
Always Watching: Understanding the Legal Limits of Employer Surveillance in the UK Workplace

The modern British workplace has become, for many employees, a monitored environment in ways that would have seemed extraordinary a decade ago. Software that captures screenshots at random intervals, tools that log every keystroke, systems that track cursor movement to generate 'productivity scores', GPS devices fitted to company vehicles — and, increasingly, applications installed on personal devices used for work that harvest data far beyond what any reasonable employee would anticipate.

The expansion of remote and hybrid working since 2020 has accelerated this trend considerably. Employers unable to observe staff directly have turned to technology to fill the visibility gap, often implementing monitoring tools rapidly and with minimal consultation. The legal framework governing this surveillance exists — but it is frequently misunderstood by employers and almost entirely unknown to the workers it is supposed to protect.

The Legal Framework in Brief

Workplace monitoring in the United Kingdom is governed primarily by three instruments: the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Employment Practices Code published by the Information Commissioner's Office (ICO). Employers must also consider the Human Rights Act 1998, which incorporates Article 8 of the European Convention on Human Rights — the right to respect for private and family life — into domestic law.

Taken together, these instruments establish several clear principles. Monitoring must have a lawful basis under UK GDPR — typically either legitimate interests or, in limited circumstances, employee consent (though the ICO has been explicit that consent is rarely a reliable basis in an employment context, given the inherent power imbalance between employer and worker). Monitoring must be proportionate to the purpose it serves. And — critically — employees must be informed that monitoring is taking place, what data is being collected, how it will be used, and how long it will be retained.

The ICO's Employment Practices Code is not legally binding in the way that statute is, but employment tribunals and courts treat it as a strong indicator of what constitutes responsible practice. Departures from its guidance are difficult for employers to defend.

What Employers Are and Are Not Permitted to Do

The line between lawful and unlawful monitoring is not always immediately obvious, but several principles provide useful orientation.

Email and internet monitoring is lawful provided employees have been clearly informed of the policy in advance — typically through a written acceptable use policy. Covert monitoring of personal email accounts, even when accessed on company equipment, is far more difficult to justify and will rarely survive scrutiny under the proportionality test.

Screen capture and keystroke logging sit in more contested territory. These tools are highly intrusive by nature, capturing not just work-related activity but potentially sensitive personal information, confidential communications, and health-related searches. An employer wishing to deploy such tools must be able to demonstrate a specific, proportionate purpose — fraud investigation, for instance — and must generally inform employees that such monitoring is in place. Covert deployment for routine productivity management is very unlikely to be lawful.

GPS and location tracking of company vehicles during working hours is broadly accepted, provided employees are informed. Tracking extending beyond working hours — or applied to private vehicles — requires considerably stronger justification and is frequently disproportionate.

Biometric data, including facial recognition or fingerprint scanning for attendance purposes, constitutes special category data under UK GDPR and attracts the highest level of regulatory protection. Explicit consent or another Schedule 1 condition under the Data Protection Act 2018 is required before such data can be processed.

The Remote Worker's Particular Vulnerability

Employees working from home face specific risks that their office-based colleagues do not. When monitoring software is installed on a company-issued device, the legal position — whilst still requiring disclosure and proportionality — is at least relatively clear. The situation becomes considerably more complex when employers request or require the installation of monitoring tools on personal devices.

An employee who uses their own laptop or smartphone for work purposes may find that software installed at an employer's direction captures data that extends well beyond professional activity. Personal photographs, private messages, financial information, and health data may all sit on the same device. Processing any of that information — even incidentally — without a lawful basis constitutes a breach of UK GDPR.

Workers in this position should request, in writing, full details of any software installed on their personal devices at their employer's direction: what data it collects, where that data is stored, who has access to it, and what the retention period is. An employer who cannot or will not answer these questions clearly is unlikely to be operating a lawful monitoring regime.

Recognising Surveillance That Crosses the Line

Not all unlawful monitoring is immediately visible. Workers who suspect they may be subject to covert surveillance — or who have been presented with monitoring policies that seem disproportionately broad — should consider the following indicators:

Any of these circumstances may indicate a breach of UK GDPR, the Data Protection Act 2018, or both.

How to Respond and Where to Report

If you believe your employer is monitoring you unlawfully, there are structured steps you can take.

Begin by making a Subject Access Request (SAR) under Article 15 of UK GDPR. This entitles you to a copy of all personal data your employer holds about you, including data collected through monitoring tools. Employers have one calendar month to respond. Reviewing what data has been collected — and comparing it against any disclosed monitoring policy — can quickly reveal whether the surveillance in operation exceeds what was communicated.

If the SAR response reveals data collected without disclosure, or if your employer fails to respond within the required timeframe, you can raise a complaint directly with the ICO. The ICO has the power to investigate, issue enforcement notices, and impose financial penalties.

For employment-related consequences — dismissal or disciplinary action based on covertly collected monitoring data, for instance — an employment tribunal may be the appropriate forum. Legal advice from a specialist employment solicitor is strongly recommended before pursuing that route.

Doing It Right

Employers have legitimate interests in understanding how work is being performed, particularly in distributed working environments. Monitoring, conducted transparently and proportionately, can serve those interests without infringing on workers' rights. The test is not whether monitoring occurs — it is whether it occurs openly, with a clear purpose, and within boundaries that respect the dignity and privacy of the people it affects.

Workers who understand their rights under UK GDPR are far better placed to identify when those boundaries have been crossed — and to insist, through the proper channels, that their employer gets it right.
