Remote working: can employers monitor their employees?

Working from home has become the new normal due to the impact of Covid-19. Employers and employees across many industries have had to quickly adapt to the Government’s guidance of “work from home wherever possible”. This shift to home working has inevitably led to concerns from employers and, therefore, many have taken steps to monitor what their employees are doing from home. Employee monitoring might seem legitimate, however; employers will need to be careful and address wider considerations such as employee privacy and data protection issues.

What is workplace monitoring?

Workplace monitoring is any form of surveillance undertaken by an employer. This generally involves using techniques to monitor an employee’s activities or behaviours during the working day. Such methods can include spot checks of emails and monitoring internet history to more invasive methods such as installing software on laptops or devices that record keyboard use or the number of hours sat in front of a screen.

 Can employers monitor their employees?

Employers often include the right to monitor employees in their employment contracts or workplace policies. Whilst employers might have this right, they must exercise caution and consider the way in which they monitor employees from home.

Excessive monitoring could constitute a breach of article 8 of the European Convention of Human Rights (ECHR), the right to respect for private and family life. The Human Rights Act 1998 incorporates article 8 of the ECHR into UK Law and, although it only applies to public authorities, it is still relevant to all employers as courts and tribunals must interpret all legislation consistently with ECHR rights. Given this, employers will need to balance their right to introduce measures that ensure effective running of their business against the employee’s right to privacy. The monitoring measures must be a proportionate response to a legitimate business need. Employers should ensure that employees are given prior notice, the scope of the monitoring is well defined and that they have clear reasons to justify the monitoring.

It is also important for employers to consider any implications on employee relations. Research has suggested that monitoring can negatively impact trust within management teams. Given this, employers should consider employee views at an early stage and think about how they introduce any policies.

What about data protection?

Data protection rules do not necessarily prevent employee monitoring, but they do impose some important parameters as most forms of employee monitoring will involve processing of personal data. If the processing presents a risk to the rights of individuals, such as the right to privacy, the employer will need to carry out a data protection impact assessment before monitoring. The employer needs to work out if the processing of personal data is really necessary? Is the data collection being limited in scope? The reason for the processing will often be that the monitoring is in the employer’s legitimate business interests, such as monitoring performance or quantity and quality of work. As part of the impact assessment, employers will need to consider any adverse impact on employees such as intrusion of privacy (see above) and whether there are any alternative methods. Factors to consider might include:

• Is the monitoring oppressive or demeaning?
• Who will see the data?
• What is the likely impact on employee relations and trust?
• How long will the data be retained?

If new practices relating to employee monitoring are introduced, it is advised that employers carry out a fresh impact assessment and update their employee privacy policies accordingly.

Practical steps for employers

• Employers should review all employee privacy policies to ensure that they are in line with the Data Protection Act 2018 and to check if monitoring is already covered. If any significant changes are made to monitoring practice, employers must ensure that employees are notified of any change and given sufficient details.  
• Employers need to be cautious if the employees use their own devices for working from home. The risk is that monitoring picks up their personal communications or those of their family members.
• Employers should review any IT policies and ensure that they include the right to monitor employees. The policy should set out the scope of the monitoring, those devices that are monitored and the employer’s reasons for monitoring.
• Employers should consider carrying out a data protection impact assessment to identity any risks with employee monitoring practices. Revisit existing practices and policies – are they necessary and limited in scope?
• Employers might want to introduce a working from home policy to introduce best practice. This can help employers manage expectations around monitoring, data protection and employee performance.