In the recent case of Bărbulescu v Romania the European Court of Human Rights (ECtHR) handed down a decision on the right to privacy under Article 8 of the European Convention on Human Rights in the context of an employer’s monitoring of private messages sent by an employee.
Headlines in the press suggested that the law had changed and that employers were at liberty to do whatever they wanted to in relation to the interception and monitoring of employees. This is not true and the headlines are inaccurate. The law has not changed.
Before going further, the issue of monitoring employee communications at work is complex, fragmented and very dry. The law is not in one place and the rights of employees and employers have to be teased out of various sources. For those of you without a strong coffee in front of you, please feel free to go straight to the Speedread summary below.
The Bărbulescu Case
Mr Bărbulescu was an engineer working for a heating company. At his employer’s request he set up a Yahoo Messenger account to deal with client enquiries. Subsequently, Mr Bărbulescu’s employer informed him that they had monitored his Yahoo Messenger communications over the course of a week and that he had used it for personal purposes in contravention of the employer’s internal rules, which prohibited any personal use whatsoever of the company’s computers, internet or telephones.
Mr Bărbulescu was dismissed for personal internet use at work, contrary to the employer’s internal rules. As part of its investigation, the employer accessed his private messages sent to friends and family relating to personal matters and discovered he had used the internet for personal purposes, contrary to internal regulations. These messages were used in the disciplinary proceedings as well as in the subsequent court cases.
Mr Bărbulescu argued that the Romanian courts should have excluded all evidence of his personal communications on the grounds that it infringed his rights to privacy.
The Romanian courts upheld the employee’s dismissal, and so he applied to the ECtHR. The Court agreed with the Romanian court and held that the monitoring and use of the personal messages was a proportionate and reasonable interference in his Article 8 rights.
It is important for employers to have at least a broad understanding of the law surrounding the monitoring of employees and how it affects what monitoring employers are permitted to undertake:
- Human Rights Act 1998 (HRA) and European Convention on Human Rights (ECHR)
The HRA incorporates the ECHR into UK law. Only public authorities are expressly subject to the HRA. However, before private employers ignore this section, it is important to be aware that the HRA is relevant to all employers (including the private sector) because courts and tribunals must interpret all legislation (both past and future) consistently with the rights incorporated by the HRA as far as possible.
Article 8(1) of the ECHR states that “everyone has a right to respect for his private and family life, his home and his correspondence”.
However, this is not an absolute right and interference with the right is allowed where it is:
- in accordance with the law;
- in pursuit of one of the legitimate aims listed in Article 8(2), that is, national security, public safety, economic well-being, the prevention of disorder or crime, the protection of health or morals, or the protection of the rights and freedoms of others;
- necessary in a democratic society.
The legitimate aim for most employers will be protecting business interests and ensuring employees are working during work hours.
The ECtHR has previously concluded that Article 8 was infringed where:
- there was no IT policy in the workplace and
- the employee was not told that they might be monitored.
We refer to this below.
- Regulation of Investigatory Powers Act 2000 (RIPA)
Surveillance in the UK is governed by RIPA, which seeks to provide the legal basis in the UK as required by Article 8.
RIPA concerns the interception of communications in the UK “by, or with the express or implied consent of a person having the right to control the operation or the use of a private telecommunication system”. If such an interception is “without lawful authority”, it is actionable by the sender, recipient or intended recipient if the interception is either:
- an interception of the communication in the course of its transmission by means of the private system, or
- an interception of the communication in the course of its transmission, by means of a public telecommunication system, to or from apparatus comprised in the private telecommunication system.
So, if an employer’s internal telephone or computer systems are attached to public telecommunication systems, the employer’s interception of employees’ emails or messages would be caught by this legislation. If the interception is unlawful the sender, recipient or intended recipient of the communication can claim damages against the employer.
However, the employer will not be liable if it intercepts communications “with lawful authority”; that is, in the manner allowed by RIPA or the Telecommunications Regulations 2000.
- Telecommunications Regulations 2000
The next piece in the jigsaw for employers who wish to monitor employees is the Telecommunications Regulations 2000. These provide for circumstances where, in a business context, it is lawful (for the purposes of RIPA) to intercept communications without consent. RIPA provides:
- To establish the existence of facts relevant to the business, businesses can monitor or record communications without consent to:
  - ascertain compliance with the regulatory or self-regulatory practices or procedures relevant to the business;
  - ascertain or demonstrate standards which are or ought to be achieved by persons using the system;
  - prevent or detect crime;
  - investigate or detect the unauthorised use of the telecommunications system;
  - ensure the effective operation of the system.
