Use of the internet and email by employees can lead to issues for employers including discrimination and harassment, loss of confidential information, defamation and loss of reputation. There is now a wealth of technology which will allow employers to monitor their staff but there are limits on what an employer can do with this technology. The Information Commissioner’s Employment Practices Code (November 2011) states as a general principle that employees have a legitimate expectation that they can keep their private lives private and that they are also entitled to a degree of privacy in the workplace. If employers wish to monitor their workers, they should be clear about the purpose of the monitoring and satisfied that the particular monitoring arrangement is justified by real benefits that will be delivered.
An employer will also need to ensure that by using such technology, it does not risk an employee arguing that trust and confidence between employer and employee has broken down which could lead to the employee resigning and claiming unfair dismissal, or that it breaches the legislation which governs what employers can do in relation to monitoring their staff (e.g. the Data Protection Act 1998, the Human Rights Act 1998 and the Regulation of Investigatory Powers Act 2000). This article explores some of the steps that an employer should take to ensure that monitoring is lawful.
If an employer is proposing to monitor its employees, it should first conduct an impact assessment. The assessment should examine whether the monitoring will achieve a balance between allowing employees to enjoy privacy in the workplace and ensuring that the interests of the business are protected. The employer should also consider the purpose for which it wishes to carry out the monitoring, the adverse impact the monitoring will cause employees, alternatives to carrying out monitoring and the justification for the monitoring. The outcome of the assessment, including the reasons why the monitoring can be justified, should be recorded in writing.
Employers should tell employees: what type of monitoring is taking place, the reasons why they are monitoring their employees, the information that will be obtained from the monitoring, how the information will be used and who will have access to the information. The Employment Practices Code states that, if monitoring is to be used to enforce an organisation’s rules and standards, then the rules and standards should be clearly set out in a policy which also refers to the nature and extent of monitoring. It will not be enough to bury the policy in a Handbook. Instead, employers should be proactive in ensuring their workers are aware of the policy, remain aware of it and are also aware of any changes to it. Practical steps that the employer could take to do this include: making training on the policy part of the employee induction process, continuing to train employees throughout their employment on its meaning and effect and setting up its IT system so that employees have to read the policy from time to time when accessing the internet. Messages on the IT system could also be used to highlight changes in the policy to employees. Employers should also inform third parties that their communications may be monitored (e.g. in the footer of emails) so far as it is possible to do so.
Some employers may feel that they would prefer not to tell employees that they are being monitored. However, covert monitoring can only be justified on a very limited basis (e.g. if an employer suspects criminal behaviour) and should only be used in exceptional circumstances as part of a specific investigation. Such monitoring must be strictly targeted and the information obtained as a result of the monitoring should be used for no longer than is necessary. Additionally, the evidence obtained from covert monitoring should only be available to a limited group of people.
Finally, employers should note that informing employees is not the same as having their consent to being monitored, even if the employees do not object to the monitoring being carried out. Although consent is not defined under the Data Protection Act 1998, Directive 95/46/EC (which governs the protection of individuals with regard to the processing of and free movement of personal data) states that consent must be unambiguous, freely given and informed. There has been some debate over whether a clause in an employment contract stating that an employee consents to monitoring will fulfil these requirements due to the inequality in bargaining power between the parties. Even if an employer has the consent of its workers to monitoring, it will still need to fully inform employees that monitoring is being carried out.
It is important that any information gained as a result of employee monitoring is stored correctly. Employers should have a retention policy which explains to employees how much information about calls, emails and internet access is kept in the system and for how long this information will be kept. As stated above, it should also be made clear to employees who will have access to the information.
Employers should be aware that laws which deal with the interception of communications will also be relevant when they are proposing to monitor their employees. The Regulation of Investigatory Powers Act 2000 (RIPA) makes it unlawful in certain circumstances to intercept a communication in the course of its transmission in the UK. Interception is defined in RIPA as “monitoring or interference” with a private telecommunications system making some or all of the contents of the communication available to a person other than the sender or intended recipient while the communication is being transmitted. If the interception of a communication is unlawful then the sender, recipient or intended recipient can claim damages against the employer.
The best way for an employer to get lawful authority under RIPA to intercept a communication is to obtain consent from both the sender and recipient of that communication. However, it is likely to be impractical for employers to get consent from both parties for every email that is sent and received by their employees and/or every call that is made or received by their employees. Instead, employers who wish to carry out such monitoring should consider whether they can monitor communications under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the Regulations). The Regulations allow monitoring to establish the existence of facts relevant to the business for a list of purposes specified in the Regulations. This list includes compliance with regulatory or self-regulatory practices or procedures, detecting unauthorised use and preventing or detecting criminal activity.
The Regulations allow employers to carry out such monitoring on business communications systems if they have made reasonable efforts to inform people of the interception. If an electronic communications policy has been put in place then this may be sufficient to inform employees (as long as the policy provides sufficient details to employees as to what may happen to their emails, phone calls, etc.). There is some debate about whether employers need to inform third party users of the system. The Information Commissioner’s Office has stated that outside callers or senders of emails will not fall within the definition of users of the system and this was also the view of the Government at the time that the Regulations were made. However, employers may want to include notice of the monitoring at the beginning of calls as a recorded message, in email disclaimers at the end of an email and/or on their websites. The limitation which only allows monitoring of emails and calls that are business communications may also be problematic for employers because, until they have opened an email or listened to a call, it will be difficult for them to know whether it is a personal or business communication. Employers should look carefully at the subject or sender of each email and avoid opening anything which is clearly personal unless there is a very good reason to do so (e.g. they are concerned that a criminal offence may be or has been committed). If an employer has intercepted a call and it becomes obvious that it is a personal call, the employer should immediately cease listening to the call.
Finally, employees have a right to privacy under the Human Rights Act 1998 which extends to the workplace. An employer would therefore need to have a strong justification for carrying out covert monitoring.