A new Employment Appeal Tribunal (EAT) ruling raises important questions about when employees can have a reasonable expectation of privacy in respect of material on their personal devices. The EAT ruled that there was no breach of an employee's right to a private life when his employer used emails and photos obtained from his mobile phone by the police in the course of a criminal investigation for disciplinary purposes (Garamukanwa v Solent NHS Trust).
This follows last year's judgment of the European Court of Human Rights that an employer had not breached an employee's right to privacy when it reviewed Yahoo! Messenger conversations between an employee, his girlfriend and his brother, which contained intimate details about his health and sex life (Barbulescu v Romania). That case was hailed by many as conferring on employers the right to read their employees' private communications; but in reality, it did nothing of the sort. Barbulescu merely applied long-established principles from earlier case law, indicating that where an employee has an expectation of privacy, "monitoring should be a proportionate response by an employer to the risks it faces taking into account the legitimate privacy and other interests of workers".
There is, in effect, a two-stage test:
- Is there an expectation of privacy?
- If so, was there a legitimate reason for the intrusion and were the means chosen proportionate?
Garamukanwa concerned an NHS trust that used material obtained from the police in disciplinary proceedings against an employee. The police had previously seized the material in the course of a criminal investigation. The employee's complaint was that his right under Article 8 of the European Convention on Human Rights had been infringed by his employer examining matters relating purely or essentially to his private life and using evidence in relation to such matters to justify its decision to dismiss him.
After a relationship between Garamukanwa and a nurse ended, he suspected that she had started another relationship with another staff member. There was a campaign of anonymous letters and emails (some indicating that the author may have been following the couple) and a fake Facebook account to which the names of 150 trust employees were added. The nurse complained to the police, but no charges were brought against Garamukanwa.
When the trust began an internal investigation, the police handed over material taken from Garamukanwa's mobile phone. This included a photograph of a sheet from a notebook containing email addresses, which suggested that he was the author of the anonymous emails. The trust made a connection between Garamukanwa and the malicious emails and he was subsequently dismissed.
The EAT confirmed that whether an employee has an expectation of privacy depends on the facts of the individual case. Did Garamukanwa have a reasonable expectation of privacy in emails and photographs which the police had obtained? Based on these facts, the answer was no. He could not have an expectation of privacy in relation to material regarding a personal relationship with a work colleague, as his own conduct had turned this personal issue into a workplace issue.
Garamukanwa argued that the trust had failed to distinguish between public material (eg, the anonymous email sent to the trust's staff and managers) and private material (eg, emails sent to his former girlfriend about his feelings and their relationship, and photographs on his phone, which were not sent to anyone). Reliance on private material unjustifiably breached his right to a private life, rendering the dismissal unlawful.
The EAT disagreed with this contention, ruling that Garamukanwa had no expectation of privacy in respect of what he called "private" material because he brought it all into the workplace and used work email addresses. There were also adverse consequences in the workplace for employees to whom the trust owed a duty of care.
It is interesting that the EAT decided that Garamukanwa had absolutely no expectation of privacy regarding his interaction with his former girlfriend. It was perhaps not necessary to go that far. Many of the factors which the EAT considered would prevent an expectation of privacy arising were matters which would definitely justify the intrusion (because the trust had a duty to intervene to protect the other employees from the campaign of harassment). While it is clear on the facts why the EAT reached the conclusion it did, employers should be wary of assuming that an employee has no expectation of privacy just because something is on workplace systems or affects colleagues.
Instead, employers should consider what the relevant policies say (eg, any policy on acceptable use):
- Do these policies expressly indicate that communications may be monitored and, if so, in what circumstances?
- Do they go on to state that, because correspondence may be reviewed and read for business reasons, employees should have no expectation of privacy on anything sent or received via workplace systems?
- Do the policies apply to all users, as opposed to their application being confined to employees only?
- Is appropriate language concerning monitoring and investigations included not only in acceptable use policy, but also in social media and bring your own device/choose your own device policies?
Employers with policies of this kind will be well placed to defend any claim that a user's privacy has been infringed, but should not stop there. Before undertaking any form of monitoring or investigation, an impact assessment should be conducted and documented which balances the reason for the intrusion against the extent of the intrusion.
Referring back to the two-stage test, any intrusion should be a proportionate response to an identified risk. If an expectation of privacy arises on the facts, the employer needs to demonstrate that it satisfies the second limb of the test: namely, that it had a compelling reason and that its intrusion was no greater than necessary to address the identified risk.