Data Protection Code Part 3 Briefing
Monitoring at Work– core principles
The UK Information Commissioner, responsible for ensuring compliance
with the 1998 UK Data Protection Act, published the third part
of the Employment Practices Data Protection Code entitled 'Monitoring
at Work' in June 2003. Part 3 of the Code spells out the basic
Do's and Don'ts for employers who monitor the activities of their
employees, or who are thinking of doing so. The 'core principles'
of the Code are:
- It will usually be intrusive to monitor workers.
- Workers have a legitimate expectation that they can keep their
personal lives private and that they are entitled to a degree
of privacy in the work environment.
- If employers wish to monitor their workers, they should be
clear about the purpose of the monitoring and be satisfied that
the particular monitoring arrangement is justified by the real
benefits that will be delivered.
- Workers should be aware of the nature, extent and reasons
for any monitoring, unless (exceptionally) covert monitoring
- In any event, workers' awareness will influence their expectations.
Monitoring at Work – Good Practice Recommendations
The Code recommends good practice in seven key areas related
to monitoring in the workplace. The recommendations are relevant
to large and small employers alike and the Code applies to both
systematic as well as occasional monitoring. Important points
for workers to bare in mind under this section of Part 3 of the
- Managing data protection
- Employers must attempt to eliminate the collection of personal
information that is irrelevant or excessive to the employment
- Employers should consult workers, and/or trade unions or other
representatives, about the development and implementation of
employment practices and procedures that involve the processing
of personal information about workers.
2. General approach to monitoring
- Employers must inform workers what monitoring is taking place
and why, and keep them aware of this, unless covert monitoring
- If information gathered from monitoring might have an adverse
impact on workers, employers must present them with the information
and allow them to make representations before taking action.
3. Monitoring electronic communications
- Employers who wish to monitor electronic communications, must
establish a policy on the use of electronic communications and
inform workers about its contents.
- If telephone calls or voice-mails are, or are likely to be,
monitored, employers must inform workers about the nature and
extent of such monitoring.
- If e-mails and / or Internet access are, or are likely to
be, monitored, employers must inform workers about the nature
and extent of all e-mail and Internet access monitoring.
4. Video and audio monitoring
- Employers must give workers a clear notification that video
or audio monitoring is being carried out and where and why it
is being carried out.
5. Covert monitoring
- Senior management should normally authorise any covert monitoring.
They should satisfy themselves that there are firm grounds for
suspecting criminal activity or equivalent malpractice and that
notifying individuals about the monitoring would prejudice its
prevention or detection.
- Employers must not use covert audio or video monitoring in
areas, which workers would genuinely and reasonably expect to
6. In-vehicle monitoring
- Employers should set out a policy that states what private
use can be made of vehicles provided by, or on behalf of, the
employer, and any conditions attached to use.
7. Monitoring through 3rd parties.
- Employers must tell workers what information sources are to
be used to carry out checks on them and why the checks are to
be carried out.
- Employers must ensure that, if workers are monitored through
the use of information held by a credit reference agency, the
agency is aware of the use to which the information is put
Information for Branches:
Workers – as well as employers have responsibilities for data
protection under the Act. Line managers have responsibility for
the type of personal information they collect and how they use
it. No one at any level should disclose personal information outside
the organisation's procedures, or use personal information held
on others for their own purposes. Anyone disclosing personal information
without the authority of the organisation may commit a criminal
offence, unless there is some other legal justification, for example
under 'whistle-blowing' legislation.
Action for Branches:
Branches should read Part 3 of the Code and discuss the implications
and responsibilities for members under this part of the Code
Review policies and agreements on monitoring with particular
reference to Good Practice Recommendations 1 & 2
Part 3 of the Employment Practices Data Protection Code can be
Website of the Information Commissioner can be accessed at:
@ the P&I Team
14 West Campbell St
Tel: 0845 355 0845
Fax: 0141 221 8953