Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice.
Updated June 2026 · England & Wales
Where employers end and employee privacy begins has become one of the most contested areas of modern workplace law. With remote working tools, email tracking, productivity software, CCTV and access logs all generating personal data, the boundaries between legitimate business oversight and unwarranted intrusion are easy to cross without realising it.
For staff, this raises genuine concerns about dignity and fair treatment. For employers, it creates real exposure to grievances, tribunal claims and regulatory action. This guide walks through the main legal frameworks that shape how personal data can be handled at work in England and Wales, the most common forms of workplace monitoring, and the kinds of disputes that tend to follow.
Whether you are an employee worried about being watched or an employer trying to stay on the right side of the rules, the aim here is to give you a clear picture of what the law expects.
Overview
Employee data privacy covers the way personal information about workers is collected, used, stored and shared by an employer. That includes obvious things like payroll and HR records, but also extends to emails sent on company systems, internet browsing history, CCTV footage, location tracking in company vehicles, keystroke or productivity software, biometric entry data, and recordings from work calls or video meetings.
In the UK, this area sits at the intersection of the UK GDPR, the Data Protection Act 2018, the Human Rights Act 1998, and employment law principles around trust and confidence. Employers are generally entitled to monitor staff for legitimate reasons, such as security, regulatory compliance or protecting business interests, but they are expected to be transparent about it, keep monitoring proportionate to the issue at hand, and avoid going further than is genuinely necessary. When those boundaries are crossed, or when employees feel they have been watched without warning, disputes often follow.
Key steps
Check the workplace privacy notice and policies. Employers are expected to tell staff, in plain terms, what personal data is collected, why, how long it is kept and who sees it. Start by reading the privacy notice, staff handbook, IT acceptable use policy and any monitoring policy, as these documents usually set the framework for what is and is not permitted.
Identify what monitoring is actually taking place. Think through the systems you interact with day to day, including email, messaging platforms, CCTV, access cards, vehicle trackers and productivity tools. Understanding the full picture matters because concerns about privacy are often about the combined effect of several systems, not just one.
Assess whether the monitoring looks proportionate. The key test under UK data protection law is whether the monitoring is necessary and proportionate for a legitimate aim. Covert surveillance, blanket recording of private messages, or intrusive productivity tracking with no clear justification are the kinds of practices that tend to attract scrutiny from the Information Commissioner's Office.
Raise concerns internally before escalating. If something feels wrong, a written question to HR or your line manager is usually the sensible first step. You can also make a subject access request to see what personal data the employer holds about you. Keep copies of what you send and what you receive, as this paper trail can matter later.
Consider formal routes if issues are not resolved. Where internal steps do not work, options may include a formal grievance, a complaint to the ICO about data handling, or in more serious cases a tribunal claim linked to discrimination, detriment or constructive dismissal. The right route depends heavily on the facts, and getting guidance early tends to save time and stress.
In many cases yes, provided the employer has told staff that email use may be monitored and there is a legitimate reason for doing so, such as security or compliance. What they cannot usually do is secretly read private correspondence with no warning and no clear business justification. The ICO expects monitoring to be proportionate, and blanket access to personal messages is often hard to defend.
Q Is CCTV in the workplace legal?
CCTV is generally lawful where it is used for a clear purpose, such as security or health and safety, and where staff and visitors are informed through visible signage. Cameras in sensitive areas like toilets or changing rooms are very difficult to justify. Covert CCTV is only acceptable in narrow circumstances, usually linked to suspected serious wrongdoing, and should be a last resort.
Q What is a subject access request and how do I make one?
A subject access request, sometimes called a SAR, lets you ask your employer for a copy of the personal data they hold about you. You can make the request in writing or by email, and in most cases the employer must respond within one month. There is usually no fee, and you can ask for things like HR records, emails that mention you, and CCTV footage.
Q Can my employer track my location through a company phone or vehicle?
Location tracking is possible but needs to be justified. Employers should explain why tracking is in place, what data is collected, and whether it continues outside working hours. Tracking that covers personal time, or that captures far more information than the business purpose requires, is the kind of practice most likely to lead to complaints or regulatory interest.
Q What can I do if I think my privacy at work has been breached?
Start by raising the issue internally, ideally in writing, and making a subject access request if you want to see what data is held. If the response is unsatisfactory, you can complain to the Information Commissioner's Office. Depending on the circumstances, there may also be employment law routes, for example where the breach links to discrimination or a breakdown in trust.
Q Does GDPR apply to small employers too?
Yes. The UK GDPR and the Data Protection Act 2018 apply regardless of how many staff an employer has. Smaller businesses sometimes have lighter record-keeping obligations, but the core duties around lawful processing, transparency, security and respecting individual rights still apply in full. Size is not a defence to mishandling personal data.
Q Can I be disciplined based on evidence from workplace monitoring?
Employers can use monitoring evidence in disciplinary processes, but only if the monitoring itself was lawful and the employee was reasonably aware it could happen. Evidence gathered through disproportionate or covert surveillance may be challenged, and a tribunal can take the way evidence was obtained into account when deciding whether a dismissal was fair.
Worried about how you are being monitored at work?
Workplace privacy questions rarely have a simple yes or no answer, and the right approach often depends on small details in your situation. An experienced legal adviser can talk you through what UK data protection and employment rules tend to expect, based on what you describe on the call.
✓Plain-English answers to your specific questions about workplace monitoring
✓Practical perspective on your rights based on what you describe
✓What to watch out for if you want to raise a concern or make a subject access request
✓A clearer sense of your options and sensible next steps
Personal call · For information only · Independent advisers
Written & reviewed by
Brad Askew Solicitor (non-practising)
Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.