Most employers now have tools that can watch their staff far more closely than the law comfortably allows: productivity dashboards, keystroke and screenshot capture, location tracking, call and message analysis, and a growing layer of AI that scores, ranks, and flags workers automatically. The technology has run ahead of the question that decides whether any of it is lawful: is this necessary, proportionate, and fair?
UK law does not ban workplace monitoring. It conditions it. This article sets out where the line sits in 2026, what changes when AI does the watching, and the one form of AI monitoring that is now banned outright next door in the EU.
Article 88 and where the rules actually live
Article 88 of the UK GDPR is the provision that allows a country to set more specific rules for processing employee data. The UK has not enacted a comprehensive set of those rules, so workplace monitoring runs on the general UK GDPR principles, the Data Protection Act 2018, and the ICO's guidance on monitoring workers, published in October 2023 to replace the old Employment Practices Code.
So there is no single "surveillance statute" to point to. The lawfulness of monitoring is decided by applying the ordinary data protection principles to the employment relationship: a lawful basis, necessity, proportionality, transparency, and a documented assessment of the risk to workers.
The lawful basis: legitimate interest, almost never consent
Every monitoring activity needs a lawful basis under Article 6. For most monitoring the right one is legitimate interest under Article 6(1)(f).
Consent is usually the wrong answer. The ICO's position is that consent is unlikely to be valid in the employment context, because the imbalance of power means a worker cannot freely refuse without fear of consequence. An employer who builds a monitoring programme on consent and is later told that consent was not freely given is left with no lawful basis at all.
Legitimate interest is not a free pass. It requires a Legitimate Interest Assessment on file: the legitimate aim (security, safety, regulatory obligation, protecting assets), the necessity (monitoring is genuinely needed to achieve it), and a balancing test weighing the intrusion against the worker's rights and reasonable expectations. The assessment is the document a regulator asks for first.
Necessity, proportionality, and transparency
Three tests decide most cases.
Necessity. Monitoring has to be genuinely needed for a real aim, and it has to be the least intrusive way of achieving it. If a narrower measure would do the job, the broader one is unlawful.
Proportionality. Continuous, blanket monitoring of everyone, all the time, rarely survives. The more intrusive the method, the stronger the justification has to be, and the narrower the scope should be.
Transparency. Workers generally have to know what is monitored, why, and how. Secret monitoring is the exception, not the default. Covert monitoring is lawful only in narrow circumstances, where there is a genuine suspicion of serious wrongdoing and telling people first would defeat the purpose, and it is almost never lawful in places with a heightened expectation of privacy such as toilets, changing areas, or break rooms.
When monitoring is high-risk: the DPIA
Systematic monitoring of workers is one of the clearest triggers for a Data Protection Impact Assessment under Article 35. Large-scale monitoring, monitoring using new technology, and monitoring that evaluates workers all push the processing into the high-risk category that makes a DPIA mandatory. Our guide to when a DPIA is needed for an AI system covers the threshold. For AI monitoring it is hard to argue a DPIA is not required.
What changes when the watcher is AI
AI monitoring adds a distinct layer of risk on top of the ordinary rules: bias in how the system scores different groups, opacity in how it reaches a score, and function creep as a tool bought for one purpose drifts into others. Two issues bite in law specifically.
It can trigger the automated-decision regime. If the monitoring output drives a significant decision about a worker by solely automated means, for example an AI productivity score that feeds performance management, pay, or dismissal without meaningful human involvement, the decision falls under the new Articles 22A to 22D of the UK GDPR, in force since 5 February 2026. The worker is then owed the four safeguards: information about the decision, the ability to make representations, human intervention, and the ability to contest it. The full regime is set out in our reference on automated decisions under Article 22A to 22D. A manager who rubber-stamps the AI's score does not take the decision out of scope.
It often involves special category data. Monitoring that infers health, emotional state, trade union activity, or similar is processing special category data under Article 9, which needs a separate condition and far stronger justification. Inferring these things by accident, through behavioural or sentiment analytics, does not avoid the rule.
The line the EU has already drawn: emotion recognition
The sharpest current development sits across the Channel. The EU AI Act prohibits AI systems used to infer the emotions of a person in the workplace, outside narrow medical or safety uses. This is one of the Act's prohibited practices, and the ban has applied since 2 February 2025.
The UK has no equivalent outright ban. But workplace emotion recognition is high-risk under the UK GDPR for the reasons above: it usually processes special category data, it rarely passes the necessity and proportionality test, and it would need a DPIA and a strong justification to stand up. The practical position on both sides of the Channel is that AI reading workers' emotions is very hard to do lawfully, and in the EU it is simply off the table.
