The Code is based on the Data Protection Act of 1998 and should be followed by every employer.
The Commissioner commented today:
"Monitoring in the workplace can be intrusive, whether examining e-mails, recording phone calls or installing CCTV cameras. Employees are entitled to expect that their personal lives remain private and they have a degree of privacy in the work environment."
He continued:
"The fundamental message is that, where monitoring does take place, employees should be made aware of its nature and extent and the reasons for carrying it out. Only in exceptional circumstances will it be appropriate for employers to monitor their employees without their knowledge."
The 1998 legislation places responsibilities on any organisation to process personal data that it holds in a fair and proper way. Failure to do so can amount to a criminal offence.
The general position is that, while the Act does not prohibit the monitoring of employees, it does place restrictions on the way that this may be carried out. Other legislation does, however, lay down rules about the interception of communications. The Code is intended to aid compliance with the Data Protection Act; it does not address compliance with other laws – which makes it difficult for an employer to navigate the monitoring minefield.
As for the Code itself, it contains guidance and is not legally binding, it contains the benchmarks that the Commissioner will use when deciding whether or not to enforce the Act. Consequently, organisations should consider its contents very carefully.
Essentially, the Act provides that the "adverse impact" of the monitoring on employees must be justified by the benefits. The Code recommends that this is best carried out by an "impact assessment". Such an assessment must consider:
The purposes behind the monitoring;
Any likely adverse impact on the employee(s) or others – such as customers;
Alternatives to monitoring, or to the type of monitoring suggested;
The obligations that will arise; and
Whether the monitoring is justified.
In considering any likely adverse impact the employer must take into account:
The likely intrusion into employees' private lives
The extent to which the employee will be aware of the monitoring
Who will see the information, which may be sensitive
The impact on the employment relationship
The impact on other professionals – e.g. solicitors – who may have confidentiality issues
How the monitoring will be perceived – e.g. will it be seen as "oppressive" or "demeaning"?
"In reality," commented Richard Thomas, "there are few circumstances in which covert monitoring is justified."
The Code makes good practice recommendations to ensure compliance with the 1998 Act. In summary these are:
Managing data protection: identify the person with compliance responsibility, and set in place a mechanism to check that procedures are being carried out.
The general approach to monitoring: monitoring is intrusive and employees are entitled to keep their private lives private. Monitoring should take place for a clear, justified purpose, and employees should be aware that it is taking place.
Monitoring electronic communications: create a policy on the use of such communication tools and let employees know what it is. Make sure that the Regulation of Investigatory Powers Act, and the Lawful Business Practice Regulations, which govern interception of e-mails, telephone calls etc, are complied with.
Video and audio monitoring: let employees, and all others who may be caught on camera, or on tape, know when this is being carried out, and why.
Covert monitoring: should be authorised by senior management, and strictly targeted. Only to be used for suspected criminal activity, where notification would hinder the detection of the activity.
In-vehicle monitoring: develop a policy on private use for work vehicles, and let employees know about it.
Monitoring through information from third parties: let employees know what sort of checks are going to be made, and why.
On the Information Commissioner's site you can find:
Data Protection Code, Part 3: Monitoring at Work;
Guidance for Small Businesses.
OUT-LAW.COM will soon be providing more information on monitoring in the workplace, in light of today's Code.