Skip to content

UK - ICO Guidance on Employee Monitoring: a consultation

Image of Bertrand Nzabandora
Bertrand Nzabandora



View profile →

Fahy Sheila
Sheila Fahy

PSL Counsel


View profile →

21 October 2022

As part of its topic-specific guidance on employment practices and data protection, the ICO has released its draft guidance for monitoring employees at work for consultation. It will remain open until 11 January 2023 for comments.

At a glance

The previous version of the guidance was first published over a decade ago when the technology and working practices of today were non-existent. Helpfully for employers, the draft has been updated to include the monitoring of remote and home workers and new technologies such as biometric data.

The overall approach is much the same, bringing colour to principles with examples. As with most employment laws and practices, fairness is a key data protection concept. For employees, this means that nothing should come as a surprise. It is closely linked to transparency where the “how” and “why” of processing is crystal clear.

There are a few points of difference, which may mean that employers will want to rethink or refresh their data protection policies, including:

  • consultation with employees where monitoring is being introduced, unless there are good reasons for not doing so, which should be documented;
  • the need for a special category condition to be identified and documented before the monitoring starts where monitoring (e.g. emails) is likely to capture special category data inadvertently;
  • conducting an impact assessment as a matter of good practice even where there is no requirement to do so because there are no high risks to employees (and any decision to proceed without one should be documented); and
  • the expectation that the bar for privacy is likely to be higher when monitoring home working than in the workplace.

The draft guidance

The ICO’s draft guidance covers the monitoring of employees at work and the related data protection considerations under the UK General Data Protection Regulation and the Data Protection Act 2018. With this draft guidance, the ICO states that it aims to:

  1. help provide greater regulatory certainty;
  2. protect workers’ data protection rights; and
  3. help employers to build trust with workers, customers and service users.

The draft guidance is aimed at any public or private organisation that has employees, workers (including gig workers), contractors or volunteers, who are all referred to as “workers”.

What does the ICO mean by “monitoring at work”?

The ICO acknowledges “monitoring at work” to be a broad term which includes the use of the following:

  • camera surveillance;
  • webcams and screenshots;
  • technologies for monitoring timekeeping or access control;
  • keystroke monitoring to track, capture and log keyboard activity; and
  • tracking internet activity and keystrokes.

Potential rationales for this monitoring include:

  • reviewing the quality and quantity of a worker’s output;
  • protecting the health and safety of workers, including their wellbeing;
  • meeting regulatory obligations, including forming part of an employer’s security measures to protecting personal data; and
  • forming part of a short-term response to a specific need, such as installing camera surveillance to monitor for a suspected theft.

Key takeaways

The draft guidance summarises the position under UK law on monitoring at work as follows:

  • Monitoring is permitted but regulated under data protection, human rights and equality laws: Employers must balance the level of intrusion against their needs and those of workers and the public.
  • Workers must be notified: Employers must notify workers of the monitoring, including its nature, extent and rationale, unless exceptional circumstances require covert monitoring.
  • Clear purpose: Employers must be clear about their purpose for monitoring. Further, they must not use the data collected under an existing purpose for a new purpose, unless it is compatible with the existing purpose in most circumstances.
  • DPIAs: Employers must carry out a data protection impact assessment for any monitoring that is likely to result in a high risk to the rights of workers and other data subjects. Further, employers should keep the need for an impact assessment under review. Even where these impact assessments are not mandatory, employers should consider carrying one out as good practice, as the process would help employers make better risk-based decisions and more clearly meet their data protection obligations.

Biometric data

In recognition of the universal trend to use technologies to enhance HR processes, the ICO has incorporated a section on biometric data (finger prints, face and voice recognition). In a workplace context, this might be used, for example, for processes such as monitoring access to buildings or restricted areas - an issue which has taken on greater significance with hybrid working and the need to know who is working where. If going down this route, the ICO warns that the processing of biometrics requires careful consideration. Challenges include:

  • being clear about why less intrusive alternatives are not being used and documenting the reasons for not doing so, which can be tricky because the HR processes like access control and security already have existing less intrusive methods which are mostly effective;
  • identifying a special category condition for processing, which is likely to be consent (notwithstanding that the difficulties surrounding consent are well-known, because of the deemed power imbalance between employers and employees); and
  • providing those employees who do not consent with an alternative, without any detriment, which is required.

The requirement to provide an alternative may be problematic in this context.  For example, it could mean that an employer who introduces biometric access to laptops and other devices, to enhance security, would still be required to offer an alternative. Simply offering an alternative of a strong password may well defeat the purposes of introducing biometric access (i.e. to offer stronger protection against the risk of compromised passwords), so other solutions would need to be considered (e.g. multi-factor authentication).

Next Steps

  • The previous guidance was a well-thumbed volume for those in HR and employment relations whose day jobs encountered aspects of employee-related data protection. It is worth reviewing this draft as monitoring can be highly technical but this publication is very accessible with helpful examples.
  • There is no need to make changes to data protection policies and training at this stage but the monitoring sections should be reviewed to identify gaps and areas which could be improved.
  • Discuss with relevant stakeholders whether there are any recent working practices e.g. in relation to hybrid working or monitoring the presence of workers in workplaces that need to be incorporated into data protection polices and communicated to workers.
  • Consider whether to respond to the consultation, particularly in respect of those areas of your business which you feel are not clearly or adequately covered. If you would like to submit responses, you can do so by completing the survey for the draft guidance and / or the survey for the draft impact scoping document. Alternatively, you can download the survey for the draft guidance and / or the survey for the draft impact scoping document and email them to

Related blog topics

Related expertise