Surveillance in the workplace

Introduction

You have a right to privacy in the workplace. However, your right to privacy is balanced against your employer's rights to run their business and protect their company.

Your employer has an interest in protecting their business, reputation, resources and equipment. To do this, they may want to monitor your use of email, internet and phone. They may also want to use CCTV to monitor your workplace.

When your employer collects, uses or stores information about you – including monitoring emails, internet use or using a CCTV system – they must comply with the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

This page explains the rules employers must follow when monitoring you in the workplace. You can also read the general rules for data protection in the workplace.

Monitoring emails and internet use

Information your employer must give you

Your employer should give you their policy on email and internet use in the workplace, including the use of social media. This is known as an Acceptable Usage Policy (AUP). The AUP should clearly describe how much you can use company devices for your own personal or private communication. You can find an example of an AUP(pdf) on the Irish SME website.

If your employer is monitoring your email and internet use, they must tell you their reasons for doing this.

They must tell you:

  • Who is monitoring you
  • What they are monitoring
  • How they are monitoring you
  • When they are monitoring you

They must also tell you the procedures for how and when you will be told if you break the rules for internet and email use, and how you can respond to these claims.

Is the monitoring necessary, legitimate and proportionate?

If your employer wants to monitor your internet use or emails, it must be:

Necessary

Your employer must be sure that monitoring is necessary. They should consider less intrusive ways of supervising you before deciding on monitoring. For example, blocking websites would be less intrusive - and generally more acceptable - than monitoring your internet search history.

Legitimate

The monitoring should have a legal basis. For example, to make sure employees are not using the internet to download pornography, or to disclose confidential company information to people outside the organisation.

Proportionate

Your employer’s monitoring must be proportionate to the risk of the perceived threat. Proportionality means it must be fair, measured and reasonable in terms of its objectives. Monitoring all of your emails to make sure you are not passing on confidential information about the company would not be proportionate. However, monitoring your emails using an automated system to scan for viruses would probably be considered be proportionate.

Telling you when there is a concern

Your employer should tell you immediately if they believe you are misusing electronic communications, unless there are important reasons for continuing the monitoring (see ‘monitoring you without you knowing’ below). Your employer can use software such as pop-up warning windows to let you know that you are misusing the company’s systems.

Using CCTV in the workplace

If your employer has CCTV in your workplace, they must display signs telling you where the cameras are located. The signs should be easy to read, well-lit and positioned in places where they can be easily seen. The signs should also give contact details for someone you can discuss the processing of your data with. This could be, for example, the owner of the premises or the security company operating the CCTV system.

Your employer must clearly state why they are using CCTV if it is not obvious. For example, placing a camera at the entrance of a building to detect intruders is obvious. However, if your employer is using CCTV to monitor your behaviour or performance, this is not obvious and the employer must tell you before recording for these reasons. Similarly, if CCTV is installed for health and safety reasons, this should be clearly stated and made known to everyone in the workplace.

Your employer should have a written CCTV policy including:

  • The identity of the company holding the CCTV footage
  • The reasons why the CCTV footage is being used
  • Any third parties the footage may be given to
  • How you can request to see the footage held of you
  • How long the footage can be held for
  • How the footage will be secured

Reasonable and unreasonable use of CCTV in the workplace

Your employer must have a valid reason to use CCTV to monitor your workplace. They must also consider if using CCTV is reasonable. For example, using CCTV to detect intruders, vandals or thieves may be reasonable. However, using CCTV to constantly monitor employees would be intrusive and would only be justified in special circumstances.

It is very difficult for an employer to justify using CCTV to monitor areas where you expect privacy, for example, in bathrooms. If your employer wants to do this, they must show that a number of security breaches have taken place in these areas. Even if your employer justifies using CCTV in a bathroom, the cameras should never be able to capture images from cubicles or urinal areas.

Monitoring you without you knowing

Generally, it is against the law to collect someone’s data or monitor them without them knowing – this is called covert surveillance. This is only allowed in very special circumstances where the data will be used to detect, prevent or investigate crime, or to catch and prosecute offenders.

You should only be monitored covertly (without you knowing) if you or your workplace are relevant to a criminal investigation. Covert surveillance must be focused and can only last for a short amount of time. If no evidence is found within a reasonable amount of time, the employer should stop the covert surveillance.

A specific written policy must be put in place to allow for covert surveillance. This policy must explain:

  • The reason and justification for the covert surveillance
  • Details of the procedures, measures and safeguards that will be implemented while this type of surveillance is ongoing.

The final objective of the covert surveillance should be the involvement of An Garda Síochána or other prosecution authorities who can investigate any alleged criminal offence(s). This should also be added to the policy.

Personal devices at work

Using your own device for work (such as your laptop, smartphone, or tablet) can raise issues for data protection compliance. Your personal device has information about your personal life that your employer would not normally be allowed to access. However, your employer might have reason to be concerned about your device. For example, your employer is responsible for any personal data you process using your work email settings. The device might also have important information about the business that your employer wants to protect.

If your employer allows you to use your own device for work, they should:

  • Have a 'bring your own device' (BYOD) policy explaining how you can use your device at work and what your responsibilities are
  • Know where the device's processed data is stored, and what measures must be taken to keep the data secure
  • Make sure that data is kept secure when transferring it from your personal device
  • Consider how to manage data held on your device when you leave the company, or if the device is stolen or lost

Monitoring your activities when working from home

When you work from home (also called remote working), your employer should follow the same rules in relation to monitoring your work. This should include telling you:

  • Who is monitoring you
  • What they are monitoring
  • How they are monitoring you
  • When they are monitoring you

Your employer should tell you if they are using employee surveillance software, for example, to track your mouse and keyboard activity, your use of email, social media, files and applications, and so on. This may be contained in a policy provided by the employer. Read ‘Monitoring emails and internet use’ above.

You can also read about your rights and responsibilities when working from home.

Accessing the data that your employer holds about you

You can ask your employer to give you the data they have collected about you when monitoring your email or internet use. You can also ask to see the images they have captured of you on CCTV. This is called a Data Subject Access Request.

Your employer must respond to your request within 1 month. This can be extended by a further 2 months if your request is complex or if you have made numerous requests.

Where to make a complaint

If you have a complaint about surveillance at work, you should discuss this with your employer.

If you cannot resolve your complaint with your employer, you should contact the Data Protection Commission.

Data Protection Commission

21 Fitzwilliam Square South,
Dublin 2,
D02 RD28
Ireland

Opening Hours: 09:15 – 17:30 Mon – Thurs, 09:15-17:15 Friday
Tel: +353 57 868 4800 / +353 0761 104800

Page edited: 15 June 2021