Monitoring employees almost always involves collecting personal data – whether that’s CCTV footage, system access logs, browser history, location data or recorded calls. Because of this, any monitoring must comply with the UK GDPR and Data Protection Act 2018, which set out strict rules on what data can be collected and how it must be processed.

Under the UK GDPR (Article 5), employers must follow the seven core data protection principles, ensuring that personal data is:

  1. processed lawfully, fairly and transparently;
  2. collected for a specific and legitimate purpose;
  3. limited to what is necessary;
  4. accurate and kept up to date;
  5. kept only for as long as necessary;
  6. stored securely; and
  7. handled in a way that lets the employer demonstrate compliance with the other six principles (accountability).

Purpose and lawful basis

Before any monitoring takes place, employers must identify a specific purpose and a lawful basis under Article 6. Common bases include complying with a legal obligation, performing a contract, protecting vital interests, or pursuing a legitimate interest. Legitimate interest is the most flexible but still requires employers to pass a three-part test: identify a genuine interest, show that the monitoring is necessary to achieve it (and that a less intrusive option would not do), and show that the interest is not overridden by the employees' own interests, rights and freedoms. That assessment should be recorded before monitoring starts, not reconstructed afterwards.

While consent is possible, it is rarely reliable in employment due to the power imbalance between employer and employee.

Special category data

Some monitoring – such as biometric systems used to identify individuals, or browsing history that reveals religious or political views, trade union membership or health conditions – captures special category data, which is subject to even stricter rules. Employers must meet an additional condition under Article 9 and, in most cases, Schedule 1 of the Data Protection Act 2018, such as complying with employment law obligations (including health and safety) or demonstrating substantial public interest. Several of those conditions also require an appropriate policy document explaining how the data will be handled and retained.

Fairness and transparency

The monitoring must be something employees would reasonably expect. Covert monitoring is only justified in exceptional circumstances, such as where there are grounds to suspect criminal activity or equivalent serious malpractice and telling staff would prejudice its prevention or detection. Even then it must be authorised at senior level, targeted at the specific suspicion, limited in time, and stopped once the investigation concludes.

Employers must also provide clear privacy information, explaining what data is collected, why, who can access it, and how long it will be kept. Early staff engagement helps build trust and reduces the risk of complaints later.

Data minimisation, accuracy and security

Employers should collect only what is necessary, guard against "function creep" (data gathered for one purpose quietly being reused for another, such as security logs being repurposed for performance management), and ensure systems are reliable so that timestamps, identities and records can be relied on before any action is taken against an individual. Data must be kept secure through restricted access on a need-to-know basis, encryption in transit and at rest, logging of who views the monitoring data itself, defined retention periods with routine deletion, and proper training for anyone who handles it. Because monitoring of workers is typically systematic, a data protection impact assessment (DPIA) should be completed before it begins and used to record these decisions.

By embedding these principles, organisations can monitor responsibly while protecting staff privacy and reducing legal risk.

About Jon Dunkley

Jon Dunkley is a Partner at Wollens and heads up the firm’s Regulatory Department. Based at our North Devon office, Jon is a highly experienced solicitor with a broad commercial and regulatory practice, supporting businesses, professionals and senior employees across a wide range of legal issues.

Speak to Jon Dunkley

Jon is a Partner at Wollens and can advise you. Contact Jon via email jon.dunkley@wollens.co.uk or call 01271 341021.