- Regulation 3 also allows businesses to monitor but not record without consent for the purposes of:
  - determining whether the communications are relevant to the business;
  - monitoring communications to a confidential anonymous counselling or support helpline.
This gives employers a fair amount of latitude to monitor.
- The Data Protection Act 1998 (DPA)
Monitoring an employee’s use of email and the internet involves the processing of personal data and so the DPA must be considered. It is important for employers to have an awareness of the eight key principles set out in Schedule 1 of the DPA which apply to the processing of personal data. For example, personal data should be processed fairly and lawfully and personal data shall be obtained only for specified lawful purposes.
- The Employment Practices Code
The Employment Practices Code is issued by the Information Commissioner to sit alongside the DPA. The Code contains the Information Commissioner’s recommendations on how to meet the legal requirements of the DPA. Employers should be aware of Part 3 of the Code which considers monitoring in the workplace. The main principles of the Code are:
- It will usually be intrusive to monitor your workers.
- Workers have legitimate expectations that they can keep their personal lives private and that they are also entitled to a degree of privacy in the work environment.
- If employers wish to monitor their workers, they should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by real benefits that will be delivered.
- Workers should be aware of the nature, extent and reasons for any monitoring, unless (exceptionally) covert monitoring is justified.
- In any event, workers’ awareness will influence their expectations.
Speedread – What it all means
As we have said above, the law is disparate and in our view not clearly drafted. We have distilled the key points below.
- Monitoring of employees’ IT use and systems at work can be lawful. This is clear. There is no overarching right to privacy which allows employees to do what they like at work when using an employer’s IT systems, provided the use is private.
- Employers need to consider what monitoring they need and why they are monitoring.
  - What is it you are trying to control?
  - What types of monitoring are or could be carried out if the technology’s full capabilities are used?
  - Who has authority to carry out the monitoring?
  - For what purposes can monitoring be carried out?
- Carry out an impact assessment. The Employment Practices Code recommends that employers undertake impact assessments to demonstrate they have achieved the desired balance between:
  - allowing workers to enjoy privacy in the workplace;
  - ensuring the interests of the business are protected.
- Employees need to know. Employees must have a clear understanding of:
  - when information about their email use will be obtained;
  - why it is being obtained;
  - how this information will be used;
  - who it will be disclosed to.
- Employers should take advice. You might say this is an easy thing for us to say and that it suits lawyers to say this. Believe us, this is an area where it’s well worth spending a few pounds with your chosen lawyer.
- Do not try to do this without a policy. You need a set of written rules and guidelines. This is set out in a policy.
- Make sure your monitoring policy works with your other rules, such as working from home and your disciplinary policy.
- Data Protection. In your day-to-day monitoring, make sure you comply with the DPA.
- Personal devices and social media. Think also about related issues such as the use of personal devices and social media.
It is beyond the scope of this article to set out precisely what should go into a policy to address these issues. However, we advise you not to lift a policy off the shelf or just accept what your lawyers or HR consultants give you. Tailor the policy to your business. You should have a policy or policies covering:
- IT use at work (use of email, message services and internet provided by the employer);
- social media use;
- personal IT use at work (using your own phone or tablet in work time).
Some employers have one policy covering all of the above; some split it up. Once you have your policy:
- issue the policy to all employees, existing and new;
- consult where appropriate;
- train employees and managers;
- review and revise it periodically (this is an area developing fast).
Where does this leave us?
In short, nothing has changed. The case of Bărbulescu should not be seen by employers as providing them with a laissez-faire right to access employees’ personal emails or messages. In this case, the ECtHR recognised the need for employers to be able to verify that employees are completing professional tasks during work hours. Importantly, the decision does not overrule previous ECtHR case law on the reasonable expectation of privacy, and nor does it override existing UK legislation, including the DPA and RIPA, which place important limitations on employers’ power to monitor their employees’ private communications.
There are clearly different levels of monitoring that can take place but whatever is done should be proportionate and with an awareness of an employee’s right to privacy. Employers, therefore, are still tasked with the tricky balancing act of an employee’s Article 8 rights to privacy and the employer’s own interests.