Watching brief
Employers monitor their communication systems for a variety of reasons, including the protection of data and intellectual property. They’re at risk because they’re also liable for the actions of their employees when tasks are performed during normal hours of work.
Many employers take the view that, although affording employees access to the Internet and external e-mail facilities has benefits (among them increased productivity and efficiency), it has also increased the potential for problems.
A recent case tried in the European Court of Human Rights should act as a sharp reminder to employers of what happens when employee monitoring ‘goes wrong’. The UK Government was ordered to pay GB pound 2,400 in damages and GB pound 4,780 covering legal costs when a Welsh college unlawfully monitored the Internet, telephone and e-mail use of an employee.
The actual interference with Ms Copland’s privacy came about before the implementation of the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. Along with the Data Protection Act 1998, these laws provide a regulatory framework for monitoring communications in the workplace.
The monitoring of Ms Copland’s telephone, e-mail and Internet usage was considered a breach of her Human Rights, in particular the right to privacy of communications. It was irrelevant that the college was entitled to receive the information it used to monitor her. Nor was it relevant that the information wasn’t used in disciplinary proceedings. Ms Copland only needed to prove the college collected and stored information on her telephone, e-mail and Internet use without her consent (and thus interfered with her private life). For its part, the college didn’t have an employee monitoring or communications policy in place.
This decision is a clear reminder that employees’ telephone calls, e-mails and Internet access are afforded protection under Human Rights legislation. Employers must tread carefully – simply informing employees that monitoring is taking place doesn’t allow carte blanche monitoring to occur.
Employee monitoring is a minefield for employers, so what should they do to protect themselves? The hints and tips that follow overleaf are based on a communications policy which permits limited personal telephone, e-mail and Internet usage.
Clear policy, often stated
The company’s communications policy should stipulate the exact level of permitted personal use and possible consequences for failure to comply. Ensure that all existing and new employees are aware of – and sign up to – this policy prior to accessing any internal communication systems.
More and more employees now have personal ‘blogs’ or web sites, such as can be found on MySpace or Bebo. These are a potential minefield of liability for employers, and clear policies must be in place to deal with them (maybe stating that updating personal blogs at work is prohibited due to the risk of the employer being associated with the blog).
Policies should also specify that employees’ personal blogs or web sites (which are created outside business hours) should not make any reference to the employer, disclose any confidential business information or belittle/harass any colleagues or line managers.
An employer should regularly remind employees of the communications policy by sending updates via e-mail, the Intranet or newsletters and, if necessary, provide training on correct e-mail, Internet and telephone use.
Simply making sure all employees sign up to the communications policy when they begin their employment may not be enough to satisfy an Employment Tribunal if that policy is relied upon to dismiss an employee.
Compliance with the DPA
Employers wishing to comply with their obligations under the Data Protection Act (DPA) 1998 should:
- ensure that the policy is comprehensive and covers the nature, extent and reasons for the monitoring that takes place;
- ensure that employees are informed when information is being obtained, how it will be used and to whom it will be disclosed;
- restrict access to the personal information collected via monitoring to a limited number of people and ensure they are aware of their obligations under the Data Protection Act;
- have appropriate security measures in place to prevent unauthorised access or disclosure.
Always conduct an impact assessment prior to monitoring. An Employment Practices Code was published by the Information Commissioner which provides Best Practice guidance for employers in relation to Data Protection in the workplace. Part 3 of that Code recommends employers must ensure that any monitoring is reasonable and proportionate, and that they should undertake an impact assessment prior to introducing a communications policy.
The impact assessment need not be detailed. Indeed it could simply be a mental evaluation, though a written record would be useful if a complaint arose. The impact assessment may deduce, for example, that there are alternative technical means for monitoring which will have less impact on employees’ liberty (for instance monitoring traffic data rather than content).
Lawful business practices
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 were introduced to provide a statutory framework whereby employers could lawfully monitor communications on their own communications systems provided the monitoring falls under one of the lawful purposes set out in the Regulations.
These purposes are to establish the existence of facts, ascertain compliance with internal/external practices/policies, ensure the system is operating effectively, protect national security or detect/prevent crime, the framework for confidential counselling, detecting unauthorised use of the system and determining whether the communications are relevant to the business.
Any business that wishes to monitor its communications under the Lawful Business Practice Regulations must make reasonable efforts to inform every person involved that communications may be monitored. Individuals could be informed via an e-mail disclaimer, web site terms of use or via a pre-recorded message at the beginning of every telephone call (if appropriate).
Don’t view personal items
It’s generally recognised that the Lawful Business Practice Regulations don’t allow the monitoring of non-business related communications, except to initially ascertain whether the communications are in fact business related.
For this reason, employers should not view communications which the employee has clearly marked as ‘Personal’ in the subject heading or filed in a folder designated ‘Personal’. Employers should encourage employees to adopt these practices and, likewise, employees should encourage anyone who might be sending them personal communications to also mark e-mails as ‘Personal’ in the subject heading.
Part 3 of the Employment Practices Code also deals with the use of CCTV. If CCTV is used in the workplace or surrounding buildings, employers should ensure that there are clear signs stating the nature, extent and reasons for any CCTV monitoring. Covertly monitoring employees inside or outside the workplace (for example by using hidden CCTV cameras) will amount to a breach of the Human Rights Act 1998, unless serious criminal activity or malpractice is suspected (ie it would merit police involvement, involve gross misconduct or jeopardise the safety of others).
If malpractice/criminality is suspected then covert CCTV monitoring may only be used:
- when a written assessment has been carried out and a conclusion reached that overt monitoring would prejudice the investigation;
- when it’s authorised by senior management;
- when it is targeted to the relevant individual(s) with any irrelevant information deleted;
- provided it’s not carried out in areas where there’s an expectation of privacy (in rest rooms or locker rooms, for instance), unless in response to a serious incident or crime which is specifically identified;
- provided it’s not carried out for any longer than is necessary, and within a set timeframe.
There’s a risk that material obtained from covert monitoring will not be admissible as evidence due to a breach of the individual’s right to privacy. On occasion, such evidence has proven admissible.
Address breaches consistently
Employers should address any breaches of their communications policy consistently to avoid allegations of discriminatory enforcement. For this reason, it’s also important to have clear evidence of an audit trail of all monitoring which has taken place.
Failure to consistently enforce a communications policy runs the risk that an Employment Tribunal might deduce that waiving previous breaches of the policy meant the policy could no longer be relied upon, and that a dismissal for any breach of it was unfair.
If an employer’s existing communications policy hasn’t been consistently enforced, it may be worthwhile updating that policy and informing employees that the revised procedures will be consistently enforced.
Aonghus Martin is a solicitor in the Technology Group at international law firm Eversheds LLP (www.eversheds.com)
IFSEC Insider