The extent to which employers can monitor the use of their telephone, email and internet services by their employees is a controversial issue. Monitoring is important for quality control, crime prevention, regulatory/ self-regulatory compliance and many employers are keen to appreciate the extent to which the services they provide are being used by their employees for personal use rather than work.
In the recent European case of Copland -v- the United Kingdom (3 April 2007, European Court of Human Rights), Ms Copland, an employee of Carmarthenshire College, successfully brought a claim against the UK that her right to privacy under Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (the "Convention") had been violated by her employer monitoring her telephone calls, emails and internet usage.
Ms Copland was employed as a personal assistant to the Principal of Carmarthenshire College and worked closely with the Deputy Principal. During her employment Ms Copland's telephone, email and internet usage were subject to monitoring at the Deputy Principal's request. The UK government (as defendant in the case) stated that this monitoring occurred to check whether Ms Copland was making excessive personal use of the College's services.
The monitoring involved an analysis of telephone bills, website addresses visited and email addresses together with times and dates of each communication made. The monitoring did not extend to interception (see below). At the time that the monitoring occurred there was no policy in force at the College for monitoring telephone, email or internet use by employees.
The ECHR upheld Ms Copland's right to privacy under Article 8 of the Convention holding that telephone calls and emails sent from business premises, and information derived from the monitoring of personal internet usage are covered by the notions of "private life" and "correspondence" in Article 8. The Court found that the collection and storage of personal information on the employee though monitoring without her knowledge could amount to an interference with her private life. Ms Copland received damages for non-pecuniary damage.
The monitoring of Ms Copland's telephone, internet and email use took place in 1999, prior to UK legislation in this area.
Monitoring of communications in the workplace is governed in England by the Regulation of Investigatory Powers Act 2000 ("RIPA") and Telecommunications (Lawful Business Practice) Regulations 2000 (the "Regulations"), both enacted after the monitoring in Copland. RIPA provides for the regulation of, amongst other things, interception of communications.
Under RIPA it is unlawful for a business to intercept an electronic communication on its or any other system (subject to exceptions). Exceptions include:
- Where the interception is necessary for the operation of the communication service itself (e.g. to test the line).
- Where both parties (sender and recipient) have consented to the interception.
- When the employee has not consented but the employer is acting within the scope of the Regulations, which were made under RIPA.
An "interception" of a communication occurs when, during the transmission of the communication, someone other than the intended recipient or sender accesses the communication. An interception would occur for example where someone listened into a telephone conversation or where emails were opened by an employer before the email was opened by its intended recipient.
Under the Regulations employers can record or monitor employees' communications (intercept) without consent of either the employee or the other party to the communication, where the interception is for the purpose of monitoring business related communications. For example, interceptions are permitted "to prevent or detect crime, to investigate or detect unauthorised use of telecommunication systems or to secure, or as an inherent part of, effective system operation". Employers can also intercept received communications to establish whether they are business or personal.
Interception is not allowed if it is carried out with the purpose of gaining access to employee's personal communications. Interception of purely personal communications is prohibited unless it is incidental/ unavoidable. Interception to monitor (but not record) whether an electronic communication is business related is allowed, for example it is permissible for an employer to intercept an email whilst an employee is on holiday to check whether it is a business communication requiring attention in the employee's absence.
These activities are permitted under the Regulations for business purposes only if the employer has "made all reasonable efforts" to inform users that their communications might be intercepted. For example this could be done in a contract of employment.
What if it is not an interception?
An action is not an interception if it does not occur during the transmission of the communication. For example accessing a stored collection of emails on a server which have already been received and opened or deleted by the intended recipient is not an interception and does not fall within the Regulations. Such employer monitoring should however be governed by an appropriate policy, to ensure transparency for employees.
"Traffic data" such as the email addresses of the sender and recipient(s) or a telephone number dialled can always be lawfully recorded.
In monitoring, employers must have regard to the Data Protection Act 1998 in respect of any personal data of employees collected, stored or used. The exceptions afforded to employers for interceptions by the Regulations are not exemptions from that Act. Application
In practice, to monitor communications employers must have a clear telephone, email and internet use policy which is readily available and brought to the attention of all users of the system, including temporary employees and contractors. Employers should ensure that monitoring is for a business specific purpose that is clearly communicated to the employees.
The telephone, internet and email policy should make clear the business' position on the use of the systems for personal use and explain (if it is to be the case) that the employer will monitor and may intercept communications. In addition it must be consistently applied to all users. In Long -v- SP Dataserve Ltd an employee successfully claimed unfair dismissal following dismissal for abuse of the employer's email system when the policy stated "limited and reasonable personal use" was allowed but it was unclear within the business what this meant and different managers applied the policy in different ways.
Impact of Copland
In Copland the Court would not exclude that "the monitoring of an employee's use of a telephone, email or internet at a place of work may be considered "necessary in a democratic society" in certain situations in pursuit of a legitimate aim". Since the time of the monitoring in Copland, RIPA, the Regulations and the Human Rights Act ("HRA") have come into force in England. The HRA requires courts to read legislation in line with the Convention.
Therefore, there is a good argument that employer interceptions are not in contravention of Article 8 and it seems unlikely that it would be open for an employee to successfully challenge an interception on the grounds of human rights within current domestic Law, provided the employer falls within the Regulations or another RIPA exception. It should also be noted that only an employee of a public body or quasi-public body could rely on the HRA or Convention to bring a breach of privacy claim. To aid transparency and for fairness as well as ensuring employers have made "all reasonable efforts" employees should be made aware of the employer's telephone, email and internet use policy and how it is policed.