The ICO exists to empower you through information.

We’ve written these tips with the needs of small businesses and SMEs in mind. If you’re a small club, group or other small organisation looking to set up oversight of your employees’ workspace, you may also find this useful.

The increase in remote working means many small businesses will want to think about how they can run their business efficiently and productively, wherever their staff are based.

Monitoring staff can be intrusive, even when done with the best of intentions. But if you do it right, you can build strong relations with those you work with and earn a reputation as a business that respects privacy. You’ll also save time by avoiding disputes.

This short guide will help you decide if employee monitoring is right for your business. It will also show how you can do it in a way that respects your staff and complies with data protection law.

Think about your reasons for monitoring your staff

You can monitor your staff as long as you can justify it and have a lawful basis. You might want to protect your staff by making sure they can work safely in a different environment, or protect your business from theft, complaints or legal action. Or you might want to check if something is making your business less efficient than it could be – for example, whether staff are using company resources appropriately.

Make sure what you’re doing is fair

Staff oversight should be reasonable and it should depend on each situation. You should consider whether this is necessary and proportionate and whether it could intrude on employees’ personal lives.

Example

For example, Stevie is the owner of a small courier. She decides it’s fair to track the location of company vehicles delivering parcels, to run her business efficiently and give her customers a good service. One of her team uses the same car for work and personal reasons. Stevie makes sure there’s the option to turn off tracking outside of working hours as she knows recording during these times would be unfair and potentially unlawful.

Similarly, you might think about monitoring phone calls, email or internet use. You must consider whether it could intrude on employees’ personal emails, calls or other correspondence. You could minimise the risk of checking employees’ personal or confidential information without good reason by discouraging staff from using company devices for non-work matters. Or consider putting in place an agreement that confidential or non-work-related emails won’t be checked as long as they have been flagged in the subject line, for example “private - confidential”.

Be transparent with your staff

You should tell people in advance about the oversight tools you’re using, including any potential for covert monitoring. They should understand what you’re doing and what’s expected of them. For most small businesses, a simple explanation as part of your staff policy or privacy notice is enough. But you could also draw attention through a staff email, showing you care about data protection and helping to build trust with your team.

Your oversight activities need to be documented in full in your policies. You should also do regular reviews of your methods to check they’re still appropriate.

Keep the data secure

As with all personal data, any information you record should only be available to people who need to see it. It also needs to be protected from damage, loss or theft.

It’s important you securely delete or dispose of the information when you no longer need it. The less information you hold, the easier and cheaper it is to protect it, for example through lower storage costs.

Consider alternatives

Think about whether there are less intrusive ways to achieve the same results. This could include training staff on how they’re expected to work, or carrying out regular performance reviews to encourage them to work in a certain way.

If you feel monitoring is appropriate, you could consider whether this could be limited to particular areas of your business, rather than a one-size-fits-all approach.

Example

For example, Zac runs a furniture warehouse. There have recently been a number of incidents in the loading bay, one of which led to a staff member being injured. Zac wants to check that staff adhere to health and safety guidelines and see where he can make improvements.

He considers health and safety refresher training but thinks CCTV could help prevent future incidents too. He thinks installing CCTV is justified and necessary to protect staff and make sure they’re following guidelines. It will also provide evidence if something happens.

To limit the CCTV’s privacy intrusion, Zac only installs cameras in high-risk areas of the loading bay. He limits access to the footage to his floor managers, who check the footage periodically, rather than all the time. The cameras don’t cover the staff break room, locker room or toilets.

Zac lets his staff know that cameras are installed by putting up signs, and explaining what the cameras are being used for as part of the additional training.

Please note: we’re currently updating guidance following the responses from our call for views on employment practices and data protection. Therefore this short guide may be updated in the future.