As monitoring technologies become more sophisticated, regulators are increasingly willing to step in where employers overstep the legal boundaries. The UK Information Commissioner’s Office (ICO) has made clear that workplace surveillance must be necessary, proportionate, transparent, and grounded in a lawful basis. When organisations fall short, the consequences can be serious — ranging from regulatory intervention to significant financial and reputational damage.

The Serco Case: A warning for employers

A recent and highly publicised example is Serco’s use of facial recognition and fingerprint scanning to monitor staff attendance. The company deployed biometric tools across several sites without carrying out a proper Data Protection Impact Assessment (DPIA) and without considering less intrusive alternatives, such as ID cards.

The ICO found multiple breaches, including:

  • use of intrusive biometric data without adequate justification;
  • failure to show the monitoring was necessary or proportionate;
  • insufficient assessment of risks to employees’ privacy; and
  • lack of appropriate transparency and safeguards.

As a result, the ICO ordered Serco to stop using the technology and delete most of the biometric data, with three months to comply, or face potential fines of up to £17.5 million or 4% of global turnover. The case demonstrates the high regulatory bar for using biometric monitoring and the importance of completing a DPIA before implementation.

Employee-led challenges

Enforcement is not limited to regulatory scrutiny. Employees themselves can take action if monitoring is mishandled. Workers may:

  • file complaints with the ICO;
  • seek court orders requiring compliance with data protection laws; or
  • claim compensation where unlawful monitoring has caused financial loss or distress.

Failure to provide clear privacy information – a common pitfall – can itself trigger a complaint or investigation.

The risk of unlawful covert monitoring

The ICO treats covert surveillance as a last resort, lawful only in exceptional circumstances, typically involving suspected criminal activity. Even then, it must be tightly targeted and time-limited. Employers who use covert monitoring without exhausting less intrusive options risk serious regulatory consequences.

A compliance culture is essential

The message from recent enforcement activity is clear: monitoring must be proportionate, well-justified, and grounded in a strong governance framework. Employers who embed DPIAs, transparency, and documented decision-making into their processes significantly reduce the risk of sanctions – and help maintain trust with their workforce.

About Jon Dunkley

Jon Dunkley is a Partner at Wollens and heads up the firm’s Regulatory Department. Based at our North Devon office, Jon is a highly experienced solicitor with a broad commercial and regulatory practice, supporting businesses, professionals and senior employees across a wide range of legal issues.
