What would happen if a senior member of staff approached a

member of your department and asked for the activities of a certain member of

staff to be monitored?  Do you have definite

procedures in place to deal with this type of request?  If the answer to that question is no, even if

you’re a small company–the consequences could be quite serious.So what is the official line on monitoring of staff


In the UK,

the ‘Data Protection Act’ and the ‘Employment Practices Code’

would be the main reference points for anyone wanting to know if and how they

can legally monitor staff activities. The current Data Protection Act

(1998) came into force on 1 March 2000. The act applies to personal data

(data collected while monitoring staffs’ usage of internet/email, for example,

could be personal in nature and would therefore be deemed as personal data)—and

works to protect individuals by giving the data controllers clear guidelines on

how their data should be handled. There are eight principles set out which

require that data must be:

  • Fairly and lawfully
  • Processed for limited
    purposes and not in any manner incompatible with those purposes;
  • Adequate, relevant and not
  • Accurate;
  • Not kept for longer than is
  • Processed in line with the
    data subject’s rights;
  • Secure;
  • Not transferred to
    countries without adequate protection.

The act also stipulates the conditions under which processing

of data may be carried out. For more information on the ‘Data Protection Act’

take a look at this


Perhaps a more useful (or useable) guide when it comes to

monitoring of staff activities would be the ‘Employment Practices Code’—this code

is regulated and enforced by the Information

Commissioner’s Office; the same office which regulates the ‘Data Protection

Act’ and the ‘Freedom of Information Act’.

The employment practices code and its supplementary guides

can be found here. Section

three of the act specifically covers the topic of monitoring in the workplace;

while the act doesn’t prohibit monitoring, it notes that any monitoring activities

must adhere not only to the ‘Data Protection Act’ but also the ‘European

Convention on Human Rights,’ which dictates respect must be shown for an

individual’s private life and correspondence.

Section five of the quick guide

covers recommends that it should be considered whether there are alternative

approaches which could deliver similar benefits while being more acceptable to

workers. Paragraph 3.1.4 of the Supplementary

Guidance states, “Workers who are subject to monitoring should be aware

when it is being carried out, and why it is being carried out. Simply telling

them that, for example, their e-mails may be monitored may not be sufficient.

They should be left with a clear understanding of when information about them

is likely to be obtained, why it is being obtained, how it will be used and

who, if anyone, it will be disclosed to. The necessary information can be

provided, for example, through signage in areas subject to monitoring or

through details given in a staff handbook. Workers should be kept aware of

existing monitoring, perhaps by reminding them periodically. Where significant

changes to monitoring arrangements are introduced, they should be told about

these.” This basically means that unless criminal activities are suspected,

employees must be fully aware that monitoring is in progress, what form that

monitoring takes, and how the information collected is being used.

As can be seen, this area is a legal minefield, which should

be avoided in most cases—there have been cases of employers being ordered to

halt unannounced monitoring of Internet usage (this

case in 2001 was by a group of federal judges!). Our company has the policy

that any requests for systems usage, telephone, email, or security logs must be

submitted to the CEO in writing for consideration.

It seems that in the States these issues are handled quite

differently (going on the information here)—I would be interested to hear how these issues are handled from any readers in the U.S. Do you think Europe’s data protection laws are more

stringent? Is employee monitoring more a matter of routine in the States? How

do you usually handle requests to monitor staff activity?