< Back

Share |

Monitoring employee communications

April 2013

It is, of course, now well established by the Human Rights Act 1998, that every individual has the right to respect for his or her private and family life, home, and correspondence; but what about employers who wish to keep tabs on their employees’ use of company equipment? Can employees rely on privacy laws to prevent employers from doing so?

There are many highly persuasive arguments available to employers who wish to monitor employee communications. Employers need to ensure that employees are performing their functions diligently and are not wasting company time or increasing exposure to unnecessary risks. Breaches of confidence, reputational damage and discrimination claims, not to mention system failures due to viruses and malware, are all serious issues that employers will want to take steps to manage. Furthermore, with the increasing use of mobile devices and the near complete synergy of work and home life, employers may feel justified in taking a more proactive approach to managing these risks.

NotesThe European Court of Human Rights has held that telephone calls made from business premises as well as from the home may fall within the definition of “private life” and “correspondence”. The same is true of emails sent from work and the monitoring of internet usage by employers. This is readily understandable; most employers realise that a certain amount of personal correspondence is necessary for most employees during the course of their working day, and it would be strange indeed if employees were expected to waive any rights to privacy in such circumstances.

Since most typical forms of monitoring (intercepting and archiving employee emails, tracking internet history, recording employee telephone calls, etc) will be considered “processing personal data” under the Data Protection Act 1998, such activities must comply with the data protection principles, including that data must be processed “fairly and lawfully”, processed “only for specified, lawful purposes”, and that the data processed “shall be adequate, relevant and not excessive in relation to the purposes for which they are processed”.

In addition, employers must ensure that their practices do not fall within the prohibition on “unlawful monitoring” under the Regulation of Investigatory Powers Act 2000 (RIPA). RIPA makes it unlawful for a person having the right to control a private telecommunications system (such as an employee email network) to intercept a communication in the course of its transmission, unless such interception takes place “with lawful authority”. To determine whether an employer has lawful authority, the Telecommunications Regulations 2000 must also be consulted.

As if that weren’t enough, employers seeking to carry out monitoring in multiple jurisdictions may find other regimes even more restrictive; the Secrecy of Telecommunications Act in Germany, for example, makes it a criminal offence for employers to open and review personal emails of employees. Since employees often do not distinguish between personal and business-related communications (even though employee handbooks often require them to do so), this creates a host of issues for employers seeking to legitimately monitor business-related emails.

So, how should employers go about taming this Lerneaen Hydra of employee monitoring?

HighlighterFortunately, the Information Commissioner’s Office has provided some assistance through the publication of the Employment Practices Code (Code). The Code contains specific recommendations as to good practice for employee monitoring aimed primarily at large organisations carrying out systematic monitoring. Employers wishing to depart from it should have a good reason for doing so.

The key practical recommendations regarding employee monitoring can be summarised as follows:

  • employees should be fully informed as to what monitoring takes place and why (covert monitoring may only be justified where there are grounds for suspecting criminal activity);
  • staff with access to information obtained through monitoring should be limited and given appropriate training on data protection and security;
  • monitoring should be limited, targeted and time-bound;
  • employers should consult with employees and their unions (if any);
  • monitoring of the content of e-mails should be proportionate to the purpose to be achieved; and
  • e-mails that are clearly personal should not be opened.

Most importantly, employers should carry out an impact assessment prior to any monitoring taking place. This should highlight the specific concerns or benefits to the business that the monitoring is designed to target, and ensure these are justified and balanced against their employees’ right to privacy. In particular, employers should consider any alternative, less intrusive ways to achieve their business objectives which might eliminate or minimise any negative impact on employees. Having carried out this impact assessment it should be appropriately documented and provided the process has been carried out diligently, this will be a handy document to have should a regulator come calling.

As a general rule, employers should aim to be as open with their employees as possible. If you feel uncomfortable informing your employees exactly how you intend to monitor them, the chances are that insufficient justifications exist for doing so. By being transparent you will not only protect the crucial relationship of trust with your employees but will also be off to a good start in fulfilling your compliance obligations.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Eye
Richard Craig

Richard Craig      


Richard looks at the potential pitfalls for employers seeking to monitor their employees.

"Employers should carry out an impact assessment prior to any monitoring taking place. This should highlight the specific concerns or benefits to the business that the monitoring is designed to target and ensure these are justified and balanced against their employees’ right to privacy."