Here we list a selection of key cases on data protection, surveillance and privacy at work, providing a summary of the decision and implications for employers

Forbes v LHR Airport Ltd | Employment Appeal Tribunal | 8 July 2019
Issue: Social media – use outside employment

A security officer at Heathrow Airport shared an image on her Facebook page of a golliwog accompanied by the message, ‘Let’s see how far he can travel before Facebook takes him off’. The image was shared with her Facebook friends, including a work colleague, who showed the image to another security officer, Forbes. He was not a Facebook friend of the officer, but was shocked about the posting, and raised a grievance that racist images were being circulated at work. The grievance was upheld and the security officer apologised when the offensive nature of the image was explained. She received a final written warning for breaching Heathrow’s ‘Dignity at work’ policy. 

Forbes later refused to work alongside the security officer, which resulted in him being moved to another post without any explanation. He then went off sick and, before his return to work, brought a tribunal claim for harassment, victimisation and discrimination, based on the employer’s vicariously liability for what the security officer had done. 


The employer successfully defended the claim. The EAT said the posting of the racially offensive gollywog image on the personal Facebook account was not ‘in the course of employment’ so the employer could not be vicariously liable. The employee was not at work when the image was posted, the image did not refer or any Heathrow employees, and the security officer did not use Heathrow’s equipment in sharing the image. 

Some guidance was given on vicarious liability. If something is done ‘in the course of employment’, that phrase is construed as a non-lawyer would see it. Relevant factors include whether the act was carried out at work or outside work, or whether there was a sufficiently close connection with work.

In an online environment, it is difficult to see whether there is a sufficient link between personal social media activities and employment. If the account is used for work, or if the list of friends largely includes work colleagues, then there may be a sufficient connection to mean posts are in the course of employment.

Whether or not a social media posting is work-related will depend on the facts of the individual case. If the Facebook page in question is routinely used for raising work-related matters, there will be a sufficiently close connection with the workplace to mean the act has been done in the course of employment.

Further issues referred to by the EAT included:

  • The relevance of the security guard’s apology. The EAT pointed out that the definition of harassment includes the other circumstances of the case, which means that a tribunal may take account of an apology made shortly after the conduct, once it is brought to the employer's attention. The apology may be relevant in assessing if conduct has the purpose or effect of creating a hostile and intimidating environment.
  • The employer’s reasonable steps in preventing discrimination. Heathrow treated the conduct of the security guard seriously and gave her a final written warning, and had taken reasonable steps to prevent its staff from carrying out such discriminatory actions.

Implications for employers

Harassment under the Equality Act 2010 involves unwanted conduct related to a protected characteristic, which has the purpose or effect of violating someone’s dignity or creating an intimidating, hostile, degrading, humiliating or offensive environment. Employers are vicariously liable for employees’ harassment unless all reasonable steps have been taken by the employer to prevent the act complained of. Employers should be aware that they can be held vicariously liable for the actions of employees which constitute bullying, harassment and discrimination through online networks and social media.

It is not simple for employers to assess if an employee is doing something whilst at work when some of their activities are conducted online at home.

Employers are vicariously liable for the actions of employees on social networking sites if they occur in the course of employment. However, employers should not ignore employee conduct outside of the workplace. They can be vicariously liable for online activity even if the online comments are posted outside working hours. Organisations that fail to be proactive could face expensive litigation and loss of reputation.

Conduct which is linked to, or damaging to the employer, or causes offence to other employees, requires action. Employers should, therefore, take steps to protect themselves whilst being careful not to infringe an employee’s rights to respect for their private life.

Well-drafted and updated social media policies covering activity both within and outside the workplace are critical. Policies should make clear what conduct is, and is not, acceptable and that disciplinary action may be taken in the event of a breach. Managers and employees should be trained on social media matters. Policies and training will help employers use the ‘reasonable steps’ defence when defending discrimination claims arising in the context of the use of social media.

Apologies by employees are important and may be taken into account by a tribunal when deciding if there has been harassment.

Plant v API Microelectronics Ltd | Employment Tribunal | 4 May 2017
Issue: Social media – dismissal

A machinery operator had worked for a manufacturer of micro-electronics for the security sector for 17 years. She had a clean disciplinary record. The social media policy contained a non-exhaustive list of unacceptable social media activity, including posting comments that might damage the company’s reputation. The policy warned that because conversations between Facebook friends can be copied and forwarded on to others, these conversations were not truly private. The policy also stated that breaches could lead to disciplinary action, and serious breaches would be gross misconduct justifying dismissal. 

