Be very wary of sending personal emails at work as there is a strong chance your employer is monitoring them. A recent European Court judgment found that Article 8 of the European Convention on Human Rights (‘ECHR’) (the ‘right to a private life’) was engaged when an employer monitored an employee’s messaging account, but that this interference was justified.
Mr Bărbulescu worked in sales and was asked to create a Yahoo Messenger account by his employer to respond to client enquiries. In July 2007 he was informed that communications through this account had been monitored for a period of 9 days. The employer’s records demonstrated that he had used the account for personal purposes, something expressly prohibited by the company’s policies.
When Mr Bărbulescu argued that he had only used the service for professional purposes, his employer presented him with transcripts of his communications, including personal messages to his brother and fiancée, including some messages of an intimate nature. The company subsequently dismissed Mr Bărbulescu.
The Court found that “it is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours” and that the employer’s monitoring in this instance was “limited in scope and proportionate”. It dismissed Mr Bărbulescu’s claim for breach of Article 8 of the ECHR.
The Court placed reliance on the fact that the employer had accessed Mr Bărbulescu’s account believing it contained client-related communications, and his employer sought to rely solely on the proof that personal communications had taken place but not the content of those communications. Further, the employer had not looked at any other data or documents on Mr Bărbulescu’s computer. It is therefore important to note that this judgment does not (yet) give a legal basis for employers to necessarily monitor the content of employees’ private communications. There is always a balancing act to be carried out on the specific facts of each case. For example, if an email obviously referred to an employee’s medical information, whether or not it was on a work account, then as sensitive personal data it is likely to be regarded as a breach of privacy for an employer to read it.
The decision in this case does not overrule previous ECHR case law on the reasonable expectation of privacy. Existing UK legislation such as the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000 also remain unaffected. These place important limitations on employers' powers to monitor employees' private communications, which must also be considered.
This case serves as a useful reminder to employers about the requirement for clear and effective policies covering the acceptable use of IT, internet and social media. These policies should, at the very minimum, make clear when or if personal use may be permitted, and the level of monitoring the employer carries out.
Company devices such as smartphones can cause particular difficulties. To remove any doubt about whether personal use is permitted and, if so, to what extent, all employees should read and be required to acknowledge the organisation’s internal policies. Any specific incidents of misconduct should be dealt with following the usual disciplinary procedures.