Surveillance in the workplace
Your privacy in the workplace is protected by law. However, your right to privacy is balanced against the rights of your employer to run their business and protect their company.
Your employer has an interest in protecting their business, reputation, resources and equipment. To achieve this, they may want to monitor your use of email, internet and phone. They may also want to use CCTV to monitor your workplace.
When your employer collects, uses or stores information about you – including monitoring emails, internet use or using a CCTV system – they must comply with the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.
This document explains the rules that employers must follow when monitoring you in the workplace. If you are an employer, prevention is more important than detection when monitoring your employees. The Data Protection Commission has produced useful guidance notes for monitoring of staff under the new data protection requirements. You can also read the general rules for data protection in the workplace.
Monitoring emails and internet use
Information that your employer must give you
Your employer should give you their policy on email and internet use in the workplace, which should include the use of social media. This is known as an Acceptable Usage Policy (AUP). The AUP should clearly describe how much you can use company devices for your own personal or private communication. You can find an example of an AUP on the Data Protection Commission website.
If your employer is monitoring your email and internet use, they must tell you their reasons for doing this.
They must give you details of the monitoring, including:
- Who is monitoring you?
- What are they monitoring?
- How are they monitoring you?
- When are they monitoring you?
They must also tell you the procedures for how and when you will be told if you break the rules for internet and email use and how you can respond to these claims.
Is the monitoring necessary, legitimate and proportionate?
If your employer wants to monitor your internet use or your emails, it must be:
- Necessary – your employer must be sure that monitoring is necessary and should consider less intrusive ways of supervising you before deciding on monitoring. For example, blocking websites would be less intrusive - and generally more acceptable - than monitoring internet search history.
- Legitimate – the monitoring should have a legal basis, for example, to ensure that employees are not using the internet to download pornography, or to disclose confidential company information to people outside the organisation.
- Proportionate – your employer’s monitoring must be proportionate to the risk of the perceived threat happening. Monitoring all of your emails to ensure that you are not passing on confidential information about the company would not be proportionate. However, monitoring your emails using an automated system to scan for viruses would probably considered be proportionate.
Telling you when there is a concern
Your employer should tell you immediately if they detect that you are misusing electronic communications, unless there are important reasons for continuing the monitoring (see ‘monitoring you without you knowing’ below). Your employer can use software such as pop-up warning windows to let you know that you are misusing the company’s systems.
Using CCTV in the workplace
Your employer must inform you if there is CCTV in your workplace
If your employer has CCTV in your workplace, they need to display signs telling you where the cameras are located. The signs should be easy to read, well-lit and positioned in places where they can be easily seen. The signs should also provide contact details for someone whom you can discuss the processing of your data with, for example the owner of the premises or the security company operating the CCTV system.
Your employer must clearly state why they are using CCTV if it is not obvious. For example, the reason for having a camera placed at the entrance of a building to detect intruders would be obvious. If your employer is using CCTV to monitor your behaviour or performance, this is not obvious and the employer must inform you before recording for these reasons. Similarly, if CCTV is installed for health and safety reasons, this should be clearly stated and made known to everyone in the workplace.
Your employer should have a written CCTV policy which includes the following information:
- The identity of the company holding the CCTV footage
- The reasons why the CCTV footage is being used
- Any third parties the footage may be given to
- How you can request to see the footage held of you
- How long the footage can be held for
- How the footage will be secured
Reasonable and unreasonable use of CCTV in the workplace
Your employer must have a valid reason to use CCTV to monitor your workplace. They must also consider if using CCTV is reasonable. For example, using CCTV to detect intruders, vandals or thieves may be reasonable. However, using CCTV to constantly monitor employees would be intrusive and would only be justified in special circumstances.
It would be very difficult for an employer to justify the use of CCTV to monitor areas where you would expect privacy, for example, in bathrooms. If your employer wanted to do this, they would need to demonstrate that a number of security breaches had taken place in these areas. Even if your employer could justify using CCTV in a bathroom, the cameras should never be able to capture images from cubicles or urinal areas.
Monitoring you without you knowing
Generally, it is against the law to collect someone’s data or monitor them without them knowing – this is called covert surveillance. This is only allowed in very special circumstances where the data will be used to detect, prevent or investigate crime or to apprehend and prosecute offenders.
You should only be monitored covertly if you or your workplace are relevant to a criminal investigation. Covert surveillance must be focused and can only last for a short amount of time. If no evidence is found within a reasonable amount of time, the employer should stop the covert surveillance.
A specific written policy must be put in place to allow for covert surveillance. This policy must detail the purpose and justification for the covert surveillance and provide details of the procedures, measures and safeguards that will be implemented while this type of surveillance is ongoing. The final objective of the covert surveillance should be the involvement of An Garda Síochána or other prosecution authorities who can investigate any alleged criminal offence(s). This should also be added to the policy.
Personal devices at work
Using your own device for work (smartphones, tablets) can raise issues for data protection compliance. Your personal device contains information about your personal life that your employer would not normally be allowed to access. However, your employer might have reason to be concerned over your device for various reasons. For example, your employer is responsible for any personal data that you process using the work email settings. The device might also contain important information about the business that the employer might want to protect.
If your employer allows you to use your own device for work, they should:
- Have a bring your own device (BYOD) policy that explains how you can use your device at work and what your responsibilities are
- Be clear about where the data processed by the device is stored and what measures must be taken to keep the data secure
- Ensure that data is kept secure when transferring it from your personal device
- Consider how to manage data held on your device when you leave the company or if the device is stolen or lost
Accessing the data that your employer holds about you
You can ask your employer to give you the data that they have collected about you when monitoring your email or internet use. You can also ask to see the images that they have captured of you on CCTV. This is called a Data Subject Access Request.
Your employer must be able to respond to your request within 1 month. This can be extended by a further 2 months if your request is complex or if you have made numerous requests.
Where to make a complaint
You should contact the Data Protection Commission if you have a complaint about how your employer has collected your data when using CCTV or when monitoring your email or internet use. The website is dataprotection.ie – see address below.