All employers monitor their staff in some way or another. At one end of the spectrum this can involve simply requiring them to clock in or clock out. At the other end of the spectrum the form(s) of monitoring can be more intrusive, such as monitoring employee use of IT or email systems. For employees whose workplace is also a public place or an area where security is paramount, there may be CCTV cameras in the workplace as well.
So what do employers need to do to make this monitoring legitimate and what can they do with the information they gather through this monitoring?
The legal framework is relatively complex and relevant legislative provisions can be found in a variety of sources. These include the European Convention on Human Rights, Article 8 of which contains a general right to respect for private and family life and for correspondence. The Data Protection Act 1998 (the DPA) is also highly relevant. The DPA does not prevent monitoring but it does set out principles for gathering and using personal information.
The Employment Practices Code
The Information Commissioner has published a Code relating to employment practices, which includes monitoring staff activities. A breach of the Code will not equate to a breach of the Data Protection Act itself, but it may be taken into account in any enforcement action. The Code starts with the premise that “it will usually be intrusive to monitor your workers” and goes on to state that workers are “entitled to a degree of privacy in the workplace”.
Where monitoring is to be carried out, the Code recommends that an “impact assessment” should be carried out. As part of this an employer should consider, in particular:
- why the monitoring is being carried out (i.e. what is the benefit, or the risk, to the company that the monitoring is designed to achieve, or prevent?); and
- whether the intrusion into the workers’ privacy is justified (i.e. is the form of monitoring proposed no more onerous than is strictly necessary?)
In other words, for monitoring to be justified, the proportionality test must be met: is the reason for the monitoring sufficient to justify an intrusion into an employee’s privacy, and are the means of monitoring proportionate? Employers should also consider whether there are any (less invasive) alternatives to the method of monitoring being considered. For example: can you use supervision or training rather than monitoring; can you investigate a specific incident rather than carrying out monitoring; can you limit monitoring to certain individuals about whom complaints have been received rather than the whole workforce; can monitoring be targeted at the areas of highest risk; can it be automated so that private information will only be seen by a machine; can spot checks or audits be carried out instead?
The Code also states that employers should tread carefully if relying solely on employee consent to monitoring taking place, noting that, in an employment context, employee consent is rarely “given freely”. It also states that workers should be aware of the nature, extent and reasons for any monitoring unless there are exceptional reasons to justify covert monitoring.
Emails and use of IT equipment
Employers might wish to monitor employees’ use of email and other IT systems for a variety of reasons. In part, employers will want to ensure that these facilities are used properly and in a way that doesn’t expose the employer to unnecessary risk (e.g. from viruses or the disclosure of confidential information). Such monitoring is also often used to ensure that employees are not using such systems for entertainment when they should be working and are not accessing things they shouldn’t be.
As above, the DPA and the Human Rights Act will apply to this form of monitoring, as will the Computer Misuse Act 1990, which makes it an offence to use a computer to obtain unauthorised access to any programme or data held on a computer. Also of relevance is the Regulation of Investigatory Powers Act 2000 (RIPA). Monitoring will be regulated by RIPA if it involves the “interception of a communication in the course of transmission”. Under RIPA the lawful interception of communications can take place if the interceptor has reasonable grounds for believing that both the sender and the recipient have consented to the interception. Clearly this will be easier to establish in respect of internal emails and calls than it will for external communications.
Where an employer does not have reasonable grounds to believe that both the sender and the recipient have consented to the communication being intercepted and monitored, they may still be able to rely on the Telecommunications Regulations 2000. These provide that, in certain circumstances, communications that are relevant to the business can be intercepted even where consent hasn’t been given. The circumstances where this will apply include when the communication is being intercepted in order to:
- Ascertain compliance with the regulatory or self-regulatory practices or procedures relevant to the business
- Ascertain or demonstrate standards which are or ought to be achieved by persons using the system
- Prevent or detect crime
- Investigate or detect the unauthorised use of the telecommunications system
- Ensure the effective operation of the system
The requirement that the communication must be relevant to the business will make it harder for employers to rely on these regulations than it might first seem, and it is likely that the courts would give this a narrow meaning. One of the more obvious effects of this requirement is that the interception of emails marked ‘Personal’ is unlikely to be justified unless serious wrongdoing (i.e. the commission of a crime) is suspected.
Employers who intend to monitor employees’ use of email and IT systems are well advised to ensure that they have a clearly drafted email and IT policy which they communicate to staff. This policy should make it clear what is and what is not considered acceptable in terms of internet use and emails (with particular emphasis on what level of personal use is tolerated), what the consequences of breach are and what methods the employer intends to use to ensure compliance (i.e. a full statement of the purposes for which monitoring will be undertaken and the form that monitoring will take). Any such policy should also cover the use of mobile telephones, laptops, BlackBerrys and similar devices.
The use of CCTV is referred to in the ICO’s Employment Practices Code; however, there is also a separate CCTV Code of Practice (an updated version of which has recently been published following a consultation exercise).
In many workplaces where CCTV is used, the main reason for the use of CCTV will not be to monitor workers, rather it is likely to be there for the prevention of crime or for health and safety purposes. Where this is the case, if the employer wants to be able to use the footage in connection with its employees (i.e. as evidence in a disciplinary context), staff need to be told this. The same impact assessment described above should be conducted where an employer intends to monitor customers and/or staff through CCTV. The cameras should only be used in high risk areas, and cameras and listening devices should not be installed in private areas such as toilets and private offices (except in the most exceptional circumstances where serious crime is suspected).
