What are the limits on employee monitoring information?

Feb 22, 2021 | Good Management

If you are satisfied that the employee monitoring you are proposing is lawful and necessary, and you have complied with data protection requirements around security and access, it’s important to consider the limits there are on the monitoring data you are collecting.

Some of these issues aren’t immediately apparent and may arise further down the line, but are worth bearing in mind before starting your monitoring.

Using the data for another purpose

A common query is whether it is ok to use data collected as part of employee monitoring for a purpose that has not been identified in a privacy notice. The simple answer is no – a fundamental principle of data protection legislation is that data can only be used for the specified purpose and cannot be used in a manner incompatible with that.

An example of this might be where you have specified that you are only using CCTV for the purposes of theft prevention, or prevention of other illegal activity, but it then transpires in the course of monitoring that an employee has done something you would consider to be misconduct, and you naturally want to act upon that information.

You can’t ‘unsee’ something you have seen, but using evidence obtained through monitoring where the reason you are using it has not been identified in advance is likely to make you vulnerable to either an unfair dismissal claim, if the outcome is an employee being dismissed, or a complaint to the Information Commissioner’s Office.

Therefore if you have seen something you feel the need to act upon, your priority should be to take steps to seek alternative evidence for your concern. This could be witness evidence, or other evidence depending on the nature of the concern. Remember you don’t need absolute proof in order to take disciplinary action against someone, including dismissal – a reasonable belief that the conduct took place and dismissal being a reasonable response are all that is needed.

Making sure you have correctly identified the purposes for which you will be processing data should help avoid this problem. Consider carefully what scenarios could arise, and whether you might feel the need to use the data being collected for another purpose. If you think you will, and you think this can be justified and is necessary, incorporate it into privacy notices from the start, rather than finding yourself in a situation where you have information you potentially cannot act upon.

Inadequate data

Employees have the right to have decisions made about them that are using adequate data for the purposes of the decision-making. If you are relying solely on the monitoring you are doing, and that monitoring is inadequate in terms of giving you enough information to make a reasonable fair decision, that could be a problem.

Irrelevant data

Employee monitoring can give you a lot of information, and when this is available, it can be tempting to incorporate more of it into a decision than is necessary. Avoid doing this, and make sure any data you are considering as part of a decision you are making is completely relevant to the issue being considered and to the purposes you have identified for processing the data.

Too much data

Because of the sophisticated technology and software available now, it is not uncommon for an employer to identify a solid legal basis for processing data gained through employee monitoring, only to find that the system they are using actually collects a lot more data than is needed for the purpose identified, or more than employees have been notified will be collected.

Consider this carefully when choosing your monitoring methods – just because it’s possible to collect intricate and detailed information doesn’t mean you should – can the options you are looking at be tailored to limit the data collected? Can you identify a way of immediately deleting unnecessary data?

Keeping it too long

A cautious approach to employee data used to be to keep everything ‘just in case’. Not retaining data longer than absolutely necessary is a key principle of data protection requirements, so this approach should be avoided at all costs. Don’t hang on to anything longer than strictly necessary – identify in advance what a suitable retention period will be, and make sure this is periodically reviewed, and, importantly, actually adhered to. Unless you are going to make sure data is actually erased after the retention period specified, identifying a retention period won’t protect you in the event of a complaint.


Incorporating these limitations when you are deciding whether to go ahead with employee monitoring will help you do so lawfully, and avoid complaints and possible tribunal claims.


If you need further advice on limits on the monitoring data you are collecting, do get in touch.