< Back

Share |

Employee monitoring update

March 2017

Employee monitoring is a contentious issue but employers often need to ensure that employees are performing their duties and not exposing the employer to risks or wasting company time. This creates an immediate tension with the privacy and data protection rights of employees.

The courts have attempted to find a balance between the "personal" or "private" and the "work" or "public", with varying degrees of success and some surprising results. High profile employment examples include Game Retail Ltd v Laws, Williams v Leeds United Football Club and the Barbalescu case, which triggered a spate of near-hysterical newspaper headlines.

The legal issues

As the various methods of monitoring have developed over recent years, so has the regulatory framework governing their use.

Electronic forms of workplace surveillance involve the processing of personal data and are, therefore, currently regulated by the Data Protection Act 1998 (DPA) in the UK. Since most typical forms of monitoring (intercepting and archiving employee emails, tracking internet history, recording employee telephone calls, etc) will be considered “processing personal data” under the DPA, such activities must comply with the data protection principles. The Employment Practices Data Protection Code (Employment Practices Code) issued by the Information Commissioner to assist employers with interpreting the DPA is a useful source of (non-binding guidance).

However, employers will also need to navigate:

  • the Regulation of Investigatory Powers Act 2000 (RIPA 2000).
  • the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) (Telecommunications Regulations 2000).
  • the European Convention on Human Rights (ECHR) as incorporated into UK law by the Human Rights Act 1998 (HRA 1998).

GDPR

The General Data Protection Regulation (GDPR) will apply from 25 May 2018. While the GDPR does not explicitly change rules on employee monitoring, there are a number of provisions which will make it more difficult:

  • Basis for monitoring and processing etc. information produced by monitoring

Employers rarely seek to rely on consent for monitoring in case it is withheld, and some currently try to get round this by using implied consent. As discussed in our article, valid consent will be extremely difficult to achieve in an employment context. For more sensitive activities like monitoring, this is especially true.

Employers will need to look for other bases to justify the processing, most likely to be justification on an alternative ground such as legitimate interests based on the reasons for the monitoring, or legal obligations to maintain the security of the employee data.

  • Monitoring carried out by Non-EU entities (such as a US parent)

Non-EU established organisations will be subject to the GDPR where they process personal data about EU data subjects in connection with “monitoring” their behaviour within the EU. There is no carve out for monitoring (unlike in respect of goods and services offered in the EU, where mere accessibility of a site from within the EU is not sufficient and it must be shown that the organisation “envisages” activities will be directed to EU data subjects). In other words, if you monitor UK activities from the US, this data will be subject to GDPR obligations and breaches will be subject to the penalty regime.

  • PIAs likely to be required prior to monitoring

Employee monitoring is likely to be considered as “high risk” processing in which case a detailed privacy impact assessment (PIA) must be undertaken and documented. If the PIA outcome shows there is a high, and unmitigated risk for the employees, the employer (and/or any other data controller – bear in mind any third parties involved in monitoring) must notify the national data protection authority and seek advice on the adequacy of any measures intended to reduce the risks as set out in the PIA.

While the GDPR will go some way to harmonising matters in the EU, transnational employers seeking to carry out monitoring in multiple jurisdictions may still find disparity between EU regimes with some applying greater restrictions. The Secrecy of Telecommunications Act in Germany, for example, makes it a criminal offence for employers to open and review personal emails of employees, and Germany has already indicated that it may impose greater restrictions than those imposed by the GDPR where there is scope to do so.

In addition, employers should remember:

  • the duty of trust and confidence implied into an employee's contract of employment is also relevant as the employer's monitoring activities may constitute a breach of this duty, depending on the circumstances;
  • if disciplinary action is taken against an employee, the concept of fairness as developed in the Employment Rights Act 1996 (ERA 1996) and unfair dismissal case law is relevant, as are the procedural requirements of the Acas Code of Practice; and
  • employees who believe they have been unfairly targeted by their employer's monitoring activities could also claim they have been unlawfully discriminated against as a result of their sex, race, age, disability, religion or sexual orientation.

Given that employees often do not distinguish between personal and business-related communications (even though employee handbooks often require them to do so), this creates a host of issues for employers seeking to legitimately monitor business-related emails.

If an employer's monitoring activities are aimed at uncovering illegal or unsafe practices in the workplace, the employer might cite their duty to provide a safe system of work for their staff and to take reasonable care of their employees' health and safety as a justification.

Monitoring of informal communications

Despite wild media reports, Barbulescu simply restates the existing case law and confirms that employers can access private communications but only where there has been an element of pre-warning and the premise of the intrusion is a legitimate one. The employee in question sent intimate messages to his fiancée and brother using his work-related Yahoo Messenger account, in breach of his employer's prohibition on personal use. The messages were printed by the employer and used in disciplinary proceedings, as well as in the consequent court proceedings.

The European Court of Human Rights held that the monitoring of the employee's internet usage and the use of Yahoo messages in disciplinary proceedings was a proportionate interference with his Article 8 right to privacy, and that it was not unreasonable for an employer to want to verify that employees are working during working hours, even where no actual damage has been alleged. This was despite the employee's claim that the Yahoo Messenger account contained only professional communications.

