Employers should be cautious after a recent decision was widely reported as a 'green light' to read employees' person communications at work; this is not the case.
The European Court of Human Rights (ECtHR) recently ruled on the right to privacy at work in the case of Barbulescu v Romania. The case received considerable media coverage and involved an employee who was dismissed for using his employer's internet for personal purposes during working hours.
The Claimant was an engineer who sent private messages to his family using his business Yahoo Messenger account on his employer's equipment. Acting upon a suspicion, the employer took action and during the disciplinary process, it reviewed the usage of the Claimant's Yahoo Messenger correspondence for a number of days collating a 45 page transcript. It discovered that the Claimant, despite his denials, had been using the account to contact his girlfriend and brother during working hours. Some of the messages reviewed referred to the Claimant's health and sex life (both amounting to sensitive personal data).
The Claimant was dismissed and brought proceedings against his employer in Romania; he then took his case to the ECtHR, arguing that his dismissal was based on a violation of his right to privacy. The Court considered the extent to which the Claimant's employer was legally entitled to read his private messages before breaching his right to respect for private and family life, home and correspondence (enshrined in Article 8 of the European Convention on Human Rights).
Although deciding that Article 8 was relevant, the ECtHR ruled, by a majority, that the monitoring of the Claimant's messenger usage and the reliance on the private messages in the disciplinary process and the later Court proceedings in Romania was acceptable. Ultimately it was held to be a 'proportionate interference' with the Claimant's rights under Article 8.
The Court held that the monitoring of the communications was both pursuant to the employer's existing rules and policies and proportionate in the context of the disciplinary proceedings.
Media commentary on the decision suggested the ECtHR's ruling was an infringement of basic civil liberties and Article 8 rights. The impression has been given that the case means employers can freely monitor their employees' personal communications but, this is misleading and the case is not necessarily as significant as it has been portrayed.
Not a new concept
Unusually the employer had a blanket ban on sending personal messages whilst at work and the employee was aware of this and had been given prior warning that his employer could check his messages. He had also been instructed by his employer to set up the Yahoo Messenger account solely to answer client queries; this was then accessed on 'the assumption that the information in question had been related to professional activities'. The employer also owned the device which was used and the monitoring was in accordance with their policies.
The ECtHR held it was, 'not unreasonable that an employer would want to verify that employees were completing their professional tasks during working hours'.
The ruling is, in reality, reemphasising the current position and follows the previous stance of the ECtHR on employees' expectation of privacy at work. The decision does not override the position under the Data Protection Act 1998 (DPA) or the Regulation of Investigatory Powers Act 2000 in the UK which impose significant limitations on the ability of employers to carry out monitoring of their employees both on and offline.
The current position
The DPA does not prohibit employers from monitoring their employees as long as personal data is 'fairly and lawfully processed for specified purposes'. Employers are able to monitor communications where this is objectively justified and strikes a fair balance between individuals' rights and the interests of employers. What does that mean?
Generally, that employers have a good business reason for the monitoring, for example, to check the quality and quantity of work or to fulfil a legal obligation and that employees are aware of the nature, extent and reasons for the monitoring being carried out. This could be achieved by setting out the information in a workplace policy and making sure this is brought to the individual's attention for example, in an induction or training session.
Individuals may have a legitimate expectation of privacy even where they are sending and receiving communications at work and on their employer's equipment. Interference with that privacy must therefore be for a good reason and done in a reasonable and proportionate way.
The Information Commissioner's Office (ICO) has issued good practice guidance in relation to employee monitoring. In particular, the ICO suggests that businesses conduct a privacy impact assessment to determine whether or not employee monitoring is justified and proportionate. This will involve: identifying the purpose(s) for the monitoring, identifying the benefits it is likely to deliver, identifying any adverse impact on employees (or others) of the monitoring, considering what if any alternative arrangements could be put in place, taking into account the obligations which arise from monitoring (i.e. ensuring any data gathered is processed in accordance with the DPA) and, taking the above into account, accessing whether monitoring can be justified?
Considerations for employers:
- Where employees are expected to work long hours a blanket ban on personal internet usage at work is unlikely to be practical (or popular) particularly in office based roles. Employers should have a clear policy that sets out what is and is not acceptable together with details of what access the employer will have to communications in the workplace and on company devices. Such policies should be brought to the attention of employees. Where appropriate, express consent to monitoring should be sought from employees
- A balance must be struck which allows employees to manage their work and home lives concurrently but within reason. Employers should recognise that policies and procedures should allow for a reasonable amount of flexibility but when necessary be enforced fairly and consistently
- Employers should take steps to ensure that any policies or procedures governing monitoring are reasonable and justified by a legitimate aim and supported with companywide compliance with the DPA. To be compliant employees should be made aware of the nature, extent and reasons for the monitoring being carried out and how their personal data will be processed.