Unrestricted use of email, social media and file hosting services can have damaging effects on employers’ reputation and business. Bullying, discrimination, defamation, virus exposure, lost productivity and transferring confidential information and trade secrets are just some of the issues that can arise from misuse of telephone, email and Internet at work.
Monitoring workers’ use of communication systems or their surveillance by CCTV may seem like a good way to protect business interests. However, this must be balanced with, and not infringe, workers’ privacy and data protection rights.
Expectation of Privacy
Workers do not leave their privacy and data protection rights at the door when they come into work each day. Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (“ECHR”) provides that “everyone has a right to respect for his private and family life, his home and his correspondence”. The European Court of Human Rights (“ECtHR”) has found that this privacy right applies in the workplace, as workers are not limited to life within the home. In Copland v United Kingdom the ECtHR concluded that Article 8 was infringed where there was no IT policy in the workplace and the employees were not told they may be monitored.
However, a worker’s right to privacy at work is not absolute. In Pay v United Kingdom the ECtHR held it was not disproportionate to dismiss an employee where public knowledge of his personal lifestyle could compromise his work with sex offenders. It was held in the recent UK EAT case of Atkinson v Community Gateway Association that an employee did not have a reasonable expectation of privacy when, having written the organisation’s email policy, he breached it by using his work email to send sexually explicit messages (see our previous post on this case). Although non-binding in Ireland, this decision shows the importance of notifying employees of IT policies and their enforcement through monitoring.
Data Protection Principles
The broad definitions given to ‘personal data’ and ‘processing’ under the Data Protection Acts 1988 and 2003 (“DPA”) means workers’ personal data obtained by monitoring and surveillance practices is covered by the DPA. Normal data protection principles apply to this data so employers must ensure they obtain and process it fairly and lawfully; it is adequate, relevant and not excessive; they keep it safe, secure and up-to-date; and they hold it for no longer than is necessary. Workers’ rights in respect of this data include the right to (i) establish what personal data is held by their employer; (ii) access this information; (iii) request the rectification or erasure of inaccurate information; and (iv) object to the processing of their personal data in certain circumstances.
Processing personal data in the context of employee monitoring may be unfair even if the worker has consented to it. Worker consent must be freely given and fully informed. However, if consent is a condition of employment it cannot be said to be freely given where an employee cannot refuse or withdraw their consent.
Employers generally rely on Section 2A(d) of the DPA to legitimise their monitoring activities. This is where an employer considers the processing of workers’ personal data through monitoring and/or surveillance as necessary for its legitimate interests. However, this legitimisation cannot override workers’ privacy rights. Therefore, any monitoring must be targeted on the area of risk taking into account the data protection principles and balanced against workers’ expectation of a certain degree of privacy in the workplace.
Extent of Monitoring
The Article 29 Working Party (“WP”), the collective body of European data protection authorities, such as Ireland’s DPC, has provided a list of questions each employer should ask before monitoring workers’ use of email and the Internet:
- Is the monitoring transparent to workers?
- Is the monitoring necessary or could the objective be achieved by traditional methods of supervision?
- Is the processing of workers’ personal data fair?
- Is the monitoring proportionate to the concerns it tries to allay?
Any monitoring must be carried out in the least intrusive manner possible and must be targeted at an identifiable risk. The WP’s view is that it would only be necessary to monitor workers’ electronic communications in exceptional circumstances, such as to (i) obtain proof of certain actions by the worker; (ii) detect unlawful activity; (iii) detect viruses; or (iv) guarantee the security of its systems. Covert monitoring and surveillance are generally unlawful.
In the absence of clear policies, workers may be assumed to have a reasonable expectation of privacy in the workplace. Therefore, employers should have policies in place notifying workers if it intends to limit workers’ privacy through monitoring and/or surveillance. These policies should be tailored according to the type and the degree of risk which the employer encounters and should be clear, accurate and readily accessible.
Having acceptable use policies will not permit an employer to ignore workers’ privacy rights and will not justify infringement of their data protection rights. However, as seen in the Atkinson v Community Gateway Association decision, an employer’s policy will be taken into account and may reduce workers’ legitimate expectation of privacy.
It’s important to keep policies up-to-date and in line with technological developments. Policies should be applied and enforced on a consistent basis so workers know the policy (i) is mandatory; (ii) requires compliance at all levels of the organisation; (iii) is enforced; and (iv) carries serious consequences if breached.