Introduction to this document

GDPR employee monitoring clause

Insert our clause into employees’ employment contracts to reserve the right to monitor their use of your communications and computer systems. You’ll need a lawful basis for processing and you must limit monitoring to the minimum amount necessary to achieve your aims.


Under the UK GDPR, you can no longer rely on an employee’s consent to monitor their use of your communications and computer systems. So, if you have a consent clause in employment contracts relating to monitoring, delete it. Instead, you must look for an alternative lawful basis on which to justify your monitoring activities. Monitoring is covered by data protection provisions because it involves the processing of the employee’s personal data.

Lawful basis

Monitoring an employee’s email, internet and telephone usage is unlikely to be necessary for you to perform their employment contract or to enable you to comply with your legal obligations, so it’s probable that you’ll need to justify such monitoring as being necessary for the purpose of pursuing your legitimate interests. In that case, you’ll then need to identify what your legitimate interests are and carefully weigh these up against the privacy rights of the employee. At the end of this balancing exercise, you should be satisfied that the employee’s rights and interests don’t override your legitimate interests.

Proportionality and transparency

You’ll also need to limit any monitoring to the minimum amount that’s necessary to achieve your business aims, i.e. it needs to be undertaken in the least intrusive manner possible to limit the impact on an employee’s right to privacy. Additionally, the UK GDPR gives employees the right to greater transparency in relation to how they’re monitored. This means they need to know what monitoring is taking place and how.

Our GDPR Employee Monitoring Clause is a starting point as it reserves the contractual right for you to monitor an employee’s use of your communications and computer systems, including email, the internet, messaging systems, telephones and voicemail. It then outlines the three lawful bases for processing set out above, although, in reality, it’s likely to be the legitimate interests basis that you will rely on in most employee monitoring scenarios. As you also need to identify what your legitimate interests are, our clause goes on to set out a list of business reasons for the monitoring, including ensuring there’s no unauthorised use of your systems and protecting your confidential information. You can amend or add to this list as appropriate.

Finally, our clause requires the employee to comply with your various communications and computer systems policies. This would include, for example, your email and internet policy, telephone policy, social media policy, bring your own device policy and computer policy. These policies should tie in with the clause by reiterating the purposes for which monitoring may be undertaken and setting out in more detail what your monitoring activities are.


GDPR employee monitoring clause

11 May 2018
File size: 58.50K
Pages: 1
Format: doc