The Information Commissioner has published guidance contained in the Employment Practices Data Protection Code. This is made up of four different parts – Recruitment and Selection, Employment Records, Monitoring at Work and Information about Workers' Health.
Examples of monitoring can include:
- examining logs of websites visited to check that an individual worker is not downloading pornography;
- keeping a record of phone calls;
- a point of sales terminal which records an operator's mistakes or speed;
- checking a worker's emails.
Core principles for monitoring
- Workers have a legitimate expectation that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment.
- Workers should be aware of the nature, extent and reasons for any monitoring.
- Monitoring is often intrusive (and therefore must be justified by the benefits to the employer and others).
- Covert monitoring can only exceptionally be justified.
- Information derived from monitoring for one purpose should not be used for a different purpose.
- Where monitoring is justified, the information derived should be kept secure with limited access.
When monitoring is permitted
In order to carry out monitoring, any adverse impact on workers must be justified by the benefits to the employers and others. In order to decide whether the adverse impact is justified, the Code recommends that managers use Impact Assessments which involve:
- identifying the purpose behind the monitoring;
- identifying any likely adverse impact and the degree of intrusiveness involved;
- considering alternatives to monitoring or alternative ways of carrying it out;
- taking into account the obligations that arise from monitoring;
- deciding whether monitoring is justified.
Consent to monitoring is obviously relevant to the Impact Assessment, but is not necessarily decisive or sufficient. It is clearly advisable for employers to keep a record of any such assessment.
Where electronic communications are concerned, it may be easier to justify monitoring traffic data (the use of telephones, email or the internet) rather than content. Monitoring content is likely to be much more intrusive and therefore requires clearer justification. Workers should be aware of the nature and extent of monitoring. The senders of communications should be made aware, where possible, as well as recipients.
Managing data protection and monitoring
The Code recommends that, if employers wish to monitor electronic communications, they should put in place a policy on their use and communicate it to workers. The Code suggests some features for employers to consider integrating into such a policy. It also suggests that employers should check their existing policies and make sure that practices are not out of line with those policies, for example, where private calls are prohibited in the policy but allowed in practice.
The Code suggests that employers should not normally consider 'covert' monitoring. Covert monitoring includes any situation where it is likely that workers will not be aware that they are being monitored. Simply informing workers, perhaps at the beginning of their employment, that their activities may be monitored or recorded on CCTV will not be sufficient to prevent subsequent monitoring being covert. Specific information about the current use and extent of monitoring should be publicised and drawn to their attention. For example, it would be a breach of the Code to monitor access times to an office generated by electronic swipe cards on entry, unless workers are made specifically aware that this use is being monitored.
Covert monitoring should only be undertaken in exceptional circumstances, such as suspicion of criminal activity. Even then it should be:
- authorised by senior management;
- used to collect specific information;
- carried out within a set timeframe;
- carried out with restrictions on access and use.
It follows that covert monitoring should not be used on a random or deterrent basis. Moreover, covert monitoring should not be used in places where it would be reasonable for workers to expect to be genuinely private. It should not therefore be used in places such as toilets or private offices save where there is a suspicion of serious crime, where there should be an intention to involve the police.
The Data Protection Code sets out good practice, but has no particular legal status. The Code does not address the question of what happens if it is breached. On the face of it, the sanctions for a breach of the Data Protection Act (DPA) are wide ranging. Individuals affected can complain to the Information Commissioner who has a range of powers, including issuing Enforcement Notices and penalties of up to £500,000 for serious breaches. Alternatively they could sue in the courts for breach of a statutory tort, providing they can show damage. Faced with a complaint on monitoring, an employer who can show they take data protection seriously - by introducing a Data Protection Policy complying with the Code and by carrying out Impact Assessments where necessary - will be on much stronger ground.
In practice, the courts may allow employers who collect information in breach of the DPA to act on the information for disciplinary and dismissal purposes. However there has been little litigation on the DPA or the Code in an employment context and the position on the admissibility of such information is unclear. In any event, a major breach of privacy might lead to other serious legal consequences - for example, to a constructive unfair dismissal claim. Legal advice should be obtained in all such cases.
The Code provides good practice guidance and so reduces and minimises the risk of data protection claims. The Code does not forbid monitoring. A management which has considered the issues systematically and within the framework of the Code will still be able to monitor, and satisfy the Information Commissioner, if necessary. A key issue is likely to be whether the employer has established, documented and communicated a policy on the use of its electronic
New EU General Data Protection Regulation (GDPR)
New EU legislation was published in 2016, to take effect from May 2018. This is a complex new set of regulations which MPs have confirmed will come into effect in the UK, despite Brexit. Businesses will need to plan and prepare for the new regulations, which will see a complete overhaul of how businesses manage personal data, including that of their employees. For more information on this, please see the articles on Out-Law.com.