“Workers do not abandon their right to privacy and data protection every morning at the doors of the workplace” – so says the EU Working Party set up to consider the processing of personal data in an employment context.
There has been much hype over the course of the last few days about the European Court of Human Rights (“ECHR”) decision in the Barbulescu case. The word on the street this week is that employers now have carte blanche to go and snoop around their employees’ email accounts. However, a word of caution to employers – this is absolutely not the case!
The ECHR’s decision does not give or offer unlimited justification for employers to access, monitor, review or generally snoop around their employees’ use of computers, emails or indeed internet access and the decision is very specific to its facts.
Mr. Barbulescu was asked, by his employer, to set up a Yahoo Messenger account for the purpose of communicating with clients and contacts. Mr. Barbulescu did as he was asked and went on to use the Yahoo Messenger account for its intended purpose.
Mr. Barbulescu’s employer had in place a very clear policy which expressly stated that employees were “strictly forbidden…to use computers, photocopiers, telephones, telex and fax machines for personal purposes…”. When Mr. Barbulescu denied having used his employer’s Yahoo Messenger account for personal purposes, his employer was able to produce 42 pages of Mr. Barbulescu’s communications with his brother and fiancée.
In subsequent dismissal proceedings, Mr. Barbulescu tried to argue that his rights to personal privacy had been breached. The Romanian Courts held that his employer’s conduct had been reasonable and that the monitoring of his communications had been the only method of establishing if there had been a disciplinary breach. A view with which the ECHR agreed.
The ECHR held that Mr. Barbulescu’s employer’s actions, and specifically their monitoring of the company Yahoo Messenger account, were limited in scope and proportionate.
Tuesday’s decision of the ECHR does not change the current Irish position in relation to accessing employee communications. If an employer has a very clear policy on what an employee can and can’t do on employer devices and systems and the employee has been given that policy, an employer can access and review an employee’s use and communications but only to the extent that such access is reasonable and proportionate.
What Tuesday’s decision does is reiterate the importance of issuing clear guidelines to employees around the use and monitoring of employer devices and internet usage. The ECHR placed particular importance on the fact that the employer had a specific policy which contained a blanket ban on the use of work computers for personal purposes. This is most unusual – the reality is there are few workplaces where some element of personal use of telephones, computers, mobiles, email accounts etc is not permitted or tolerated. The ECHR also placed importance on the fact that the employer had accessed the Yahoo Messenger account in the belief that it contained only work-related messages. Thus the access was reasonable and not excessive.
Employees in Ireland, and all over Europe, are entitled to a reasonable expectation of privacy including in the workplace. This entitlement is enshrined in common law, under statute, in the Irish Constitution and in the European Convention on Human Rights. It is an expectation and a right which has been upheld time and time again.
That expectation of privacy can sometimes be limited and narrowed, but only in very limited circumstances. So, our top tips to employers are:
- Think about who your employees are, what they do, why they do it and what equipment/access to systems they need to do it
- Think about whether it is actually practical or workable to try to prevent employees from using any employer devices or systems for personal purposes
- Have a policy and spell out what you are prepared to tolerate, when, how and to what extent
- Include a right to monitor usage but bear in mind that any monitoring should be reasonable, proportionate and not excessive
- Only monitor when such monitoring would be considered reasonable and proportionate in all of the circumstances
- Do not snoop and do not access anything which is clearly marked personal unless you have reason to do so
- Make sure your employees are aware of and familiar with your policy and remind them of it regularly