User menu

Caerphilly Council warned after employee surveillance

A council that ordered covert surveillance on a sick employee must review its approach after an Information Commissioner’s Office (ICO) investigation.

The ICO found the Council breached the Data Protection Act when it ordered the surveillance of an employee suspected of fraudulently claiming to be sick.

The surveillance was only authorised on anecdotal evidence and began only four weeks into the employee’s sickness absence. No other measures were taken to discuss the employee’s absence before the decision to use the covert surveillance and the report, which was produced by a third-party company, was never used.

The ICO determined the Council did not have sufficient grounds to undertake the surveillance, especially at such an early stage of the employee’s absence.

Anne Jones, Assistant Commissioner for Wales, said:

“It shouldn’t need to be said that spying on employees is incredibly intrusive and must only be done as the last resort.

“Organisations need to be absolutely clear why they need to carry out covert surveillance and consider all other alternatives first. If it cannot be completely justified, it shouldn’t be done.”

The ICO accepts in exceptional circumstances that covert surveillance of employees can be justified. The employer however must be satisfied there are grounds for suspecting criminal activity or equivalent malpractice and that notifying the individuals would prejudices prevention or detection. Covert surveillance should be used as a last resort when alternatives which respect the employee’s privacy have been considered and determined as not appropriate.

The ICO’s Employment Practices Code covers monitoring of employees at work.

The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

The ICO is onTwitter, FacebookandLinkedIn. Read more in the ICO blogand e-newsletter.Our Press Office page provides more information for journalists.

Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:
Fairly and lawfully processed
Processed for limited purposes
Adequate, relevant and not excessive
Accurate and up to date
Not kept for longer than is necessary
Processed in line with your rights
Not transferred to other countries without adequate protection