Surveillance at work

You have a right to privacy at work. However, this right must be balanced with your employer's need to run and protect their business.

Your employer wants to protect their business, reputation, resources, and equipment. To do this, they may want to monitor how you use email, internet, and phones, or use security cameras (CCTV) in your workplace.

When your employer collects, uses or stores information about you they must comply with the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

This page explains the rules employers must follow when monitoring you in the workplace. You can also read the general rules for data protection in the workplace.

Information your employer must give you

Your employer should give you their policy on email and internet use at work, including the use of social media. This policy is known as an Acceptable Usage Policy (AUP). The AUP should clearly state how much you can use company devices for personal communication. You can find an example of an AUP (pdf) on the Irish SME website.

If your employer is monitoring your email and internet use, they must tell you their reasons for doing this.

They must tell you:

• Who is monitoring you
• What they are monitoring
• How they are monitoring you
• When they are monitoring you

They must also tell you about the procedures they will take if someone breaks the rules for using the internet and email, and how you can respond to these claims.

The monitoring must be necessary, legitimate, and proportionate

If your employer wants to monitor your internet use or emails, it must be:

Necessary

Your employer must be sure that monitoring is necessary. They should consider less intrusive ways to supervise you before deciding on monitoring. For example, blocking certain websites would be a less intrusive and generally acceptable option compared to monitoring your internet search history.

Legitimate

The monitoring should have a legal basis. For example, it may be necessary to stop employees from using the internet to access inappropriate content or to share confidential company information outside the organisation.

Proportionate

Your employer’s monitoring must be fair, reasonable and proportional to the perceived threat. For example, monitoring all your emails to make sure you are not passing on confidential information about the company would not be proportionate. However, using an automated system to scan for viruses in your emails would likely be seen as proportionate.

Telling you when there are concerns

Your employer should tell you immediately if they suspect you are misusing electronic communications unless there are important reasons to continue monitoring without your knowledge (see more below). Your employer can use pop-up warnings to alert you if you are misusing company systems.

If your workplace has CCTV, there must be clear signs indicating where the cameras are placed. The signs should be easy to read, well-lit and located in visible areas. They should also give contact information for discussing the handling of your data. For example, the owner of the premises or the security company operating the CCTV system.

Your employer must clearly state why they are using CCTV if it is not obvious. For example, placing a camera at the entrance to detect intruders is obvious. However, monitoring your behaviour or performance using CCTV is not obvious. In such cases, your employer must tell you before recording for these reasons. Similarly, if CCTV is installed for health and safety reasons, this should be clearly communicated to everyone in the workplace.

Your employer should have a written CCTV policy that includes:

• The identity of the company holding the CCTV footage
• The reasons for using CCTV footage
• Any third parties the footage may be shared with
• How you can request to see the footage of yourself
• How long the footage will be held for
• How the footage will be secured

Reasonable and unreasonable use of CCTV

Your employer must have a valid reason and consider whether using CCTV is reasonable. For example, using CCTV to detect intruders, vandals or thieves may be reasonable. However, using CCTV to constantly monitor employees is intrusive and only justifiable in special circumstances.

It is very difficult for an employer to justify using CCTV to monitor areas where you expect privacy, for example, in bathrooms. If your employer wants to do this, they must show that several security breaches have occurred in these areas. Even if they justify using CCTV in a bathroom, the cameras should never capture images from cubicles or urinal areas.

Generally, it is against the law to collect someone’s data or monitor them without them knowing, called covert surveillance. This is only allowed in exceptional circumstances where the data is used to detect, prevent, or investigate crime, or to prosecute offenders.

Covert surveillance can only take place if you or your workplace are relevant to a criminal investigation. It must be focused and for a short period. If no evidence is found within a reasonable time, the employer should stop covert surveillance.

A specific written policy must be put in place to allow for covert surveillance. This policy must explain:

• The reason and justification for covert surveillance
• Procedures, measures, and safeguards during ongoing surveillance
• The goal of involving An Garda Síochána or other prosecution authorities to investigate alleged criminal offences

Using your own device for work can raise data protection issues. Your personal device has personal information that your employer would not normally access.

However, your employer may have legitimate concerns, like protecting personal data processed using your work email settings or protecting business information on your device.

If your employer allows you to use your personal device for work, they should:

• Have a 'bring your own device' (BYOD) policy explaining how you can use your device at work and your responsibilities
• Know where data from your device is stored and implement security measures
• Make sure data is kept secure during transfers from your personal device
• Consider how to manage data on your device when you leave the company, or if the device is stolen or lost

When you work from home (remote working), your employer should follow the same rules for monitoring your work. This includes telling you about:

• Who is monitoring you
• What they are monitoring
• How they are monitoring you
• When they are monitoring you

Your employer should tell you if they use employee surveillance software, such as tracking your mouse and keyboard activity, email usage, social media, files, and applications. This information may be included in a policy provided by your employer.

You can also read about your rights and responsibilities when working from home.

You can ask your employer to give you the data they have collected about you while monitoring your email or internet use. You can also ask to see the images captured of you on CCTV. This is called a Data Subject Access Request.

Your employer must respond to your request within 1 month. This can be extended by a further 2 months if your request is complex or if you have made numerous requests.

If you have a complaint about surveillance at work, discuss this with your employer first.

If you cannot resolve the issue with your employer, you should contact the Data Protection Commission.