CIPP/E Study Guide
IAPP Training · Module 8 - BoK V.A

Module 8 · Lawful employee monitoring & whistleblowing

Lawful employee monitoring must pass four tests - it must be necessary, have a legitimate, lawful basis, be proportionate and be transparent. Monitoring data must be held securely, accessed only by those with a need, and deleted when finished. Whistleblowing systems rose with the US Sarbanes-Oxley Act (2002); the EU Whistleblower Directive (2019) mandates reporting channels and protection from retaliation.

The four tests for lawful employee monitoring
Test | What it requires
Necessary | Monitoring must be needed for the stated aim - not just convenient.
Legitimate, lawful basis | A valid Article 6 (and, if sensitive, Article 9) basis must apply.
Proportionate | The least-intrusive method; scope and intensity matched to the aim.
Transparent | Workers must be informed; covert monitoring is exceptional and tightly limited.

Beyond the four tests, monitoring data must be held securely, accessed only by those with a legitimate need, and deleted when no longer needed.

Whistleblowing systems for anonymous reporting of fraud or misstatement rose with the US Sarbanes-Oxley Act (2002). The EU Whistleblower Directive (2019) requires Member States to give public- and private-sector whistleblowers effective reporting channels and protection against retaliation.

Key terms - quick answers

What is “Employee monitoring”?
Observation of workers' activity (email, internet, calls, location); lawful only if necessary, lawfully based, proportionate and transparent.
What is “Sarbanes-Oxley Act (2002)”?
US law that drove adoption of anonymous reporting systems for fraud and financial misstatement.
What is “Whistleblower Directive (2019)”?
EU directive requiring Member States to give public- and private-sector whistleblowers effective reporting channels and protection against retaliation.