Monitoring & Tracking Staff – What Employers Need to Know

Monitoring and tracking staff is now part of day-to-day business life, whether that’s checking email use, managing IT security, using CCTV, or keeping an eye on social media and company devices. As an employer, you’re trying to protect your business, your clients and your people – but you also need to stay on the right side of UK law and avoid damaging trust with your team. This guide walks you through what’s legal, what’s sensible and what’s fair when it comes to monitoring & tracking staff, so you can put clear, practical policies in place with confidence.

Key takeaways

  • Yes, employers can monitor staff in the UK, but only where there is a clear business reason and the method used is proportionate.
  • In most cases, employees should be told about monitoring in advance through policies, privacy notices, contracts or other clear communications.
  • Monitoring staff emails, internet activity or social media without a proper legal basis can create data protection, privacy and employee relations issues.
  • Covert monitoring and recordings made without the employee's knowledge in advance are high-risk steps.
  • A written impact assessment, clear policy wording and manager training can add real value by helping you justify your decisions and apply monitoring fairly across the business.

In this guide

  • What counts as staff monitoring and tracking in the workplace.
  • When it is legal to monitor emails, internet use, CCTV, calls, social media and location data.
  • What to do if you are considering covert monitoring or recordings without consent.
  • How UK GDPR, the Data Protection Act 2018 and wider employment law affect your approach.
  • Practical steps to build policies, reduce legal risk and maintain trust with your team.

What monitoring and tracking includes

Workplace monitoring covers much more than checking inboxes. It can include staff email reviews, internet and app usage, call recording, CCTV, swipe-card or access control data, GPS vehicle tracking, webcam use, screen monitoring, keystroke logging and recordings of meetings or conversations.

For many SMEs, the issue is not whether some monitoring exists already, but whether it has been properly documented and communicated. A door-entry system, company mobile tracking, website filtering tool or CRM activity log can all amount to employee monitoring where personal data is involved.

Why employers need to monitor staff

There are several legitimate reasons to monitor and track staff. These include protecting confidential information, reducing cyber risk, investigating misconduct, maintaining service quality, preventing harassment, defending legal claims and checking that business systems are being used appropriately.

For small and medium-sized businesses, monitoring can also help spot practical risks early. For example, it may identify data being sent outside the business, repeated access to unsafe websites, misuse of company devices or problematic communications with clients that could lead to complaints or reputational damage.

Is it legal to monitor employee emails?

In short, yes. It is legal to monitor employee emails where there is a valid business purpose and the employer follows UK data protection and privacy rules.

That said, legal does not mean unlimited. Monitoring staff emails should be tied to a clear reason, such as protecting confidential information, checking compliance with workplace policies, investigating suspected misconduct or managing cybersecurity risks.

Employers also need to remember that work emails can still contain personal data and, in some cases, sensitive information. That means any monitoring must be necessary, justified and proportionate, and not a fishing exercise carried out without cause.

Monitoring staff emails in practice

If you are monitoring staff emails, your policy should explain what is being checked and why. That might include traffic data such as senders, recipients and timestamps, or in more limited circumstances, access to the content of messages themselves.

A useful way to add value beyond basic legal compliance is to separate routine monitoring from investigatory access in your policy. Routine monitoring can focus on system security, traffic patterns and automated keyword alerts, while investigatory access can be reserved for specific concerns such as suspected misconduct, client complaints or data loss incidents.

This distinction helps SMEs avoid over-monitoring and gives managers a clearer escalation path. It also makes it easier to show that you considered less intrusive options before reviewing message content.

Can my employer track me without telling me?

Usually, employees should be told if they are being monitored at work. The core principle should be transparency, whether the monitoring concerns emails, CCTV, internet use or other workplace systems.

So, can my employer track me without telling me? In most day-to-day situations, the answer should be no. Employers are generally expected to inform staff about monitoring and explain what happens to the data collected.

There are limited exceptions. Covert monitoring may be justifiable where there is reason to suspect serious misconduct or criminal activity, and telling the employee first would prejudice the investigation.

