Skip to main content
Book a call — £89
Menu

Employee Data Privacy UK: Workplace Monitoring Rules

We're not a law firm — we help you find the right legal support. For advice on your situation, speak to a legal adviser or find a solicitor.

Part ofUK Employment Law Advice

Updated June 2026 · England & Wales
Where employers end and employee privacy begins has become one of the most contested areas of modern workplace law. With remote working tools, email tracking, productivity software, CCTV and access logs all generating personal data, the boundaries between legitimate business oversight and unwarranted intrusion are easy to cross without realising it. For staff, this raises genuine concerns about dignity and fair treatment. For employers, it creates real exposure to grievances, tribunal claims and regulatory action. This guide walks through the main legal frameworks that shape how personal data can be handled at work in England and Wales, the most common forms of workplace monitoring, and the kinds of disputes that tend to follow. Whether you are an employee worried about being watched or an employer trying to stay on the right side of the rules, the aim here is to give you a clear picture of what the law expects.

Overview

Employee data privacy covers the way personal information about workers is collected, used, stored and shared by an employer. That includes obvious things like payroll and HR records, but also extends to emails sent on company systems, internet browsing history, CCTV footage, location tracking in company vehicles, keystroke or productivity software, biometric entry data, and recordings from work calls or video meetings.

In the UK, this area sits at the intersection of the UK GDPR, the Data Protection Act 2018, the Human Rights Act 1998, and employment law principles around trust and confidence. Employers are generally entitled to monitor staff for legitimate reasons, such as security, regulatory compliance or protecting business interests, but they are expected to be transparent about it, keep monitoring proportionate to the issue at hand, and avoid going further than is genuinely necessary. When those boundaries are crossed, or when employees feel they have been watched without warning, disputes often follow.

Key steps

  1. Check the workplace privacy notice and policies. Employers are expected to tell staff, in plain terms, what personal data is collected, why, how long it is kept and who sees it. Start by reading the privacy notice, staff handbook, IT acceptable use policy and any monitoring policy, as these documents usually set the framework for what is and is not permitted.
  2. Identify what monitoring is actually taking place. Think through the systems you interact with day to day, including email, messaging platforms, CCTV, access cards, vehicle trackers and productivity tools. Understanding the full picture matters because concerns about privacy are often about the combined effect of several systems, not just one.
  3. Assess whether the monitoring looks proportionate. The key test under UK data protection law is whether the monitoring is necessary and proportionate for a legitimate aim. Covert surveillance, blanket recording of private messages, or intrusive productivity tracking with no clear justification are the kinds of practices that tend to attract scrutiny from the Information Commissioner's Office.
  4. Raise concerns internally before escalating. If something feels wrong, a written question to HR or your line manager is usually the sensible first step. You can also make a subject access request to see what personal data the employer holds about you. Keep copies of what you send and what you receive, as this paper trail can matter later.
  5. Consider formal routes if issues are not resolved. Where internal steps do not work, options may include a formal grievance, a complaint to the ICO about data handling, or in more serious cases a tribunal claim linked to discrimination, detriment or constructive dismissal. The right route depends heavily on the facts, and getting guidance early tends to save time and stress.
If you're dealing with this kind of situation, a call with an experienced legal adviser can help you work out the right next step — from £89.

Common questions

Q Can my employer read my work emails?
In many cases yes, provided the employer has told staff that email use may be monitored and there is a legitimate reason for doing so, such as security or compliance. What they cannot usually do is secretly read private correspondence with no warning and no clear business justification. The ICO expects monitoring to be proportionate, and blanket access to personal messages is often hard to defend.
Q Is CCTV in the workplace legal?
CCTV is generally lawful where it is used for a clear purpose, such as security or health and safety, and where staff and visitors are informed through visible signage. Cameras in sensitive areas like toilets or changing rooms are very difficult to justify. Covert CCTV is only acceptable in narrow circumstances, usually linked to suspected serious wrongdoing, and should be a last resort.
Q What is a subject access request and how do I make one?
A subject access request, sometimes called a SAR, lets you ask your employer for a copy of the personal data they hold about you. You can make the request in writing or by email, and in most cases the employer must respond within one month. There is usually no fee, and you can ask for things like HR records, emails that mention you, and CCTV footage.
Q Can my employer track my location through a company phone or vehicle?
Location tracking is possible but needs to be justified. Employers should explain why tracking is in place, what data is collected, and whether it continues outside working hours. Tracking that covers personal time, or that captures far more information than the business purpose requires, is the kind of practice most likely to lead to complaints or regulatory interest.
Q What can I do if I think my privacy at work has been breached?
Start by raising the issue internally, ideally in writing, and making a subject access request if you want to see what data is held. If the response is unsatisfactory, you can complain to the Information Commissioner's Office. Depending on the circumstances, there may also be employment law routes, for example where the breach links to discrimination or a breakdown in trust.
Q Does GDPR apply to small employers too?
Yes. The UK GDPR and the Data Protection Act 2018 apply regardless of how many staff an employer has. Smaller businesses sometimes have lighter record-keeping obligations, but the core duties around lawful processing, transparency, security and respecting individual rights still apply in full. Size is not a defence to mishandling personal data.
Q Can I be disciplined based on evidence from workplace monitoring?
Employers can use monitoring evidence in disciplinary processes, but only if the monitoring itself was lawful and the employee was reasonably aware it could happen. Evidence gathered through disproportionate or covert surveillance may be challenged, and a tribunal can take the way evidence was obtained into account when deciding whether a dismissal was fair.
If you're dealing with this kind of situation, a call with an experienced legal adviser can help you work out the right next step — from £89.

Sources

This guide is based on primary UK law and official guidance.

Brad Askew, Solicitor (non-practising)

Written & reviewed by

Brad Askew Solicitor (non-practising)

Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.

Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.