Corporate Investigations and the UK Data Protection Act

First published September 2007

by Rowenna Fielding


A number of requirements of the Data Protection Act apply to workplace monitoring. While the DPA does not prohibit employee monitoring and investigation, any such activity must conform to the requirements of the Act in order for it to be lawful.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

The DPA act refers to both “systematic monitoring” (where automated systems are used to perform routine analysis of all workers’ activity) and “occasional monitoring” (where monitoring is introduced as a short-term response to a particular problem or need)

While there is no formal definition of “monitoring” within the terms of the DPA, it is generally accepted that the following activities are included, and to which the DPA should be applied:

– Viewing users’ email in search of evidence of misconduct or malpractice.
– Examining logs of websites visited to check that Internet privileges are not being abused (by proportion of time spent surfing, or visiting inappropriate sites)

Obligations under the Data Protection Act

When employee monitoring is implemented, certain steps must be taken to ensure that all procedures and processes for gathering and examining information are in compliance with the DPA.

Requests for investigation of employee activity for evidence of systems misuse or policy violation may often been so broad or nebulous in their terms so as to constitute a breach of the Data Protection Act where it applies to employee monitoring and corporate forensics.

Under the terms of the Data Protection Act, the following requirements are mandatory, and failure to comply with them may constitute a criminal offence and can certainly lead to claims for civil damages in cases where employees have been the subject of investigations which have not conformed to the premises of the DPA.

1. Employees must be notified that monitoring is taking place.

a. Simply advising that “email and internet use may be monitored” is not sufficient in a case where an employee’s activity on these systems is being actively observed. b. If an employee is actively monitored without their knowledge, this is known as “covert monitoring”. Only in cases where criminal activity or equivalent malpractice is suspected can covert monitoring be legally justified and this should be authorised at the highest level of management before taking place.

2. The employee must be kept informed as to:

a. What data is being monitored
b. What the data gathered will be used for
c. Who will have access to the data
d. The retention policy of the data

Where an employee is not informed of these aspects of monitoring, the monitoring is classified as “covert” and must be legally justified at senior management level to prevent breach of the DPA.

3. The data gathered during the course of monitoring must be kept strictly confidential, and accessible only to those individuals who are directly involved with monitoring.

a. This means that sharing a user’s entire mailbox with HR in order for them to search it for evidence of wrongdoing is not permitted within the terms of the DPA. HR should define the “evidence of wrongdoing”, and the investigator should search for such evidence. Where it is found, only such evidence should be passed to HR, and nothing else.

4. Only data directly concerned with the cause of the monitoring may be used in an investigation.

a. Where possible, the reading of emails should be avoided, and anything indicated to be “Personal” (whether by storage location or content itself) should be strictly excluded from the process of the investigation.

5. The focus of the monitoring should be clearly defined, and monitoring should not exceed the boundaries of this definition.

a. For example, where email harassment is suspected, the investigation cannot be widened to include web surfing activity.
b. The type of misbehaviour suspected should be clearly defined in a request for an investigation, and the investigation should not exceed these parameters.

6. The monitoring should be time-limited and geared towards a specific result.

a. It is not legal to monitor an employee for an undefined amount of time “just in case they are doing something wrong”. The time frame for monitoring, or investigation should be clearly defined, and cannot be extended just because no evidence is found within the original time frame.


Adherence to the Data Protection Act should be explained and defined by corporate policy. The policy should sets out the terms of the DPA, and state that all individuals have rights to their personal data. (Personal data does not just include HR, payroll and clearance information, but also the product and results of any investigation of that individual that may take place within the company)

These rights include:

– The right to a copy of the data made by written request. Any individual can request the data collected from an investigation pertaining to them.
– The right to prevent processing likely to cause damage or distress. This may apply to the access of personal communications (eg: email) during an investigation that has been conducted as a “fishing expedition” and not a properly targeted investigation.
– The right to take action for compensation if the individual suffers damage by any contravention of the DPA by the data controller (ie: the company). This is a potentially serious issue: where an employee has faced dismissal or disciplinary action following an investigation; that employee may have the right to compensation if the investigation was not conducted in accordance with the DPA.

The DPA policy should also provides guidance as to the Data Protection Act, describing the premises of the Act, and the responsibilities of the company to ensure that the DPA is complied with.

It appears however, that the results of internal employee investigations are not usually considered as “personal data”. However, under the definition contained within the DPA, this data should most definitely be included, and provided for in order to avoid compensation claims for contravention of the Data Protection Act.


The terms of the Data Protection Act require that personal data be processed fairly and lawfully. “Fair and lawful” processing requires that the data controller (in this case the Company monitoring or investigating the employee) ‘ensures so far as practicable’ that persons whose personal data is processed (which would include monitoring of e-mails) should be informed of:

(a) The identity of the data controller and any nominated representative;
(b) The purposes of the processing; and
(c) Any further information which is necessary, having regard to the specific circumstances of the processing.

With these provisions in mind, it may be necessary to review the investigations process to ensure that compliance with the Data Protection Act is achieved. This would involve the following areas of discussion:

The requirements and process of requesting an investigation

The Employment Practices Code, as published by the Information Commissioner states that monitoring should only be used in cases where other action (for example, management intervention, verbal warning) is judged not to be effective.

– To commence surveillance of an employee without attempting other avenues of approach to a disciplinary problem is unethical, and can result in any disciplinary action being challenged.

Before taking the decision to monitor an employee, an impact assessment must be undertaken.

– If the potential impact of monitoring the employee cannot be justified by the magnitude of the suspected misbehaviour, then monitoring is unethical and cannot be justified.

When a user is investigated, they must be informed of the following:

– What activity is being monitored,
– Who will see the resulting data,
– What the resulting data will be used for
– How long it will be retained for.
– The only exceptions to the requirements for employee notification are when either criminal activity or equivalent professional malpractice are suspected.

When an investigation is required, the information that is sought must be clearly defined in the investigation request.

– It is not lawful to request “all emails sent by this user” as the subject of an investigation, as this contravenes the DPA which requires the collection of personal data to be kept to the minimum amount necessary.

The data provided must adhere to the DPA – therefore, only data relevant to the investigation can be shared with other parties (eg: management, HR).

– If a user’s mailbox is monitored, and incriminating evidence found; only that evidence (and no other data) may be shared as a result of the investigation.
– If no evidence is found, there can be no further pursuit of the investigation without just cause – to do otherwise may potentially make the company vulnerable to compensation claims for breach of the DPA (or even possibly harassment or “hostile workplace” claims, depending on the outcome of any disciplinary action taken as a result of an investigation which does not conform to the DPA)

The data gathered as a result of an investigation or employee monitoring must be kept only as long as required for the investigation and subsequent action to take place.

– After this time, all data pertaining to an investigation of an employee must be destroyed in all forms – ie; data stored on hard drives, optical storage, printouts of investigation results. Failure to destroy this data in a timely fashion will constitute breach of the DPA.

REFERENCES /employment_practices_code001.pdf

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles