This year we have seen a high-profile European court case and new guidance from the Article 29 Working Party (the data protection advisory body made up of representatives from the data protection authorities in each EU Member State) (“29 WP”) confirming the legal position and providing guidance on monitoring employees at work.
What is the legal position?
Monitoring of employees at work involves the processing of personal data and, as such, is regulated by data protection legislation (currently the Data Protection Act, soon to be replaced by the General Data Protection Regulation/the Data Protection Bill). The legislation is overseen by the Information Commissioner’s Office (the “ICO”), which has produced the Employment Practices Code (the “ICO Code”), providing guidance in this area to assist employers in navigating the legal requirements.
The ICO Code emphasises that an employee’s private life extends to the workplace and employees have an expectation of privacy at work even when they have been informed that workplace monitoring may take place. This does not prevent employers from monitoring employees in the workplace, but careful consideration needs to be taken prior to any monitoring taking place.
Employers should, as a minimum, undertake the following steps prior to conducting monitoring:
- Undertake a data protection impact assessment (“DPIA”).
  - This does not need to be formal or complicated, but should identify the purpose of the monitoring, the adverse impact on employees, whether there are less intrusive means of achieving the aim and whether the monitoring is justified.
- Consider and document the legal grounds for processing personal data in the context of monitoring.
  - Consent is unlikely to be valid in an employment context, but the employer’s legitimate business interests may be relied on depending on the circumstances.
- Inform employees that monitoring may take place.
  - The policy should include the nature and extent of the monitoring and the fact that the content of messages may be accessed.
- Only use information obtained through monitoring for the purpose for which the monitoring was carried out.
  - Unless the monitoring leads to the discovery of an activity that an employer could not reasonably be expected to ignore.
- Keep secure any personal data obtained through monitoring and permanently delete it when it is no longer necessary.
  - This includes limiting the staff who have access to the data and providing appropriate data protection training.
29 WP Opinion
The 29 WP provided their opinion on data processing at work in June. This opinion reflects the same themes as the ICO Code but provides up to date guidance considering the latest technological developments that enable more intrusive and pervasive monitoring.
The opinion highlights that employers must consider the proportionality of the monitoring and whether other actions could be taken to mitigate or reduce the scale and impact of the monitoring on the employee’s privacy.
Employees should also be informed (via an understandable and readily accessible workplace monitoring policy) of any monitoring, its purposes and circumstances, and the level and areas of control that employees have over their data.
European court decision
The European Court of Human Rights (“ECtHR”) has recently ruled in the case of Bărbulescu, providing guidance on the extent to which employees’ communications can be monitored in the workplace.
This case concerned an employee (B) who was dismissed for breaching his employer’s policy which stated that the use of work computers for personal use was prohibited. The employer had produced transcripts of B’s personal communications during the disciplinary procedure to show that there had been a breach of policy.
The ECtHR held that the employer had breached B’s right to privacy because it did not inform him of the monitoring in advance, nor did it tell him that it may access the content of his communications.
The previous courts had also failed to determine the reasons justifying the monitoring and whether these were proportionate to the purpose or whether the employer could have used less intrusive measures to achieve the same result.
What does this all mean in practice?
- Employers can monitor employees’ emails at work but need to approach this with caution and careful consideration.
- Follow the ICO Code and 29 WP opinion, including conducting a DPIA prior to undertaking any monitoring, considering whether it is possible to achieve the objective through less intrusive means and ensuring policies clearly notify employees that monitoring takes place, why, and that the content of emails may be viewed.
- If emails are identified as or are clearly “personal”, do not open them unless there is a real risk of serious harm to the business and, where possible, inform the employee in advance that the content may be viewed.
By Sarah Thompson, employment lawyer, McGuireWoods