UK Employer Rules · 2026
Can my employer read my work emails or monitor my computer?
Legal basis
UK GDPR (Article 6 lawful basis, Article 88 employment context); Data Protection Act 2018 s.86 (employment); Investigatory Powers Act 2016 s.32 (workplace monitoring); ICO Employment Practices Code (Workers); Article 8 ECHR (right to privacy).
When they CAN do it
Your employer CAN monitor if: (1) you've been informed via a clear monitoring policy (in handbook or contract); (2) the monitoring is for a legitimate business purpose (e.g., security, performance, regulatory compliance); (3) it's proportionate to the purpose; (4) a DPIA has been completed for systematic monitoring; (5) personal use of email is restricted or prohibited (changes employee expectations of privacy); (6) specific covert monitoring is authorised to investigate suspected serious wrongdoing under specific circumstances.
When they CANNOT do it
Your employer CANNOT: secretly monitor without justification; monitor disproportionately (e.g., recording all keystrokes when only checking productivity); read emails clearly marked 'personal' even if sent on work systems; monitor union or whistleblowing communications; share monitoring data outside the legitimate purpose; retain monitoring data longer than necessary; use monitoring evidence in disciplinary proceedings if monitoring was unlawful.
What you should do
1) Read your contract and IT policy — most include monitoring notices.
2) Ask HR for the monitoring policy and DPIA.
3) Don't use work email/systems for personal matters where you have a non-work alternative.
4) Mark genuinely personal emails as 'PERSONAL'.
5) If monitoring seems disproportionate or covert, file a Subject Access Request (DSAR): you have a right to a copy of the monitoring data held on you.
6) Complain to the ICO (free) about GDPR breaches.
7) Consider a grievance and a tribunal claim where monitoring breaches privacy or has been used to discriminate.
Worked example
David noticed his manager seemed to know details from Slack messages he'd assumed were private. He filed a DSAR asking for all data about him collected through monitoring. The disclosure showed his manager had accessed his Slack DMs to investigate a 'culture concern' with no formal investigation, no DPIA, and no notice. David raised a grievance and complained to the ICO. The employer rolled out a transparent monitoring policy and disciplined the manager.
Red flags — when to escalate
🚨 No monitoring policy in writing. 🚨 'Surprise' use of monitoring evidence in a disciplinary. 🚨 Monitoring of specific employees (likely covert, likely unlawful). 🚨 Use of webcam screenshots, keystroke logging, or AI productivity tools without a DPIA. 🚨 Refusal to disclose monitoring data via DSAR.
Recruiter pro tip
The DSAR (Data Subject Access Request) is the most underused tool in employment law. It costs nothing, takes 1 month for the employer to respond, and forces disclosure of all data they hold on you including monitoring data, manager notes, performance ratings, and emails about you. If you suspect anything dodgy is going on, file a DSAR before raising a grievance — you'll know exactly what cards your employer holds.