The laws relating to monitoring your employees
This article is based on UK law. It was last updated in
September 2008
Introduction
This article covers the monitoring of employees by intercepting
email, telephone and internet use, the use of CCTV, in-vehicle
tracker systems and automated decision making in the context of the
Data Protection Act 1998. (See also: An
introduction to monitoring employees.)
With employee access to the internet and external email networks
quickly becoming the norm, employers are becoming increasingly
concerned with monitoring the activities of their employees at
work. Within certain constraints, employers are vicariously liable
for the actions of their employees, and many employers feel that
giving employees access to the internet and email increases their
chances of incurring liability, for example, for sexual
harassment claims or for defamatory statements made on email
networks. Employers are not only concerned with their potential
liability to third parties but also with the potential to become
the target of fraud. Breaches of security or confidentiality are
also of concern.
These concerns have led to a tightening of email policies and
many companies have sacked employees for misusing internet and
email systems in breach of such policies.
Technology allowing employers to monitor every movement of their
employees is readily available: tiny CCTV cameras can watch
employees from air vents, every key stroke an employee makes can be
logged by desktop software, emails can be intercepted, telephones
can be tapped and the movements and use of company vehicles can be
tracked.
However, employers who decide to monitor their employees must
have regard to the legislation and guidance which limits the
scope of a "Big Brother" style approach. The Human Rights Act 1998,
the Regulation of Investigatory Powers Act 2000 (known as RIPA) and
the Telecommunications (Lawful Business Practice) (Interception of
Communications) Regulations 2000 apply. There is also guidance from
the Information Commissioner on employment practices and
monitoring.
Monitoring under the Data Protection Act 1998
Monitoring
Employers have various reasons for using CCTV, intercepting calls
and emails, and monitoring internet use. CCTV is used for the
purposes of training or for security, for example, at petrol
stations and in shops where staff and goods may be at risk.
Telephone calls to call centres are often recorded for training
purposes. These examples are not likely to require the use of
covert surveillance.
Employees and the public are usually notified that CCTV is in
operation by notices and employers will not usually have a problem
with telling employees that telephone calls are monitored for
training purposes. Employees are also unlikely to object to such
monitoring. However, it is where the behaviour of employees is the
target of monitoring that the matter becomes more complex. The
question of employee monitoring brings data protection and human
rights issues into play.
The use of CCTV, telephone, email and internet monitoring of
employees will be covered by the Data Protection Act 1998 if they
involve the processing of information by automated means from which
a living individual can be identified. For the purposes of the Act,
the employer is a Data Controller and must adhere to eight
principles set out in the Act. The employer must inform employees
that processing is taking place and comply with the conditions of
the Act in relation to personal data and in relation to sensitive
personal data. For example, personal data relating to the
commission or alleged commission of an offence is sensitive
personal data, which is exactly the kind of information an employer
is likely to want to monitor.
Informing employees, processing fairly
The requirement to inform employees about monitoring is only
excepted in limited circumstances. This requirement can be
achieved by publishing a corporate policy which is circulated to
employees, and/or posting notices/signs in places where monitoring
takes place.
Rights and remedies
Under the Data Protection Act, employees who are being monitored
in a way which involves processing their personal data can require
the employer to cease or not to begin the monitoring. The employee
can use this right if the processing is causing or is likely to
cause substantial damage and distress to the employee or any
other person. The damage or distress must be unwarranted. An
employee who suffers damage or distress can also claim compensation
under the Act for a breach of any requirement of the Act. The
employer has a defence to a compensation claim if it took such care
as was reasonably required in all the circumstances to comply
with the Act.
The Employment Practice Code (the Code)
In June 2005, the Information Commissioner's Office
launched a new version of the guide on data protection at the
workplace. The new Code is more user-friendly, and incorporates and
updates all four individually published parts of the previous Code
of Practice on the Use of Personal Data in the Employer/Employee
Relationships. The Code applies to systematic and occasional
monitoring. The key message is that covert monitoring of employees
can rarely, if ever, be justified. Employees should be told if they
are being monitored. The Code states that employees have a right to
respect for their autonomy and privacy in the workplace and to
expect a degree of trust from their employers. Any intrusion on
this privacy and autonomy must be in proportion to the benefits of
the interception to a reasonable employer. Less intrusive
alternatives should be considered where available.
In relation to the recording of telephone conversations, the
Code requires employers to make all staff and other parties to
telephone conversations aware that interception is taking place, and
says that employers should only monitor the content of calls where an
itemised call record is insufficient for the employer's purposes.