The employee posted inappropriate comments on Facebook, including putting her job title as ‘general dogsbody’ and, linking to the employer’s announcement about a possible move of premises, saying ‘bloody place I need to hurry up and sue them PMSL (pissing myself laughing)’. 

Following an investigation and a disciplinary hearing, she was dismissed for breach of the employer’s policy and she later claimed unfair and wrongful dismissal.


The tribunal held that her dismissal was fair, despite her length of service. The employee knew about the company’s social media policy and the dismissal was within the band of reasonable responses open to the employer. 

Implications for employers

Employers must provide employees with access to clear social media policies, with specific sanctions for breach. Organisations should retain written confirmation from employees that they have read and understood the policy, and should also supply regular social media training

To decide if a social media-related dismissal is appropriate, employers should consider the nature and severity of the comments made by an employee and the extent of the damage caused to the business’s reputation. If the organisation has a social media policy, providing training on that policy will be critical to defending a potential unfair dismissal claim.

Derogatory comments made about the workplace may vary from the mildly witty to the deeply damaging. Employers should make an objective assessment of the potential or actual reputational risk and gather evidence of any damage. Relevant aspects include how many customers and clients, saw the posting and whether there were any complaints. How identifiable was the company from the employee’s profile and were any derogatory remarks made about the company, its clients or customers, or employees?

Other relevant factors include whether comments were made during working time and on the employer’s equipment, and whether there has been a breach of the confidentiality that should exist between employers and employees.

While employers should take into account mitigating factors, such as an unblemished record and long service, a clear breach of a known policy may still fall within the range of reasonable responses open to an employer. 

[2016] ECHR 61
Issue: Data protection – monitoring

This ruling gave substantial guidance for employers undertaking monitoring.

An employee was dismissed for breaching the employer’s IT policy that prohibited any personal use of IT equipment. Bărbulescu had previously been told to set up a Yahoo Messenger account for work purposes as well as his personal Yahoo account.

The employer had reminded employees of the IT policy and reiterated that personal use of the internet, phone or fax machine was not permitted. The employer’s notice confirmed that employees’ work would be monitored, and that misconduct would be punished.

The employer monitored Bărbulescu's communications and informed him he was in breach of the policy. Bărbulescu said he had only used Yahoo Messenger for work purposes, but the employer had a long transcript of his communications, including some personal communications with his brother and his fiancée. He was dismissed and challenged the dismissal in the Romanian courts. He lost, largely because he had been told about the company's position on personal use of IT equipment and about the monitoring. He then claimed in the ECHR for a breach of his Article 8 rights (right to respect for private life). 


The ECHR held that the employee's right to a private life had been breached by the employer's monitoring. There had to be a fair balance between the employee's right to respect for his private life and the employer's right to run the company.

The right for respect for private life continues to exist at work, even if this right may be restricted in so far as necessary.

Implications for employers

The European Convention on Human Rights gives a right to respect for private and family life, home and correspondence (Article 8). 

Employers should have comprehensive IT policies, which all staff know about, and which are regularly updated and reviewed. However, these IT policies and any monitoring practices should incorporate safeguards to prevent breach of the Article 8 right. 

This case decision does not mean that employers can no longer monitor employees at all, but organisations should be careful about monitoring, even if their purpose is simply to ensure employees are not using their IT systems inappropriately.

The Regulation of Investigatory Powers Act 2000, and the Investigatory Powers Act 2016 and regulations, govern monitoring of electronic communications. Guidance on monitoring is also provided by the Information Commissioner's Office. 

Employers should:

  • consider if monitoring is required and decide the least intrusive method of doing so
  • inform employees that monitoring may take place, if monitoring is necessary
  • assess the degree of intrusion into employees' privacy caused by the monitoring
  • monitor the flow of communications rather than the actual content of communications
  • limit the number of people who have access to any data collected to make the monitoring less intrusive.

Each time monitoring is proposed employers should assess whether it is appropriate in the circumstances and should remain alert to changes in law governing this area.

[2015] EWHC 376 
Issue: Data protection – dismissal for email abuse 

The technical director of Leeds United was given notice of an imminent redundancy.  A week later he was summarily dismissed for gross misconduct when it was discovered by the club that five years before he had sent a pornographic email to a friend at another football club, and to a younger junior female member of staff – the receptionist – at Leeds United too.