The growth in recent times of use of social networking sites such as Twitter and Facebook has complicated matters further. A thread of case law involving employee misconduct through their use of social media has developed over the last decade and one of the consistent themes emerging from those cases is the extent to which the employers in question have infringed the relevant employees’ right to privacy by accessing the employees’ social networking accounts.
Some of these cases have involved consideration of Article 10 of the European Convention on Human Rights as well as Article 8. Article 10 provides that everyone has a right to freedom of expression which can only be restricted in certain circumstances, one of which is for “the protection of the reputation or rights of others”. In Preece v JD Wetherspoons plc the Employment Tribunal considered the extent to which Ms Preece’s Facebook comments (concerning a customer) were private, before concluding that her comments on Facebook could not be considered to be private and that the action taken by Wetherspoons (Ms Preece’s dismissal) was justified in view of the risk of damage to its reputation.
However, another consistent theme to emerge from the relevant case law is the need for employers to draft and publish clear policies on the use of social media and IT systems generally. Excessive personal use of internet and email is one area where the courts have been quick to find that dismissals can be unfair if the rules haven’t been clearly communicated to staff. Organisations that want to take a ‘zero tolerance’ approach to use of social media or personal email accounts at work need to ensure that this is communicated to staff. Similarly, dismissing an employee for making negative comments about an employer (or its representatives/staff) is more likely to be held to be fair if employees are given an indication as to what is, and what isn’t, likely to be acceptable to the employer.
Covert monitoring can be justified but only in exceptional circumstances, for example as part of a specific investigation into a serious matter, i.e. the prevention or detection of criminal activity or equivalent malpractice. An example of how this has played out in an Employment Tribunal is the case of City and County of Swansea v Gayle. In this case the employee was dismissed for fraudulently completing timesheets stating he was at work when he was in fact at the local sports centre playing squash. A senior manager had seen him when he was meant to be at work and the employer hired a private investigator to video him entering and leaving the sports centre.
The Employment Tribunal at first instance found the dismissal unfair as it said the employer did not have a legitimate reason for covert surveillance – it already had all the evidence it needed to discipline Mr Gayle (i.e. the senior manager’s witness evidence). The EAT found this did not make the dismissal unfair, stating that the employer should not have been criticised for carrying out too thorough an investigation. Taking this a bit further (a bit too far in some commentators’ views), the EAT stated that the employee had no reasonable expectation of privacy when he was on public premises and was defrauding his employer. It is suggested, though, that this case be treated with some caution: whilst the covert monitoring did not, in the end, render the dismissal unfair, employers should ensure that they consider less intrusive alternatives before embarking on this course of action.
Monitoring of staff activity at work can be necessary for a variety of reasons. Generally speaking, as long as staff are aware of what is being monitored and why, this should cause no significant difficulties. However, an impact assessment should be conducted whenever any form of monitoring is being conducted. The more intrusive the monitoring is, the more serious the reason for it needs to be. Any information obtained through such monitoring must be kept securely and processed in accordance with the provisions of the DPA.
Employers also have to be mindful of the implied term of trust and confidence. An employer’s monitoring activities may, in some circumstances, constitute a breach of this duty, enabling the employee to resign and claim constructive dismissal or breach of contract.
Top tips for employee monitoring
- Carry out an impact assessment – the assessment should identify whether monitoring is necessary and, if so, what form it should take to achieve the best balance between employees’ rights to privacy and the employer’s needs for carrying out its business. Alternatives should be considered. A written record of the impact assessment should be kept, including the process used, the findings made and the conclusion reached
- If the monitoring is necessary, is it proportionate? If not, don’t do it
- Establish an electronic communications policy – the policy should include: the circumstances in which employees can use the employer’s systems for private communications; the extent and type of private use that is allowed; any restrictions on internet material that can be viewed or copied; what alternative methods of communication can be used to ensure confidentiality; the reasons, methods and extent of monitoring; how the policy is enforced; and the penalties for breaching it. Other policies will be relevant and you should ensure they are up to date, e.g. IT policy, disciplinary procedure, data protection policy, bullying and harassment policy, equal opportunities policy, social media policy and any BYOD (Bring Your Own Device) policy. Policies should be issued to staff at the outset of their employment and they should be asked to confirm that they have read and accepted their terms. Updates to any policies should be clearly communicated to staff
- Do you need employees’ consent? Consider whether employees need to be asked for their consent to be monitored. This will be required if the monitoring cannot be brought within any of the “necessary” grounds in the DPA. Consent must be freely given and unambiguous
- Notify employees of any intention to monitor in order to overcome any expectation of privacy – if CCTV footage is to be used to monitor employees (particularly if this is not the primary purpose for which it has been installed), they need to know
- Communicate the rules (particularly around personal use of internet and email) to all staff and ensure those rules are applied consistently and fairly
- Conduct training – training may be carried out to raise awareness of monitoring and its purposes. Managers should also be trained on what can and can’t be monitored and what they can do with information gathered
- Carry out regular audits – audits should be carried out at least annually to ensure that policies are current, relevant and being followed