Data Protection and Monitoring: What employers need to know

5th March 2026

Employment law, Newbury, Berkshire.

Monitoring employees almost always involves collecting personal data - whether that’s CCTV footage, system access logs, browser history, location data or recorded calls. Because of this, any monitoring must comply with the UK GDPR and Data Protection Act 2018, which set out strict rules on what data can be collected and how it must be processed.

Under the GDPR, employers must follow the seven core data protection principles, ensuring that personal data is:

  1. processed lawfully, fairly and transparently;
  2. collected for a specific and legitimate purpose;
  3. limited to what is necessary;
  4. accurate and kept up to date;
  5. kept only for as long as necessary;
  6. stored securely; and
  7. capable of being evidenced through accountability measures.

Purpose and lawful basis

Before any monitoring takes place, employers must identify a specific purpose and a lawful basis. Common bases include complying with a legal obligation, performing a contract, protecting vital interests, or pursuing a legitimate interest. Legitimate interest is the most flexible but still requires employers to show the monitoring is necessary and does not override employees’ rights.

While consent is possible, it is rarely reliable in employment due to the power imbalance between employer and employee.

Special category data

Some monitoring - such as biometric systems or browsing history revealing religious or political views - captures special category data, which is subject to even stricter rules. Employers must meet an additional condition, such as protecting health and safety or demonstrating substantial public interest.

Fairness and transparency

The monitoring must be something employees would reasonably expect. Covert monitoring is only justified in exceptional circumstances, such as serious crime, and even then it must be tightly limited.

Employers must also provide clear privacy information, explaining what data is collected, why, who can access it, and how long it will be kept. Early staff engagement helps build trust and reduces the risk of complaints later.

Data minimisation, accuracy and security

Employers should collect only what is necessary, guard against “function creep”, ensure systems are reliable, and keep data secure through restricted access, encryption and proper training.

By embedding these principles, organisations can monitor responsibly while protecting staff privacy and reducing legal risk. As always, a clear policy can provide useful guidance, and regular training can help ensure awareness of the issues and risks.

For advice and support relating to the issues raised in this blog or to make an appointment with our Employment Law Team please call 01635 896 336 or email employment@fentonelliott.co.uk

Disclaimer: This summary is for general awareness and insight, not legal or professional advice, and readers should seek professional advice for their situation.

 