The Code also provides specific guidance on the use of video and
audio monitoring. CCTV should not be used to monitor the employee's
compliance with their employment contract. The Code recommends that
the routine monitoring of employees by CCTV is only likely to be
justified in circumstances where there are particular safety or
security risks that cannot be dealt with by a less intrusive means.
In particular, CCTV operations should not involve the random
selection of employees for surveillance. Under this guidance
employers must ensure that not only employees are made aware of the
operation of CCTV but also any other people who are likely to be
caught, such as visitors. Covert monitoring by CCTV or other
interception of communications may only take place if the following
exceptional circumstances apply:
- the monitoring relates to behaviour, not to contract
performance;
- it is carried out to investigate a suspected criminal activity
or malpractice; and
- informing staff is likely to prejudice the above purpose and
certain standards for covert monitoring are complied with.
The standards relating to covert monitoring are satisfied
if:
- specific criminal activity has been identified;
- a need to obtain evidence by covert monitoring is
established;
- following assessment, it is concluded that informing employees
would prejudice the gathering of evidence;
- a time period for monitoring has been identified; and
- the provisions of RIPA are complied with.
The employer should document the decision making process
when it decides to monitor its employees to provide evidence that
the conditions in the Code are satisfied. This is especially
important given the Human Rights Act 1998. If an employee feels
that his or her privacy has been infringed, he or she may claim
constructive dismissal for breach of the implied duty of trust
between employer and employee. In such a case, the employer must
prove that it acted proportionately and that the invasion of
privacy was justified. Documenting the decision making process and
following the guidance in the Code will go far in helping the
employer's case. Employers must use the information which is gained
through the covert monitoring only for the prevention or detection
of the criminal activity at which the monitoring was directed.
Importantly for the privacy of employees, the Code recommends
that any other information collected in the course of covert
monitoring must be disregarded unless it relates to criminal
activity or equivalent malpractice.
Even where the above conditions for covert monitoring are
satisfied, employers must not monitor employees in locations where
employees have a reasonable expectation of privacy. The Code gives
cloakrooms, toilets, vehicles and even private offices as examples
of places where employees are entitled to a reasonable expectation
of privacy. If an employer feels that monitoring employees in such
locations is justified, then it should only do so with the
involvement of the police. CCTV is a particularly intrusive method
of monitoring employees and the Code draws a clear line between the
investigatory powers of the employer and the role of the police.
Where the employee has a reasonable expectation of privacy at work
it may only be intruded upon by CCTV monitoring where the
circumstances are such that a full police investigation is
justified.
As regards in-vehicle monitoring, the Code provides that where
private use of a company vehicle is permitted, monitoring of its
movements during such private use will rarely be justified, and the
monitoring system should be capable of being deactivated during
such use.
Summary
To reiterate the provisions of the Data Protection Act, in
obtaining personal data by CCTV or otherwise, the employer must
comply with all the data protection principles. This means:
- obtaining the data fairly and lawfully;
- informing employees of the types of monitoring that are being
used;
- using the data obtained from monitoring only for a specific
purpose;
- limiting the data to adequate and relevant data; and
- not holding the data for longer than necessary.
The employer should inform employees of the CCTV operation, its
purpose and of any likely recipients of the footage. This can be
done by publishing a corporate policy of required behaviour.
Automated decision making
Employees' performance is often monitored through software
designed to count the amount of time spent at a workstation or the
number of keystrokes per minute. Under the Data Protection Act
1998, an employee has the right to require that no decision which
significantly affects him is taken solely on the basis of automated
processing of personal data. Furthermore, where such a decision has
been made, the data controller must notify the employee, who may
then require the employer to take the decision again.
However, certain decisions are exempt from these provisions. For
example, if the decision is taken in the course of steps taken for
the purpose of considering whether to enter into a contract with
the employee, it will be exempt, provided that steps have been
taken to safeguard the legitimate interests of the data subject,
e.g. a right of appeal. This area is complicated and it is
recommended that you seek advice on your particular
circumstances.
Interception and RIPA
The Regulation of Investigatory Powers Act (RIPA) came into
force in October 2000 and has added to the difficulties of
interception of communications for employers.
Under RIPA, employers are restricted in their interception of
communications which take place on private and public networks as
long as the private network is connected to the public network. It
covers the interception of telephone calls, email and internet
use.
On a public network, it is an offence to intercept any
communication without lawful authority. Lawful authority can be
obtained by the issue of a warrant under RIPA or the Lawful
Business Practice Regulations, which came into force on the same
day.