It emerged that Leeds United had actually made a decision not to pay him for his notice period before notice of redundancy, and deliberately went through his emails to try to find evidence of misconduct. The emails were in clear breach of Leeds United’s email and internet use policies, but Williams had never been shown these policies. He accepted that the emails were inappropriate but claimed that this was not gross misconduct enabling termination of his contract without notice. 

He brought High Court proceedings for wrongful dismissal for the salary and benefits he would have received during the notice period. 


The High Court found in favour of the employer and dismissed Williams’ claim for wrongful dismissal. He had committed gross misconduct five years earlier, and the club was entitled to accept this as a repudiatory breach of contract even though that it was discovered so much later. The club was able to justify his dismissal by referring to evidence, discovered only after his dismissal, that he had also sent the offensive attachment to the receptionist at the club.

The fact that the emails had been sent five years earlier was immaterial as the employer had acted promptly when they were discovered. The motives to avoid paying notice pay were also irrelevant. It did not matter that the email and internet use policies hadn’t been shown to Williams as the emails were so clearly inappropriate that he should have known not to send them, especially given his seniority. Involving a much more junior member of staff was gross misconduct as she couldn’t complain and, by doing so, he had exposed the club to a sex harassment claim.

Implications for employers

Organisations that want to dismiss employees and avoid paying their notice pay may be able to use an employees’ misuse of their IT systems, especially transmitting inappropriate material, to defend it in the event of a claim. But for any dismissal, they must follow a fair procedure and act fairly. 

Failure to carry out a proper investigation, for example, could make a dismissal unfair and mitigating factors, such as an unblemished service record, may have an impact on the fairness of the dismissal. If the HR team have been aware of issues for some time, but have taken no action, then a dismissal may be unfair.

Organisations must have a clear policy on social media, email and internet use that links in with the disciplinary policy, and keep it updated. The should ensure that the IT policy:

  • clearly states that breach of the policy is potentially gross misconduct
  • makes it clear that posts on private social media accounts are covered by it  
  • is brought to the attention of all employees. 

In less serious cases, or cases involving more junior employees, the policies that the employer has are of even greater relevance. Employees should be treated consistently across the organisation, and any potential breaches of the policy should be fully investigated.  

[2014] EWCA Civ 92
Issue: Data protection – data subject requests 

Before this case it was thought that employers would only need to disclose data which was of ‘biographical significance’. For example, information would need to go beyond a mere mention of an individual's name in a matter with no personal connotations, such as a meeting request e-mail. It was also thought that to be covered the information must have the individual as its focus, affecting his or her privacy, whether in a personal or business capacity.

Freedom of information applications for disclosure of third party information became less likely to succeed following this case.

Edem made a request to the Financial Services Authority for information about the handling of an earlier complaint. He wanted to use data protection subject access rights to find out data, including the names and job titles of the junior staff who had dealt with his complaint. This contrasted with the Durant case, where the access request related to his own name. The FSA refused to provide names of the three junior employees because this was personal data and so should be exempt from disclosure. 

Looking at legal tests applied in earlier cases, the question was whether it was necessary to decide if the names and job titles were ‘biographically significant’. It appeared that names alone did not satisfy this test from the earlier Durant case.


The Court of Appeal ruled that third party names, requested under the Freedom of Information Act 2000, could be withheld on data protection grounds. Importantly the court said that personal data should be interpreted in accordance with Information Commissioner’s Office guidance and that the Durant case only applied to limited situations. 

When trying to work out whether an individual’s name is personal data, the CA said that biographical significance was irrelevant. The question was whether the data identified a living individual, although the biographical significance test should be used occasionally if needed.

The court held that:

Names are personal data, provided that the context is sufficient to identify individuals. In this case, the context of the individuals' employment in a particular capacity at the relevant time was sufficient to identify them. In contrast, the request in the Durant case was for documents in which Durant was merely mentioned by name.

Only if the information requested was not obviously linked to an individual was the ICO guidance on biographical significance and focus tests needed.

Implications for employers

This ruling has wide implications for employers handling data subject access requests. Under the legislation, individuals (data subjects) including employees can request access to personal data which the employer holds about them.

Under the freedom of information legislation, individuals can also request access to information that is held by UK public authorities, unless an exemption applies. However, third party personal data is exempt from being revealed if its disclosure would go against any data protection principles.