Even then, covert monitoring should be targeted, time-limited and used only where less intrusive options are unlikely to work. Blanket covert surveillance is far harder to justify and carries significant legal and employee relations risk.

Social media monitoring in the workplace

Social media monitoring in the workplace is a growing issue for employers, especially where brand reputation, confidentiality and staff conduct are important. However, employers should not assume that they can freely monitor an employee’s social media activity simply because it is public or because the person uses a company device.

A sensible approach is to focus on business-related risks. For example, monitoring may be justified where there is evidence of harassment, disclosure of confidential information, misuse of company time or posts likely to damage the organisation’s reputation.

For SMEs, this is an area where policy drafting makes a real difference. A strong social media policy should explain expected standards of conduct, when online behaviour may become a disciplinary matter, and whether work devices or networks are monitored for social media use.

CCTV, calls and device tracking

Many employers use CCTV, call recording and device or vehicle tracking for safety, security and service reasons. These tools are often lawful, but employees should normally be informed that they are in place, why they are used and how long the data will be kept.

Cameras should not be placed in areas where employees would reasonably expect privacy, such as toilets or changing rooms. Tracking tools on vehicles or phones should also be limited to genuine business needs and not used in a way that intrudes into private life more than necessary.

A practical point that is often missed is this: if a company vehicle or phone is allowed for personal use, your policy should address how tracking works outside working hours. That extra clarity can help reduce disputes and demonstrate that you have considered privacy more carefully.

Being recorded at work without consent

Being recorded at work without consent is one of the most sensitive monitoring issues. In the UK, recording a conversation is not automatically unlawful in every situation, but it can create serious privacy, data protection and disciplinary concerns depending on who is recording, why, and what happens to the recording afterwards.

For employees, covertly recording a manager, colleague or workplace meeting may breach internal rules and could amount to misconduct. Even so, employment tribunals may still admit the recording as evidence if it is relevant and the person making it was present during the conversation.

For employers, recording meetings without proper notice or consent can be especially risky. If you want to record a disciplinary hearing, grievance meeting, training session or formal consultation, you should explain the purpose, obtain consent, limit access to the recording and set a clear retention period.

What the law says regarding monitoring and tracking staff

Several legal frameworks apply to monitoring and tracking staff in the UK. The main ones are UK GDPR, the Data Protection Act 2018, the Human Rights Act 1998, the Employment Rights Act 1996 and rules around interception of communications, including the Regulation of Investigatory Powers Act 2000.

The legal thread running through all of them is fairly consistent: employers need a lawful reason, clear justification and a proportionate approach. They also need to avoid unnecessary intrusion into private communications or personal information.

This matters just as much from an HR perspective as a legal one. Monitoring that is poorly explained or inconsistently applied can damage trust, increase grievances and make disciplinary decisions harder to defend.

UK GDPR and data protection duties

Where monitoring involves personal data, employers must identify a lawful basis for processing it and explain what is being collected, why it is needed and how it will be used.

They should also make sure that the information gathered is relevant, kept secure, accessible only to those who need it and retained only for as long as necessary. Data collected for one reason should not then be repurposed casually for something else.

One practical addition that can strengthen your process is creating a simple monitoring register. For each monitoring activity, list the purpose, lawful basis, data involved, who can access it, retention period and review date. For SMEs, this is a manageable way to show accountability without building an overly complex compliance framework.

Why an impact assessment matters

Before introducing intrusive monitoring, employers should carry out an impact assessment, often called a Data Protection Impact Assessment or DPIA. This helps you test whether the monitoring is really needed, whether there are less intrusive alternatives and what effect it may have on employees.

Useful questions include: what problem are you trying to solve, what will the monitoring achieve, are there other measures available, what private information could be captured, and can you justify the approach if challenged?

For SME owners, this is not just a paperwork exercise. A well-drafted assessment can become your decision-making record if an employee raises a grievance, a regulator asks questions or a tribunal later examines whether your actions were fair.