On a private network, it is an offence for someone who does not
control the system, or have express or implied consent from the
person who does, to intercept communications. An employer who controls the
system will be open to a civil action from either party to the
communication if it intercepts communications without either:
- reasonable belief that both parties to the communication
consent to the interception; or
- lawful authority.
This includes communications made on a public system which are
sent to, or received from, a private system. Therefore, RIPA
applies to internal telephone calls and emails on an employer's
internal network as well as calls and emails that enter and leave
the internal network via a public service.
Under the Lawful Business Practice Regulations, interception is
'authorised' for the purposes of RIPA in the following
circumstances:
- monitoring business communications to ascertain whether
business standards and procedures are being complied with and
establishing the existence of facts;
- national security;
- preventing or detecting crime;
- detecting unauthorised use; or
- charitable help lines.
These provisions are designed to strike a balance between the
privacy of individuals and the need for businesses to get the
maximum benefit from their investment in telecommunications
technology. After the consultation in relation to the Lawful
Business Practice Regulations, the main concerns of businesses were
that they wanted to ensure the effective operation of their systems
and be able to intercept to protect against viruses and to route
traffic.
Businesses also wanted to gain access to business
communications, for example, to allow colleagues to check emails
during the absence of employees. Businesses also expressed concerns
about the cost of implementing quality control monitoring if they
were required to obtain consent from each caller. As a result of
the consultation, businesses may now monitor for purposes such as
staff training without obtaining consent from customers as long as
every reasonable effort is made to inform them.
Another concern of businesses was the ability to monitor
communications in order to detect unauthorised use. This is
provided for in the Regulations and the response to the
consultation advises employers to circulate notices explaining what
is or is not authorised. Again, this demonstrates the importance of
having a published policy.
Finally, businesses argued that a proportionality test should be
applied to interception by employers to ensure that interception
activities would be in proportion to the requirement for
interception. However, the final Regulations did not include such a
test since it was thought that this test might lead to
uncertainty.
Under the Regulations the interception must always be:
- in connection with the employer's business; and
- on a telecommunications system provided wholly or partly in
connection with the business.
In addition, employers must make all reasonable efforts to inform
employees or other callers of the possibility of interception or have
grounds to believe that callers are aware of the possibility.
However, merely informing employees of the fact of interception
may not be enough. The Lawful Business Practice Regulations only
apply to business communications and do not legitimise interception
of personal communications. To intercept personal communications,
the employer must fall back on RIPA and obtain consent from both
parties or have reasonable grounds to believe that both parties
consent. Employers must also respect the privacy of their
employees. Guidance from the Home Office in a Circular in 1999
warns that it is not reasonable to expect that employees will never
be contacted for domestic reasons or have reasons to make personal
calls even though informing employees of the possibility of
interception may remove the expectation of privacy.
Communications policies
Employers should have an adequate policy in place which
describes the employer's policy and procedures for all
communications and compliance. This will help to clarify where an
employee has a legitimate expectation of privacy.
Having a clear and fair policy on the use of the telephone,
internet and email at work is advisable in the light of
cases in which failure to implement an IT policy led to
the conclusion by the Employment Tribunal that a summary dismissal
was unfair. The best way to approach the issue of such a policy is
to publicise it and make it clear that non-compliance will lead to
disciplinary action.
The Code of Practice advises employers to establish policies on
the use of electronic communications which set out clearly how
employees are authorised to use the employer's systems for private
communications. Although this advice goes beyond the requirements
of the Act, having a policy is consistent with the requirements of
the Act and is considered good practice by the Commissioner. Having
a policy on communications is a practical method of dealing with
the issue of information and consent. If an employer establishes
the practice of circulating a policy to every employee stating the
circumstances in which monitoring will take place, this will
satisfy the requirement to inform employees for the purposes of the
Data Protection Act and the Lawful Business Practice Regulations.
The employer may also incorporate a return slip at the end of the
policy which employees should sign and return indicating their
consent.
However, employers must be careful how they word the policy and
ensure that they put the policy into practice since if the stated
policy differs from the employer's practice, employees may be led
into false expectations that their communications are private.
Conclusion
Employers who monitor their employees must bring their
activities within the legislative framework and conduct their
activities with a respect for the privacy of their employees. The
visions of a Big Brother society have become a technical
possibility. However, protections are afforded to individuals
and employers must ensure that those protections are
implemented.
Disclaimer: We hope you find OUT-LAW’s content useful. It’s prepared by the lawyers at Pinsent Masons. Please remember, though, that it’s intended as general information only. It’s not legal advice.