The rise of hybrid and remote work has created a new anxiety for founders. You can’t see people working, so the temptation is to track them. Keystroke loggers on laptops. Software that photographs screens at random intervals. GPS tracking on company phones. Time-tracking apps that flag long periods of inactivity. Monitoring tools designed to tell you exactly where people are and what they’re doing at any moment.
I’ve seen this play out in several ways. Some founders are genuinely concerned about security and productivity. Some are managing trust issues they haven’t admitted to themselves. And some have picked up monitoring culture from larger corporates and assume it’s normal.
The problem is that Singapore’s privacy framework, particularly the Personal Data Protection Act (PDPA), sets clear limits on how far you can go. You can monitor far less than you’d think, and the monitoring you do implement creates its own problems.
Here’s what you need to know to stay on the right side of the law and the right side of your team’s trust.
What the Law Actually Says
Monitoring is largely permissible in Singapore, but it’s governed by the PDPA, the Employment Act, and MOM’s advisory on managing workplace absences. The key principle is that employees have a reasonable expectation of privacy even at work, and that expectation is taken seriously under the PDPA.
This is the fundamental tension that founders often miss. You own the company. You need to manage risk and productivity. But your employees haven’t signed away their right to privacy just by becoming employees. The law draws that line, and it’s more protective of employees than many founders assume.
The Transparency Requirement
The PDPA has a purpose limitation and notification obligation. In plain English: you need to tell people you’re monitoring them, and you need to tell them why. You can’t install hidden monitoring software and defend it later by saying it was for legitimate business purposes.
“We didn’t tell you we were watching” is not a defensible position under the PDPA. It violates the Act’s transparency principles. And it signals something about your management style that most good people will respond to badly: that you don’t trust them.
This doesn’t mean you need dramatic announcements. It means your monitoring policy should be clear, accessible, and specific about what’s being monitored and why. If that policy exists only in your head, or was mentioned casually once, it’s not sufficient notification.
What You Can Monitor With the Right Policy
With proper notice and a legitimate business purpose, you can monitor a fair amount. Company devices (laptops, phones), when they’re in use and what they’re being used for. Company email accounts. Network access logs. CCTV in common areas, provided it’s properly disclosed and not in private areas like toilets or changing rooms. Productivity tracking on work systems, provided employees know it’s happening.
The critical phrase is “with proper notice.” If your policy clearly states that email is monitored for security and compliance purposes, you can monitor email. If productivity tracking is disclosed upfront, you can track it. If CCTV cameras are clearly visible and there’s a sign indicating that monitoring is taking place, that’s legitimate.
But if you’re implementing any of these things without explicit notification, or if the scope of monitoring is broader than what employees understand, you’re creating PDPA exposure.
What Creates Exposure
Monitoring personal devices is fraught. Even if an employee uses their personal phone for work, monitoring their personal phone creates exposure. You’re potentially capturing personal communications and activities that have nothing to do with your business. Courts and regulators take a dim view of this.
Covert surveillance without notification is off the table entirely. Keystroke loggers installed without employee knowledge. Screenshots taken without disclosure. Location tracking without consent. All of this violates the PDPA and creates liability for the company and potentially personal liability for whoever implemented it.
Using monitoring data for purposes beyond what was originally stated is another common problem. You disclosed that you’re tracking productivity. Then you use that data to identify low performers and build a redundancy list. That secondary use wasn’t disclosed, and it’s a PDPA violation.
Email monitoring that sweeps up personal communications (messages with family, personal accounts accessed from work, etc.) is broader than most legitimate business purposes justify.
The Trust Equation
Here’s the thing that matters more than the law: even if you can monitor something, whether you should is a different question.
Excessive surveillance signals profound distrust. It tells employees that management assumes they’re shirking, that they need to be watched, that they’re not professionals who can manage their own output. The research on this is remarkably consistent. Surveillance reduces engagement, increases turnover, kills morale, and often makes productivity worse, not better.
In a startup, culture is one of your genuine competitive advantages. Good people want to work somewhere they’re trusted. The moment you install monitoring software that feels invasive, you’ve signalled to your team that you don’t trust them. And that doesn’t stay private. People talk.
I’ve seen founders lose good people over monitoring culture that felt heavy-handed. The person didn’t get fired; they just decided to work somewhere they felt trusted. You’ve created turnover without even knowing it.
What a Sensible Monitoring Policy Looks Like
If you’re going to monitor, here’s a sensible approach. Clear purpose: “We monitor email for security and compliance.” Not vague surveillance for general business purposes. Clear notification: “All company email is monitored.” Not assumptions or casual mentions. Limited to legitimate business needs: if you’re monitoring for security, you’re looking at whether external threats have compromised accounts. You’re not looking at personal email accessed from work. Proportionate: you’re monitoring systems and patterns, not individuals’ detailed activity. Data stored securely and only accessible to those who need it: you’re not storing screenshots indefinitely or sharing monitoring data casually with other managers.
A monitoring policy that passes the sniff test is one that you could explain to an employee without feeling defensive, and one that an external reviewer would see as proportionate to the business problem you’re trying to solve.
The Remote Work Context
Remote and hybrid work creates a specific tension. You can’t see people working, and that uncertainty is uncomfortable for some founders. The answer isn’t more surveillance. The answer is clearer output expectations and better management.
If you can articulate what done looks like—the deliverables, the quality, the timeline—then you can measure results rather than activity. That’s always been better management than surveillance, and it’s especially better in a distributed environment.
People who are outcome-focused and measured on results don’t need keystroke logging. People who are trusted to manage their own time and deliver their own work are more engaged and productive. This isn’t just philosophy; it’s what the data shows.
PDPA Compliance and When to Get Advice
If your monitoring approach has grown informally and you’re not sure it would stand up to scrutiny under the PDPA, you should review it. Some questions to ask yourself: Have I disclosed to employees that monitoring is taking place? Have I told them why? Is the scope of monitoring proportionate to the business purpose? Am I using the data for the purpose I disclosed it for? Is the data being stored securely?
If you can’t comfortably answer yes to all of these, your monitoring approach probably needs a revision.
PDPA compliance is getting more attention in Singapore as data breaches make headlines. Companies that are sloppy about privacy—including internal monitoring—are increasingly at risk. Getting ahead of this now is smart risk management.
Rethinking the Approach
If you’ve noticed that your team’s engagement has dropped since you implemented more monitoring, that’s worth paying attention to. If you’re spending energy policing tools rather than building trust, you’re optimising for the wrong thing.
The best-performing teams I’ve worked with operate on trust and clear expectations. Surveillance is background noise, deployed narrowly for genuine security purposes, not as a management tool.
If your monitoring approach feels heavy-handed, or if you’re not sure it would stand up to scrutiny under the PDPA, it’s worth a conversation about what you’re actually trying to achieve and whether monitoring is the right way to get there. I’m happy to talk it through.





