Your rights around surveillance

Close-up photo of a door camera lens
Photo by Bernard Hermant

“What privacy am I entitled to?”

An employee’s decision to enter into a contractual relationship with an employer does not mean that they sacrifice their entitlement to a private virtual or physical space but retain a reasonable expectation of privacy at work [a46] .

All employees and workers continue to enjoy a right to privacy pursuant to Article 8 of the European Convention on Human Rights (ECHR) and the Human Rights Act 1998 (HRA). Article 8 states [a] :

  1. Everyone has the right to respect for his private and family life, his home and his correspondence.

  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

“What forms of surveillance are covered by the law?”

Data protection laws cover all personal data gathered through workplace surveillance through means such as [b] :

  • A person’s image on a CCTV recording
  • Voice capturing from phone calls or computer microphones
  • Information about a person’s use of a computer or use of emails or the internet at work

“What are the restrictions on employers?”

Employers must ensure that personal data is processed in a fair and lawful way. For example, employers [b] :

  • Can only gather and keep information for limited and stated purposes
  • Must tell workers what personal information is being recorded, how it was gathered, why it’s being recorded and who is likely to have access to it and for what reason
  • Must ensure that information kept about individuals is accurate, relevant and up to date and that it is not kept for longer than necessary. They must also ensure that personal information is held securely.
  • Must not reveal personal information to people who do not have a legitimate interest for seeing it, unless individuals have willingly given their employers permission to do so

“What type of data can an employer legally collect?”

Employers can only gather and keep information for limited and stated purposes. There are also stronger legal safeguards in place for special categories of data including information about a person’s [b] :

Person typing on a laptop
Photo by Kaitlyn Baker
  • Racial or ethnic origin
  • Political opinions
  • Religious or similar beliefs
  • Trade union membership
  • Mental or physical health
  • Sexual orientation or sexual life
  • Alleged or actual criminal offences

“What data protection rights do I have?”

Data protection law gives workers important individual rights, including the right to [b] :

  • Be informed about how any why their personal data is gathered and how it will be used
  • Request an easily accessible copy of the personal information that an employer holds about them. Thanks to the GDPR, the information must be provided free of charge and within 1 calendar month. In limited circumstances, employers can withhold information, for example where the disclosure of information may breach a duty of confidence to someone else, where providing the information would require ‘disproportionate effort’ or whether the information might undermine on-going negotiations between an individual and their employer
  • Ask employers to correct, delete or destroy any information held about them that is factually inaccurate. This could be particularly important in relation to disciplinary records or information held about health

“Can employers use surveillance data for automated decision making?”

Employers may attempt to use data collected through surveillance as a means for automated decision making. However, individuals must be told when a decision has been taken solely using automated decision making and have the right to ask for the decision to be reviewed by a person in authority.

Under GDPR automated decision-making systems can only be used:

  • If it is necessary for the performance of or entering into a contract
  • If it is authorised by law
  • Or an individual has explicitly consented to it

Unfair dismissal legislation should protect employees who qualify for protection under s.97 and s.98 of the Employment Rights Act 1996 from dismissal decisions that are factually inaccurate or opaque in the usual way. The use of technology to support such decisions does not make any difference to this important legal protection.

Desk with camera and memory cards

“What if I believe the automated decision making is unfairly discriminatory?”

All job applicants, employees and workers are entitled to work free from discrimination, harassment and victimisation relating to defined protected characteristics: age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation [a48] .

Organisations using automated decision making should also carry out regular reviews and use appropriate procedures to prevent errors.

Specific examples of rights

Under the European Court of Human Rights:

  • Workers have a reasonable expectation of privacy when using the phone at work, especially if employees have not been warned them their telephone might be bugged [b5]
  • Monitoring of work emails can breach employees’ rights to privacy, particularly where employers do not have a workplace policy [b6]
  • Employers must be able to justify surveillance of employee communications, especially if this involves reading employees’ private emails or online messaging. They should also explore any less intrusive alternatives [b7]
  • Covert surveillance at work can only be justified in exceptional circumstances [b8]
Desk with coffee
Photo by Andrew Neel

The Employment Appeal Tribunal (EAT) has decided:

  • Covert surveillance of an employee’s home who was suspect of fiddling time sheets, was not disproportionate [b10]
  • Filming of an employee in public did not breach his right to a private life [b11] . The employee had been seen at a sports centre when he was supposed to be at work but had not clocked out. Because he had acted fraudulently he had no right to privacy
  • It was fair for an employer to dismiss an individual because of derogatory comments they had made about the employer on social media, even though the comments were posted two years before the dismissal took place. The employer had also found evidence on social media that the individual had consumed alcohol whilst on standby [b12]

Useful Resources

General Info

Legal Documents

  • The right to privacy is protected by Article 8 of the European Convention on Human Rights and in UK law by the Human Rights Act 1998

General Guidance