Building the right policy framework

If your business monitors staff in any form, you should have clear written policies rather than relying on custom and practice. As a minimum, this usually means an IT and communications policy, privacy notice, data protection policy, disciplinary rules and, where relevant, CCTV, call recording and social media policies.

Those documents should explain:

  • What monitoring takes place.
  • Why it happens.
  • When content may be reviewed rather than just usage data.
  • Whether personal use of devices, email or social media is allowed.
  • How long data will be stored.
  • Who can access the information.
  • What happens if someone breaches the rules.

It is also good practice to make sure new starters acknowledge these policies and that managers are trained to apply them consistently. A fair process can be undermined quickly if one manager acts informally while another follows policy to the letter.

Common mistakes employers make

In practice, the biggest risks often come from poor implementation rather than bad intentions. Employers can get into difficulty by monitoring without a documented purpose, collecting more information than they need, failing to tell staff what is happening or using monitoring data for unrelated issues later on.

Another common mistake is relying on generic policy wording. Broad statements such as “we may monitor communications from time to time” are less helpful than explaining what types of monitoring happen in your business and under what circumstances message content, call recordings or social media activity may be reviewed.

Finally, there is the HR point many businesses overlook: monitoring should sit alongside training, supervision and a sensible line management approach. It is rarely a complete substitute for them.

Practical steps for SMEs

If you are reviewing your current approach to monitoring and tracking staff, these steps are a sensible place to start:

  1. Audit the monitoring you already carry out, including systems that may not be labelled as monitoring tools.
  2. Document the purpose and lawful basis for each activity.
  3. Carry out an impact assessment for intrusive or higher-risk monitoring.
  4. Update your policies, contracts and privacy notices so staff know what to expect.
  5. Train managers on how monitoring data can and cannot be used in investigations or disciplinary processes.
  6. Review retention periods, access controls and internal approval steps for investigatory monitoring.

Taken together, these steps help you stay compliant while still protecting the business. Just as importantly, they show employees that your approach is measured and fair rather than intrusive for the sake of it.

FAQs

Can my employer track me without telling me?

Usually, no. In most workplace situations, employees should be told about monitoring in advance, including what is being monitored and why. Covert monitoring is generally reserved for exceptional cases involving suspected serious misconduct or criminal activity, and even then, it should be targeted and proportionate.

Is it legal to monitor employee emails?

Yes, if there is a valid business reason and the monitoring complies with UK GDPR and the Data Protection Act 2018. The employer should be able to justify why the monitoring is needed and avoid excessive or routine intrusion into private communications.

Can employers monitor staff emails all the time?

Not without careful justification. Continuous or excessive monitoring is harder to defend than targeted, proportionate monitoring linked to a specific purpose such as security, compliance or an investigation.

Can employers monitor social media in the workplace?

Yes, but only within clear limits. Employers should not assume they can monitor any social media activity they can see; they need a legitimate reason, a proportionate approach and clear policy wording, especially where disciplinary action may follow.

Is being recorded at work without consent illegal?

Not always, but it can still create legal and disciplinary issues. Whether it is lawful depends on the context, the purpose of the recording, who made it and how the recording is later used or shared.

Can an employer record a disciplinary or grievance meeting?

They can, but best practice is to explain why they want to record it, obtain consent from all parties, limit who can access the recording and confirm how long it will be retained.

What happens if workplace monitoring is handled badly?

Poorly managed monitoring can lead to employee grievances, complaints to the ICO and wider reputational harm for the business. It can also weaken the employer’s position in a disciplinary process if the evidence was gathered unfairly or without clear policy support.

Need Further HR Support?

Monitoring and tracking staff is not something most businesses want to get wrong. If you are reviewing your email monitoring, social media rules, recording practices or wider staff monitoring policies, Norton Loxley can help you put a clearer, more practical and legally informed framework in place.

Working with the right HR support can help you protect your business without creating unnecessary risk or damaging trust with your people. Speak to Norton Loxley for advice on policies, processes and practical next steps around monitoring & tracking staff.