What workers can do
If you are monitored and want to understand or challenge it:
- Make a subject access request. You are entitled to the personal data held about you, which includes monitoring data, and meaningful information about any automated decision-making.
- Ask for the lawful basis and the assessment. If monitoring relies on legitimate interest, there should be a Legitimate Interest Assessment behind it.
- Object. You have the right to object to processing based on legitimate interest, and the employer then has to show compelling grounds to continue.
- Use the automated-decision safeguards. Where a significant decision about you was made by an automated monitoring system, you can ask for human intervention and contest the outcome.
If you are the employer
The same rules read as a checklist:
- Lawful basis chosen per monitoring activity, with a Legitimate Interest Assessment where you rely on Article 6(1)(f).
- A DPIA for systematic or AI-driven monitoring, completed before it goes live.
- A clear, accessible notice telling workers what is monitored and why.
- The least intrusive method that achieves the aim, scoped as narrowly as possible.
- Genuine human involvement in any consequential decision the monitoring feeds, with records that show it was real.
- Extra care, and a separate Article 9 condition, wherever monitoring could infer special category data. Treat emotion recognition as a line not to cross.
When to take advice
Monitoring becomes a legal problem at the point it feeds a decision that affects someone's job, or strays into private space or special category data.
Instruct a specialist when:
- Monitoring data is being used in a disciplinary, capability, or dismissal process
- You are deploying AI scoring or analytics that rank or flag workers
- The system could infer health, emotion, or other special category data
- A worker has objected, made a subject access request, or challenged an automated outcome
- You are rolling out monitoring across the workforce and need the DPIA and the assessment to stand up
Current as at 18 June 2026. This is educational. For your specific situation, instruct a qualified data protection or employment adviser.
Part of the Janus Compliance AI and your rights theme and the Employment Law cluster. See also: Automated Decisions Under UK Law: Article 22A-22D, AI Rejected Your Job Application, Do I need a DPIA for my AI system?.
Frequently Asked Questions
Is it legal to monitor employees in the UK?
Yes, within limits. UK law does not ban workplace monitoring, but it has to be lawful, necessary, proportionate, and transparent under the UK GDPR and the Data Protection Act 2018, interpreted through the ICO's 2023 guidance on monitoring workers. You need a lawful basis (usually legitimate interest, supported by a documented assessment), you generally have to tell workers what you monitor and why, and the monitoring has to be the least intrusive way of achieving a real business aim. Blanket, continuous, or secret monitoring usually fails that test.
What is Article 88 of the UK GDPR?
Article 88 is the provision that lets a country set more specific rules for processing personal data in the employment context. The UK has not enacted a comprehensive set of Article 88 employment rules, so workplace monitoring is governed by the general UK GDPR principles, the Data Protection Act 2018, and the ICO's guidance rather than a single bespoke statute. Article 88 is the hook; the operative rules are the general ones applied to the employment relationship.
Do I need consent to monitor staff?
Usually not, and consent is usually the wrong basis. The ICO treats consent as unlikely to be valid in employment because the power imbalance means a worker cannot freely refuse. For most monitoring, the appropriate lawful basis is legitimate interest under Article 6(1)(f), which requires a Legitimate Interest Assessment: the legitimate aim, the necessity, and a balancing test against the worker's rights and reasonable expectations. Relying on consent and getting it wrong leaves the whole monitoring programme without a lawful basis.
What changes when AI does the monitoring?
AI monitoring (productivity scoring, keystroke and behavioural analytics, sentiment analysis) adds risks of bias, opacity, and function creep on top of the ordinary monitoring rules. Two things bite specifically. If the monitoring output drives a significant decision about the worker (performance management, pay, dismissal) made by solely automated means, the automated-decision regime in Articles 22A to 22D applies and the worker gets the four safeguards. And monitoring that infers health, emotion, or other special category data triggers the stricter Article 9 conditions.
Can employers use AI to read employees' emotions?
Not in the EU. The EU AI Act prohibits AI systems used to infer emotions of a person in the workplace, outside narrow medical or safety uses, and that ban has applied since 2 February 2025 as one of the Act's prohibited practices. In the UK there is no outright ban, but workplace emotion recognition is high-risk processing under the UK GDPR: it usually involves special category data, rarely passes the necessity and proportionality test, and would need a DPIA and a very strong justification. In practice it is hard to do lawfully on either side of the Channel.