From preventing employees working for others in the employer’s time to checking if someone is having an affair with your partner, employers feel they have legitimate reasons for monitoring employees. But what is it lawful to do?

To understand what is lawful we need to look at some details:

  • are there legitimate reasons for the monitoring?
  • is the monitoring proportionate to the reasons?

Legitimate reasons

The law (i.e. the GDPR) allows you to hold personal data for legitimate reasons. If the reasons are “legitimate” then the employee’s consent is not required. Of course if an employee feels you are continually looking over their shoulder, then that is micro-managing them. Such action can destroy an employee’s motivation. There needs to be a balance.

It is legitimate to use personal data about your employees:

  • for monitoring day to day activities of employees
  • to enable their general management
  • to administer their wage/salary payments
  • to carry out appraisals, performance and salary reviews
  • to operate your employment rules and policies and check that they are followed
  • to operate and maintain security of the company’s information
  • to detect abuse of information systems
  • to comply with legal obligations

There are other reasons that may be applicable in particular cases. For example, in some environments it may be legitimate to monitor health.

Monitoring may also be legitimate where there is lone working. While the reasons above also apply, there can also be a live health and safety need.

Is it legitimate to monitor an employee to see if they are having an affair with your partner? I suggest not. That intrudes into the person’s private life. Of course the suspicion could damage working relationships. Whether that is a legitimate reason is a matter I’d leave you to argue in court!


All personal data gathered has to be proportional to the purpose for which it is gathered.

Tracking of employees’ vehicles during their working time is legitimate. But if you allow private use then there is an argument that the employee should be allowed to switch the tracking off when they are not in working time.

Blanket monitoring will invariably fall foul of the law! I would not advise that you monitor all employees to see who might be having that affair.


Workplace monitoring fosters distrust and it is crucial to be open about the data collected.

Details such as browsing history, phone logs and emails are typically recorded. Employees need to be aware of this, and whether such activity is reviewed, by whom and for what purpose.

Covert monitoring is rarely justified. You must be reasonably sure that there really is some crime being committed. There is more on this in an earlier blog here.


Digitalisation and new technologies make monitoring much easier and more pervasive. Smartphones are increasingly used by employees in their work. In some cases smartphones will be provided by the employer. In that case, should the employer know the employee’s Apple/Smartphone ID? If you want to do that then it should be covered in the contract of employment.

Monitoring should not be intrusive. If it extends into the employee’s private life you risk infringing human rights.

Employees should be warned that personal material that they place on the organisation’s information systems might not remain private. That might be a warning to that philanderer!


Monitoring that may relate to personal data needs to be kept secure with limited, specified, access.

Records need to be destroyed when no longer relevant – including anything that gave rise to your infidelity suspicions!

Action points

1. Check your policies:

  • Do they outline the data you collect, how you collect it, and for what you are using it?
  • Do employees know that personal data they may place on your systems (emails for example) may not necessarily be private?
  • Do these policies provide for monitoring?
  • A policy about when you will destroy data should be explicitly stated.

2. Check signage as appropriate

  • If you are using CCTV then the need for signage is well known
  • You may want to include a notice in vehicles that are subject to tracking

3. Is your data secure?

  • CCTV footage, and other monitoring data that might be used in criminal proceedings, needs a restricted access procedure.
  • Check you are clear about other personal data. If one employee stalks another, and you’ve allowed unrestricted access to the stalked employee’s home address, then that could be a data breach under the General Data Protection Regulation*.
  • Data should be destroyed when no longer relevant to the purpose for which it was gathered.

*There is more information on complying with the GDPR here.

Malcolm Martin FCIPD

Author Human Resource Practice