The ICO guidance is the starting point when identifying what information must be disclosed. This says:

  • If information is obviously about someone, such as their name, or clearly linked to them, then it is personal data.
  • If the situation is not so obvious, then information which is not obviously about someone or clearly "linked to" them may be withheld.

References to third party names are not automatically personal data. However, if names reveal the job title of the employees and so on, this may be personal data. If an employee is simply copied in on an email, with no other information about them, this is unlikely to constitute their personal data. It mostly depends on the context.

Weeks v Everything Everywhere Ltd | Employment Tribunal | 15 October 2012
Issue: Social media – use during employment

This case concerned a customer services advisor, with a clean disciplinary record, who worked for the mobile phone company EE, formerly known as T-mobile. He made frequent references to the workplace as ‘Dante’s Inferno’. He was reported for being in breach of the company’s social media policy because the comments were influencing other employees who were also his online friends. 

He was given warnings to stop posting offensive posts but, despite the warnings, continued to make comments about how he disliked where he worked, even though the company wasn’t mentioned by name. He even made harassing and bullying Facebook comments against the colleague he suspected of reporting him. He was subsequently dismissed.


The tribunal held that his dismissal as a result of his Facebook postings was fair.

Implications for employers

Employers must have an up-to-date social media policy which is brought to the attention of all employees.

Cases involving inappropriate comments made by employees on social media should be treated like any other form of potential misconduct. There should be a proper investigation and organisations should ensure that any disciplinary penalty is supported by evidence and is proportionate.

In determining whether a dismissal is justified, the following factors are likely to be relevant:

  • The employee’s job and seniority.
  • The seriousness of the alleged misconduct.
  • The terms of any social media policy.
  • Whether or not any confidential information has been disclosed.
  • The risk of reputational damage.
  • The impact on the employee’s job.
  • Mitigating factors, such as the employee’s service record, disciplinary process and apology.

Any measures taken against an employee must be proportionate to the seriousness of the offence and there must be evidence that reputational damage has taken place.

Otomewo v Carphone Warehouse Ltd | Employment Tribunal | 8 May 2012
Issue: Social media – use during employment

Two Carphone Warehouse employees took a colleague’s mobile phone and logged onto his Facebook page and updated his status to say, ‘Finally came out the closet. I am gay and proud’. The employee was straight and knew his colleagues did not think he was gay. He was later dismissed for unrelated reasons but claimed unfair dismissal, direct sex discrimination, direct sexual orientation discrimination and sexual orientation harassment.  


The tribunal ruled that the employee won the claim for unfair dismissal and the employer was vicariously liable for this sexual orientation harassment. The incident had taken place during work hours and in the workplace. He lost his claim for direct sex discrimination.

Implications for employers

Employers should review their equal opportunities and their social media policies jointly to ensure that the social media policy includes all postings on any social media, not just the employee's or employer's social media. Policies should also be clear that employees can suffer discrimination even if they do not have the particular characteristic to which the discrimination relates.

Issue: Data protection – employer’s reputation on social media

An employee at Apple Retail enquired about a possible transfer to the US. However, he was unable to obtain a US visa and the company would not sponsor him, which made him disgruntled.

He made a series of Facebook posts that used swearing language to criticise working at Apple and made other criticisms about the company and its products. He was suspended pending an investigation and was summoned to a disciplinary hearing for making the comments on Facebook. He was unable to access the disciplinary procedure so had only one hour to familiarise himself with it before the initial meeting. Following the hearing, he was dismissed for gross misconduct for bringing the company’s name into disrepute. 

He had previously had training in the company’s policies and guidelines, which included how an employee’s actions outside work and online could affect the employer’s reputation. He had been notified that a breach of the policy may result in disciplinary proceedings. 

The employee claimed unfair dismissal, breach of his Article 8 right to respect for private and family life under the European Convention on Human Rights, and infringement of his Article 10 right to freedom of expression. 


The employment tribunal found in the company’s favour and dismissed Crisp’s claim for unfair dismissal. The organisation had conducted a reasonable investigation and had clear evidence regarding the social media posts. The failure to provide Crisp with the disciplinary procedure prior to the appeal stage was not enough to make the disciplinary process unfair, as his previous training was sufficient to make him aware that these comments were capable of damaging the employer’s reputation.

