Monitoring employees is not a new phenomenon, yet it continues to give rise to difficult and often conflicting issues requiring careful consideration on a case by case basis. While the law allows employers to monitor its employees, there are limitations to how and when an employer may do so, writes Shaun Hogan, Associate at Stevens & Bolton LLP.
Why monitor emails
There are several reasons an employer might wish to monitor its employees’ use of emails at work. For example, excessive use of work time for personal matters can lead to performance concerns; emails can be used to transmit confidential information; can inadvertently create contractual obligations; can jeopardise the integrity of IT security and can be the source of grievances and employment claims due to allegations of harassment at work.
Monitoring emails may not altogether avoid some of the issues above, but it can help highlight problems before they escalate, giving the employer time to begin remedial action as soon as possible.
The legal framework
As the breadth of monitoring techniques has widened, so has the legal framework governing such monitoring. The result is a complex legal environment in which employers must operate. Legislation which must be considered includes:
- The European Convention on Human Rights (“ECHR”), as incorporated in the UK by the Human Rights Act 1998;
- The Data Protection Act 1998 (“DPA”);
- The Regulation of Investigatory Powers Act 2000 (“RIPA”); and
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (“Telecommunications Regulations”)
Other legal considerations may come into play, such as the implied term of trust and confidence and discrimination legislation, if the employee considers that they are being unfairly or discriminatorily targeted.
Article 8(1) of the ECHR entitles everyone to respect for their private and family life, their home and their correspondence. However, this is not an absolute right and the law has developed to recognise that a balance must be struck between the interests of the individual and the rights and freedoms of others more generally.
In the employment context, this has come to mean that although employees will generally have a reasonable expectation of privacy in their communications (unless notified to the contrary – see below), interference with that privacy can take place provided that it is carried out in accordance with the law and is proportionate.
Employers therefore need to ensure that they comply with the above legislative framework in order to avoid breaches of the right to privacy. They also need to consider the effect of the proposed monitoring on employees and the benefit gained by monitoring to ensure that it is proportionate. Employers should think through the aim to be achieved by monitoring and whether there is a less intrusive way to achieve it. If there is a less intrusive method, this should be used instead.
Monitoring emails will engage the DPA as it will involve the processing of personal data. Employers must therefore comply with the 8 data protection principles set out in the DPA. These include (amongst others) requirements for personal data to be:
- processed fairly and lawfully;
- obtained and processed only for specific lawful purposes;
- adequate, relevant and not excessive for the purposes; and
- processed in a manner compatible with the employee’s rights under the DPA and with appropriate measures in place to protect against unauthorised or unlawful processing.
As with the ECHR, in order to comply with the DPA, employers must satisfy a proportionality test requiring the monitoring to be carried out for a reason which is sufficient to justify intrusion into the employee’s private life and for the method of monitoring to be appropriate in the circumstances.
RIPA and the Telecommunications Regulations
The provisions of RIPA and the Telecommunications Regulations govern the interception of emails before they reach the intended recipient. They provide that in certain circumstances (including where the individuals have given consent, or where the interception is needed to detect crime or unauthorised use of the telecommunications system), such interceptions may be lawful.
Consequences of unlawful monitoring
Breaches of the relevant legislation can lead to claims for damages and criminal prosecutions. Further, employees who have been the subject of unlawful monitoring may resign and bring claims of constructive unfair dismissal on the basis of a breakdown in trust and confidence. If monitoring has led to an actual dismissal (for example due to misconduct in the use of emails), whether the monitoring was lawful could affect the fairness of such a dismissal in an unfair dismissal claim.
Aside from the legal consequences, unlawful monitoring has the potential to cause reputational damage to the employer both internally and externally. It is therefore essential that employers comply with their obligations.
Practical tips to implement monitoring
It is recommended that employers carry out an impact assessment prior to monitoring emails to help demonstrate that they have considered the balance between intrusion into employees’ private lives and the legitimate interests of the business. Such an impact assessment should identify the aims to be achieved by monitoring, the type of monitoring to be implemented and consider whether there are any less intrusive ways to achieve the aims.
Central to compliance with the legislation is warning staff that monitoring will or may take place. This usually involves introducing an electronic communications policy, which should set out how the employer’s IT systems may be used (including the extent of any acceptable personal use) and state that inappropriate use may lead to disciplinary action being taken. The policy should also set out who will have access to the information obtained through monitoring and should explain the employee’s right to access such information. As a minimum, the policy should be brought to the attention of employees both at the start of employment and when any changes are made.
Information collected through monitoring should be held securely and only for so long as is necessary. Those individuals who have access to the information should be limited and should be given training where appropriate to minimise the risks of unauthorised use.