Data protection issues when monitoring staff

There are strict restrictions on your ability to collect information about your staff by keeping them under some form of observation. This section provides guidance about when and how you can monitor your staff using various different means without breaching your obligations. This includes monitoring their correspondence, calls, web browsing, social media, physical location and personal devices. It also covers monitoring via CCTV or by carrying out drug or alcohol testing.

Monitoring staff's online activity, emails, post or voicemails

  1. Am I allowed to monitor staff online activity, emails, post or voicemails?
  2. Do I need to have a specific reason for monitoring my staff members' online activity, email, post or voicemails?
  3. Do I have to consider alternatives to monitoring staff online activity, emails, post or voicemail?
  4. Do I need to carry out a data protection impact assessment before I start monitoring staff online activity, emails, post or voicemail?
  5. How closely can I monitor staff online activity, emails, post or voicemail?
  6. Am I allowed to access private or sensitive personal data when monitoring staff online activity, emails, post or voicemail?
  7. Do I have to tell my staff that I am monitoring their online activity, emails, post or voicemail or can I monitor them covertly?
  8. Am I allowed to monitor staff emails and online activity if they are using a personal device or home network to work?
  9. Am I allowed to monitor staff members' social media pages or other personal online accounts?
  10. Am I allowed to open staff members' post, emails or voicemails?
  11. What can I do to minimise the impact on the privacy of my staff if I need to access their post, emails or voicemails?

Monitoring the location of staff members

  12. Am I allowed to monitor my staff members' location using location tracking software or other geolocation data?
  13. Do I need a specific reason to monitor my staff's location using location tracking software or other geolocation data?
  14. Do I need to consider alternatives to using location tracking software or other geolocation data to monitor staff?
  15. Do I need to carry out a data protection impact assessment when monitoring staff using location tracking software or other geolocation data?
  16. How closely can I monitor staff using location tracking software or other geolocation data?
  17. Am I still allowed to use location tracking software or other geolocation data to monitor my staff member if they sometimes use their vehicle or device for private purposes?
  18. Do I have to tell my staff that I am monitoring their location tracking software or other geolocation data or can I do it covertly?

Monitoring staff using CCTV or live video feeds

  19. Am I allowed to monitor staff using CCTV cameras or live video feeds?
  20. Do I need a specific reason for monitoring staff using CCTV cameras or live video feeds?
  21. Do I need to consider alternatives to using CCTV cameras or live video feeds to monitor staff?
  22. Do I need to carry out a data protection impact assessment before I start monitoring staff using CCTV cameras or live video feeds?
  23. Are there any limitations on where I can position cameras if I plan to monitor staff using CCTV or video surveillance?
  24. What do I do if footage I do not need is captured on footage from CCTV or video surveillance?
  25. Do I have to tell my staff that I am monitoring them using CCTV cameras or live video feeds?

Recording staff telephone conversations and meetings

  26. Am I allowed to record staff telephone conversations or meetings?
  27. Do I need to have a reason for recording staff telephone conversations or meetings with staff members?
  28. Do I have to consider alternatives to recording staff telephone conversations or meetings?
  29. Do I need to carry out a data protection impact assessment before I start recording staff telephone conversations or meetings with staff members?
  30. What do I need to consider when considering which telephone conversations or meetings to record?
  31. Do I have to tell my staff that I am recording their telephone conversations or meetings or can I do so covertly?

Carrying out drug and alcohol testing on staff

  32. Am I allowed to carry out drug or alcohol testing on staff?
  33. Do I need to have a specific reason for carrying out drug or alcohol testing on staff?
  34. Do I need to consider alternatives to drug and alcohol testing on my staff members?
  35. Do I need to carry out a data protection impact assessment before I carry out drug or alcohol testing on staff?
  36. How do I decide on what type of drug or alcohol test to carry out on my staff?
  37. How frequently can I carry out drug and alcohol testing?
  38. Do I have to tell my staff that I am going to carry out drug or alcohol testing on them?

Storing and using data collected through staff monitoring

  39. How should I store the data I have collected through staff monitoring?
  40. Am I allowed to use the data collected through staff monitoring for disciplinary purposes or as a basis for dismissal?

Consequences of unlawful monitoring

  41. What are the consequences of unlawfully monitoring staff?

Impact Assessment (drug and alcohol testing)

Use this impact assessment (drug and alcohol testing) before beginning any staff alcohol or drug testing, to make sure you comply with data protection law. By completing this template impact assessment (drug and alcohol testing) you record that you have complied with the UK GDPR by carrying out a data protection impact assessment (DPIA). You are legally required to carry out this kind of assessment before monitoring staff through drug and/or alcohol testing.
£20 + VAT

Data protection impact assessment policy

A data protection impact assessment policy is an internal document setting out how and when your business will assess the data protection risks of its activities. It’s important to have proper policies and procedures in place when you’re handling personal data, and carrying out a data protection impact assessment is sometimes mandatory under Article 35 UK GDPR. A data protection impact assessment might also be referred to as a privacy impact assessment, a DPIA or a GDPR risk assessment. This template DPIA policy will help you to comply with your data protection obligations by setting out when and how your staff should consider carrying out data impact assessments. It also includes a template DPIA form, which has been produced by the Information Commissioner’s Office (ICO). This provides an example of how you can assess, record and seek to reduce the privacy risks associated with your projects. Where applicable, it also includes a template DPIA form for use by online services which are directed at, or are likely to be used by, children, which has been produced by the ICO. This will help relevant online services to comply with their obligations under the ICO's Age Appropriate Design Code. You can also purchase this policy as part of the Data protection policy toolkit.
£25 + VAT