off an entire forest because they keep forgetting to print double-sided.
• CCTV in the company car park – being able to provide footage to the insurers to claim back on the wing mirror that has been clipped and paintwork scratched.
• Signing in at reception – keeping track of who is in office in case of fire and doing a roll-call.

More recent monitoring practices we might feel comfortable with include when IT gets an alert that someone has tried to access an inappropriate website.

Not everyone is comfortable with monitoring however and you can understand why some people might think it goes a little too far when you read reports of companies accessing laptop webcams when employees are working from home. Feels a bit Big Brother, right?

Is it ethical for employers to monitor employees?

The starting point in law is that privacy is a human right, so we expect a degree of privacy as we go about our lives. Whether we are out and about (e.g. toilet cubicles in public bathrooms), go shopping (e.g. the cashier might look away as you enter your credit card PIN) or have a sales pitch at the office (e.g. sound-proof meeting rooms, maybe with frosted glass).

That being said, privacy is not an absolute right. That means sometimes actions that would normally be considered intrusive are legally justified. We usually don’t need to articulate the justification because the context explains itself (e.g. getting an extra pat-down by security when we make the airport metal detector beep).

But when the context is not obvious it leads to situations where one person considers their actions to be justified but the other person feels is a total invasion of their privacy.

What is the best practice for employee monitoring?

Let's start with the employee-employee context.

From an employment law point of view…

• there is an implied term of trust and confidence between employers and employees. This means that even though it might not be written anywhere in an employment contract, an employer or employee can assume that their relationship is founded on trust and confidence. If that trust completely breaks down (or, in legal speak, that implied term has been fundamentally breached), then – in a similar way to a romantic or platonic equivalent – the relationship can come to an end. Depending on who did the trust-ruining, that either means that an employer is entitled to dismiss the employee or the employee is entitled to walk away from their job (claiming constructive dismissal).

A cautionary tale! If it is the employer has broken the trust – because, perhaps they have installed software which periodically accesses remote working employees’ webcams without letting their employees know they do this – and the employee realises this breach and resigns, then the employer cannot rely on any post-termination restrictions in the contract. Meaning there is nothing to prevent a former employee from working for a competitor or trying to poach customers/staff and the employee doesn’t need to work out their notice period.

From the data protection point of view….

Employers need to comply with data protection law. Often when organisations think about data protection (the UK GDPR, cookie consent and all that good stuff) the focus is on their relationships with externals, e.g. customers, website visitors or suppliers. But data subjects also include employees (since a data subject is any person who can or could be identified by information, aka personal data). This means that employers are controllers (meaning they make decisions about their employees’ personal data) and they have specific obligations. Particularly relevant examples are:

• the employee has a right to know what information is being collected about them and why. These details must be included in an employee privacy notice but it might also be a good idea to have a specific employee monitoring policy. This is because (unless they’re well geeky like us at Stephenson Law) employees are unlikely to be reading through privacy information. The more intrusive the employee surveillance, the more prominently an employer should advertise what monitoring is being carried out and why.
• an employer needs to be clear about what they’re trying to achieve (and that their chosen method is the best way to do that). Some potential reasons for employee monitoring are:
• To ensure employees only use work devices and systems for business-related activities.
• For crime prevention and detection.
• To investigate an allegation of bullying, misconduct or unprofessional behaviour.
• To monitor the productivity of employees.
• To check the health and safety and well-being of employees.

Even when there is a good reason sometimes an employer might choose an approach which is OTT. Of course, a business will want to increase employee productivity but perhaps remotely accessing a homeworker’s webcam is a sledgehammer for a walnut. Another advantage to an employer being open about their monitoring practice is that they might hear about a solution they had not considered before.

An employer should also consider who should have monitoring access. It is not appropriate that every single member of staff can access their colleagues’ private messages – that should probably be reserved for a person in an HR role or a senior executive. Once someone has been given the responsibility of monitoring, specific safeguards should be put in place to make sure that individual doesn’t abuse their access permissions (e.g. that they only check a colleague’s browsing history once they receive a security notification, not any time they fancy). One way to do this might be by getting those individuals to sign a monitoring privileges acknowledgement form.

It’s a lot to think about, but it is indeed possible to conduct employee monitoring without giving the workforce a case of the creeps. Thinking about changing your employee monitoring practices and not sure about your legal obligations? We're here to help you distinguish creepy from practical.

‍