The Article 8 right to respect for private and family life did not arise because of the nature of social media and the ease with which information can be distributed. The article 10 right to freedom of expression was balanced by Apple’s conduct in limiting this right to protect its reputation.

Implications for employers

Although this is only an Employment Tribunal decision and is not binding on other tribunals, it is a useful example of how the law treats misuse of social media in the workplace. Employee’s actions on Facebook are sufficiently linked to employment to justify dismissal. 

Employers should review their IT policies regularly to ensure that they are sufficiently up to date, are linked to disciplinary and dismissal procedures, and make it clear that any breach of the policy could potentially be gross misconduct. 

Training in social media policies may assist organisations that wish to dismiss employees for comments that could damage their reputations. They must be able to show that policies have been brought to the attention of employees, and that their policies make it clear that postings made on private social media accounts are covered too. 

Issue: Data protection – misuse of social media

Preece, who was a shift manager at a Wetherspoons’s pub in Cheshire, and her colleague, were subjected to a shocking torrent of verbal abuse and physical threats by a group of customers, particularly by two known customers. The manager was threatened with a cane and asked the customers to leave the pub because of this behaviour. 

That evening the daughter of the problem customers made a series of unpleasant phone calls to the manager’s colleague, threatening them with a P45. That evening Preece began Facebook and real-life discussions about what had happened, in which she was rude about the two known customers. 

The organisation received a complaint from the customer’s daughter about Preece’s Facebook entries and began an investigation. 

The manager knew about the company’s policies on MySpace and Facebook, which stated that employees should not contribute to any content lowering the reputation of the company or its customers. She stated, in mitigation, that she had been subjected to three abusive telephone calls from these customers and their daughter. 

At the disciplinary hearing, Preece admitted that her actions were in breach of company policy. However, she said her privacy settings meant that her Facebook messages would have been seen only by between a maximum of 40 to 50 friends, rather than all her 646 friends. 

She was dismissed for gross misconduct and appealed on the grounds of the severe provocation. However, the dismissal was upheld and a claim for unfair dismissal followed. 


The tribunal found that the employer genuinely believed that Preece had committed gross misconduct. The organisation had carried out as much investigation into the matter as was reasonable in all the circumstances. The Facebook activities were in the public domain. Under the European Convention on Human Rights, the employee had the right to freedom of expression, but the employer’s actions were justified in view of the risk of damage to its reputation. 

The tribunal stated that if the Facebook entries had been made more in the heat of the moment, the organisation may have considered the manager’s misconduct warranted a final written warning, rather than dismissal. But there had been sufficient time for Preece to calm down between the incident occurring and her comments, and the dismissal was within the range of reasonable responses open to the employer. 

Implications for employers

This case is a good example of how an employee who has mitigating factors in their favour may still be dismissed fairly for misconduct. 

It is essential that all employers have, and follow, a clear and comprehensive policy on their employees’ use of social media.

[2007] ECHR 253
Issue: Data protection – monitoring

An employee at Carmarthenshire College had her telephone, internet and email use monitored to ascertain whether she was making excessive personal use of them. 

The college said her telephone use was monitored only by analysing telephone bills for a few months. The employee said incoming calls were monitored as well as outgoing calls, and that the length, volume and telephone numbers were logged for at least 18 months, and her emails monitored for at least six months.

The college did not have a policy on monitoring employees’ communications.


The ECHR held that the monitoring was in breach of Article 8 rights to privacy under the European Convention on Human Rights as employees were not even warned that they could expect such monitoring to take place. It awarded compensation of €3,000 in respect of damages for stress, anxiety, and inability to sleep, plus €6,000 for costs.

Implications for employers

Organisations must have policies covering the monitoring of employee communications and apply these policies fairly.

The Regulation of Investigatory Act 2000 (RIPA), and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 made under RIPA, which cover such activities had not came into when this case was heard. Since the employee had not been informed of the monitoring, and consented to it, the employer’s actions were a breach of Article 8 and a criminal act. 

Employees are entitled to a significant degree of privacy at work. Organisations should note that:

  • It is a criminal offence for employers to intercept employees’ communications unless both parties to the communication consent, or the employer has taken reasonable steps to inform employees that their communications might be monitored.
  • They must be able to justify any monitoring by real reasons and benefits. 
  • Monitoring employees’ communications can amount to a breach of the duty of trust and confidence, entitling an employee to resign and claim constructive unfair dismissal. 

