‘My office is using spyware to make sure I attend two days a week – can I stop them?'

Yahoo

26-03-2025

Do you have a legal question to put to Gary? Email askalawyer@telegraph.co.uk or use the form at the bottom of the page.
Dear Gary,
I must prefix this query by first saying I enjoy going to my office. The office manager has made the environment great, and all my colleagues are fantastic to work with.
However, my employer has started using the building security badge swipes in and out of the building to monitor who is complying with the pretty relaxed two-days-a-week return to office mandate. We can basically choose if we work from home or in the office, but we should be doing at least two days a week in the office.
In my opinion, this is a draconian measure. We already work on laptops filled with corporate spyware, so this tracking feels like one more step into working in a panopticon.
My legal concern is whether this change breaches the General Data Protection Regulations (GDPR).
The data collected for badge swipes was never intended to be used for attendance. Is this now classed as a disproportionate amount of data to collect?
– Mark
Dear Mark,
I am very glad you enjoy going into your office. I have said before that I am a big fan of office working, rather than home working. But my personal preference does not make something lawful!
To have a legally enforceable working environment which requires hybrid working between remote home working and physical office attendance, employers must comply with some basic protocols.
First and foremost, the location of your place of work should be specified in your employment contract. And remember, all workers are entitled to a copy of their employment contract including key terms and conditions.
You describe a working environment which is a hybrid model where you are permitted to work at home some of the time and be in the actual office premises at other times. In your case, you say the requirement is to be in the office at least two days every week.
Your words also indicate this 'mandate' to work from the office at least two days a week is a policy change. In that case, your employer should have gone through a process of reevaluating relevant roles and deciding that they should no longer be fully remote working.
I say all this to add context and to allow you to consider if hybrid working itself has been introduced in the appropriate manner.
Regarding the particular concern you have about your employer edging you and your colleagues towards working in a 'panopticon', while I enjoy the rich language you used, I think you are being somewhat overdramatic.
More to the point, you are losing sight of the fact that your employer is entitled to monitor you at work.
Monitoring employees is about ensuring they are adhering to their employment contract and other rules of conduct in the workplace. But it can also be about protecting employees from unsafe working practices and ensuring they are working to their optimal ability.
The legal starting point is therefore that employers can monitor employees. The question is if and when that becomes excessive and, therefore, a breach of employee rights.
You mention 'spyware' within your IT. Some employers also use CCTV. And now you say data from your staff cards are to be tracked. All of these devices are acceptable if used across the board and not targeting any one individual employee.
In 2023, the Information Commissioner's Office (ICO), which is the UK's data regulator charged with overseeing the General Data Protection Regulations (GDPR) which you mention, issued guidance on employers monitoring workers. Do have a read of it.
The ICO guidance says that any tracking must be done in the 'least intrusive' way possible and that workers must be made aware explicitly of the 'nature, extent and reasons for monitoring'.
By your own admission, you have been told of what is to happen and why, and what your data will be used for. In your case, the purpose is to ensure you are complying with your employment contract.
To be pitch perfect in their approach, your employer should refer to your data protection and privacy rights in the staff handbook for your organisation and explain what data will be collected and how it will be stored.
Cases of excessive employee surveillance that contravene workers' privacy rights can result in enforcement action by the ICO, including fines against the employer. But in this case, I do not see what is happening as being excessive. In my view, it is proportionate.
It seems to me one problem here is that you say the two days in the office rule is 'pretty relaxed', but to my mind that interpretation is at odds with the conduct of your employer who clearly wishes to ensure it is a rule which is complied with.
I think there needs to be transparency on both sides.
Your employer needs to be very clear you are all expected to be in the office at least two days a week. It needs to explain that one way of monitoring this will be use of the data harvested from your swipe cards.
And as an employee, who enjoys your job and values it, you should be very visibly there at least two days a week.
I always find with employees at my law firm that those who get it and fully play by the rules are the ones who are allowed the most flexibility because I am confident that they are fulfilling their side of the employment contract. In that sense, I am more relaxed about how and when they do their role.
In other words, be careful not to impose a panopticon on yourself by your own inflexible approach and conduct.
Ask a Lawyer should not be taken as formal legal advice, but rather as a starting point for readers to undertake their own further research.
Broaden your horizons with award-winning British journalism. Try The Telegraph free for 1 month with unlimited access to our award-winning website, exclusive app, money-saving offers and more.