The court was clear that warning the employee was key, as highlighted in Copland v United Kingdom. Here, since no pre-warning had been given with regard to monitoring of personal activities, the ECHR considered that the employee's Article 8 right had been breached even though the purpose of the monitoring was legitimate.

Use of historic correspondence

As was established in Williams v Leeds United Football Club, (and subsequently in British Waterways Board v Smith among others) employers can rely on historic emails as evidence of prior acts of gross misconduct. A senior employee received an email at his work address, containing a spoof Powerpoint presentation that included a series of pornographic images. He forwarded it to a junior female colleague and to two friends who worked elsewhere. The employer did not discover this until over five years later, on a 'fishing expedition' to find a way to avoid paying the employee his notice pay after giving him notice of termination. The employer had a policy forbidding use of the email system to send, among other things, obscene images, although the employee had never been given a copy of the policy.

How this will fit with the increased obligations under the GDPR with regard to the transparency and consent requirements, remains to be seen (and there are likely to be difficulties with this under the GDPR). That said, as long as employees have been clearly informed, and employers can justify the monitoring and related processing, storage and other handling of such data, any such risks will be limited and may pale into comparison when balanced against other commercial interests of the business.

Monitoring and use of non-work related social media

The Game Retail and Creighton v Together Housing cases (following a series of Employment Tribunal and EAT decisions in relation to social media, including Crisp v Apple Retail, Trasler v B&Q, Smith v Trafford Housing Trust), highlights the difficulties in distinguishing between the private and work spheres.

In Game Retail, the employee had posted 28 offensive tweets containing expletive and obscene language on his personal Twitter account during non-work time. They included "this week I have mainly been driving to towns the arse end of nowhere ... shut roads and twats in caravans = road rage and loads of fags smoked". The employee's personal Twitter account was followed by the Twitter accounts of 65 of the employer's stores, albeit this was a personal account which he used to follow store-based Twitter accounts in order to monitor any inappropriate activity by employees, which did not specifically associate him with the employer. The employer investigated and ultimately dismissed the employee, using the tweets from this account as evidence.

In this instance, the Tribunal and EAT struggled with the concept of what was private and what was work related. Very little, if any, consideration was given to data protection and privacy expectations from this perspective, and it would be tempting to speculate that the outcome might have been different under the GDPR.

What can employers do?

The starting point is that employers can still monitor employee activity. They simply need to be careful about the lawful basis for it, how they communicate the monitoring to employees and how they treat the data collected.

  • As good practice, employees should be fully informed as to what monitoring takes place and why (covert monitoring may only be justified where there are grounds for suspecting criminal activity).
  • Employers should put in place clear policies with regard to monitoring communications. These should be communicated and brought to the attention of staff members.
  • Where it is necessary for staff to have access to information obtained through monitoring, make sure that access is limited to those who need to have access (and consider why each individual requires access to that information). Further, those staff members should be given appropriate training on data protection and security.
  • Monitoring should be limited, targeted and time-bound. Monitoring of the content of emails, for example, should be proportionate to the purpose to be achieved.
  • Employers should have regard for private communications in which employees have an expectation of privacy. Emails that are clearly personal, for example, should not be opened unless there are clear grounds for concern and for doing so (such as grounds for suspecting criminal activity or the transfer of confidential or sensitive commercial data).
  • Employers should consult with employee unions and Works Councils if relevant

With regard to methods of communication which have not been part of traditional workplace communications (such as instant messenger and chat functions) or traditional monitoring (such as whatsapp communications on a work device), employers should:

  • set out clearly what their expectations are with regard to privacy and employee behaviour, and what monitoring will take place; and
  • make clear that any communications using employer devices or informal communication methods may be subject to monitoring and used as evidence in the event of inappropriate behaviour, breach of obligations and/or criminal activity.
  • Employers should carry out data protection Privacy Impact Assessments prior to any monitoring taking place, which should highlight specific concerns and risks and/or benefits to the business that the monitoring is designed to target, and ensure these are justified and balanced as against employee rights.
  • Employers should consider alternative and less intrusive ways to achieve business objectives and protect their business which could reduce any negative impact or intrusion on employees as well as the risk of any breach of obligations under the GDPR and protective legislation referred to above. The assessment should be appropriately documented and, provided the process has been carried out diligently, this should assist in the event of an alleged breach in tandem with other policy documents and training materials (particularly in light of the increased evidencing obligations under the GDPR).

What to take away?

In short, it is important for employees to understand how their use of email, communications and social media fits with their employer's policies. It is also important for employers to treat employees with respect, and to keep monitoring of their employees to no more than is needed to manage the business risks.

While this is a difficult balance to find, keeping these two basic principles in mind should promote both greater compliance on the part of the employee and better working relations. To put it another way, employers should be open with employees and if they feel uncomfortable informing employees about exactly how they intend to monitor them, it is probable that insufficient justifications exist for doing so.

By being transparent, employers are likely not only to protect the crucial relationship of trust with employees but also to be able to evidence compliance with accountability, information and transparency obligations. This will be particularly important under the GDPR.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

Employee monitoring update
Stephanie Creed

Stephanie Creed      


Stephanie looks at the rules on employee monitoring in the context of the GDPR and recent case law.

"It is important for employers to treat employees with respect, and to keep monitoring of their employees to no more than is needed to manage the business risks."