[2003] EWCA Civ 1746
Issue: Data protection – personal data and manual records

This case involved a very long-running dispute between a former Barclays Bank customer and the Financial Services Authority (FSA, now the Financial Conduct Authority). 

Durant wanted access to personal information which the FSA refused to give him. It was critical in the case to establish precisely what ‘personal data’ meant under data protection law in force at the time. Although the law has moved on since, the case remains very useful for employers trying to fully understand the complexities of personal data and filing systems.


The Court of Appeal judges decided against Durant, ruling that merely mentioning an individual's name in a document does not make that whole document personal data. This meant that some data could not be obtained by an individual under their rights of access. The CA said personal data covers personal information that affects a person's privacy, whether in their personal or family life, business or professional capacity.

The CA also gave guidance on the kinds of manual files that were covered by subject access. Paper-based personal information was subject to the data protection legislation, but only if the information was recorded in a highly structured filing system so that specific information about a particular individual could be readily located.

Implications for employers

At the time, the Durant case was ground-breaking, because the Court of Appeal clarified the two most important data protection issues, namely: 

  • what makes data personal
  • what was meant by a relevant filing system. 

The law has developed since this case. As well as detailed guidance from the Information Commissioner's Office, developments have included the Data Protection Act 2018, the General Data Protection Regulation and updates to the Freedom of Information (FOI) legislation.

Following this case (and the subsequent legislation):

  • Personal data now includes information relating to an ‘identifiable natural person’. This includes a person who can be identified, directly or indirectly, by reference to their name, or an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
  • Processing of personal data covers processing by automated means, and non-automated processing, which is intended to form part of a filing system.
  • Under certain circumstances, personal data includes online identifiers such as IP addresses and mobile device IDs. 

For example, there are many individuals called John Smith but where the name is combined with other information (such as an address, place of work, or telephone number) this will usually be sufficient to clearly identify one individual.

Under the Data Protection Act 2018, even unstructured manual information processed by public authorities constitutes personal data. This includes paper records that are not held as part of a filing system. Although it is personal data, it is exempted from most of the principles and obligations in the GDPR. 

Employers should be cautious and make sure all data is secure and not stored for longer than necessary. Also see the implications in the Edem case.

[1997] ECHR 32
Issue: Data protection – monitoring

An assistant chief constable with Merseyside Police unsuccessfully sought promotion and then started tribunal proceedings, claiming the reason for her failure to progress further was sex discrimination. 

She alleged a campaign against her followed in response to her sex discrimination claim, including press leaks and interception of her telephone calls. She claimed a breach of her Article 8 rights to privacy under the European Convention on Human Rights when her phone calls from her office were intercepted for the purposes of obtaining information to be used against her in the discrimination proceedings. She also claimed her phone calls from home were intercepted.


The ECHR held that:

  • the telephone conversations in Halford's office at the police headquarters fell within the scope of her private life and correspondence
  • the police authority violated her Convention rights to privacy when it tapped her office telephone calls to gather information in order to defend the sex discrimination. 

No warning was given that calls made on the office telephone would be liable to interception, and so Halford had a reasonable expectation of privacy for such calls. She was not able to show that her telephone calls made from her home had been intercepted. She was awarded £10,000 damages but her claim to have suffered a stress-related illness as a result of the breach was rejected. 

Implications for employers

Article 8 of the European Convention on Human Rights gives a right to respect for private and family life, home and correspondence. Employers’ monitoring practices should incorporate safeguards to prevent breach of the Article 8 right. 

Organisations must identify the purpose and benefits of monitoring; an impact assessment which achieves this may range from a few moments’ thought to a detailed analysis. 

If monitoring is to be used, businesses must:

  • have a clear policy on privacy, which refers to the nature and extent of any associated monitoring, and make employees aware of the policy
  • tell employees what monitoring is taking place and why, and keep them aware of this
  • ensure that the sensitive data conditions are satisfied under the data protection legislation if sensitive data (such as health information) is monitored.

The staff that have access to personal information obtained through monitoring must be kept to a minimum and be properly trained in confidentiality and security requirements.

Personal information collected through monitoring must only be used for purposes for which the monitoring was introduced, unless it reveals activity that no employer could reasonably be expected to ignore (for example, criminal conduct).

Please note: While every care has been taken in compiling these notes, CIPD cannot be held responsible for any errors or omissions. These notes are not intended to be a substitute for specific legal advice.

Explore our related content