On 12 January 2016, the European Court of Human Rights (ECtHR) handed down its decision in the case of Barbulescu v Romania. The employee, Mr Barbulescu, had been dismissed for breaching his employer’s rules regarding personal use of the internet at work. In investigating the allegation against Mr Barbulescu, the employer had accessed private messages relating to personal matters sent by him to friends and family over Yahoo Messenger, an online chat service. Mr Barbulescu used the Yahoo Messenger account for both his professional and personal contacts. The question the ECtHR had been asked to consider was whether the employer, in accessing the personal communications and using them as evidence in the disciplinary proceedings that ultimately led to Mr Barbulescu’s dismissal, had been guilty of breaching Mr Barbulescu’s right to privacy under Article 8 of the European Convention of Human Rights.
The ECtHR determined that the monitoring and access to the messages, and their subsequent use, were a proportionate interference in Mr Barbulescu’s Article 8 rights, and as such there had been no breach of Article 8. The decision created quite a buzz in the media, with outlets reporting the case under headlines such as “Private messages at work can be read by European employers” (BBC) and “Bosses can snoop on workers’ private emails and messages” (Telegraph). From reading such articles you would be forgiven for thinking that this decision has given employers carte blanche to read any private messages sent by employees during working hours. However, the issue is neither new nor quite so straightforward.
Firstly, it should be noted for UK employers that the decision of the ECtHR is not binding on UK courts, but rather they are under a duty to take into account the decision. Secondly, there is pre-existing European case law regarding employees’ reasonable expectation of privacy which is not overruled by this decision, and any determination on whether an employer has acted in breach of Article 8 would need to consider the factors in those cases as well. In addition, existing legislation in the UK regarding such communications, which includes the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000, is not affected. An employer’s freedom to monitor private communications of its employees therefore remains subject to various limitations. So, what is permitted and what is not?
As can be clearly seen from the Barbulescu decision, employees do not have an absolute right to privacy at work. Employers may monitor their employees’ communications in certain circumstances, although this must generally be proportionate for the monitoring to be justified. What is proportionate will depend on the reason used to justify the intrusion into the employee’s private life, and the means of monitoring used.
There are numerous ways employers could potentially monitor their electronic communications, whether this is in respect of emails, telephone calls or internet usage. The manner and frequency of the monitoring can also be varied, for example the use of random spot checks, specific checks on individuals and automatic monitoring of email or call content. Each method, and the reason for the monitoring, would need to be considered on the facts in order to determine whether it would be a breach of Article 8.
A good starting point for any employer wishing to be able to monitor the electronic communications of its staff would be to conduct an impact assessment in order to show that they have considered and achieved the necessary balance between their employees’ rights and their need to monitor internal or external communications.
Having an electronic communications policy in place not only means that employers can expressly advise employees that monitoring may occur and the parameters of such monitoring, but the policy can also include standards and rules regarding other areas of concern, such as intellectual property, bullying and harassment, and contractual liability. It can also feed into a disciplinary process regarding allegations of misconduct or concerns about poor performance or dereliction of duties.Once the assessment has been carried out and the employer is satisfied that they have considered whether monitoring is justified and proportionate in the circumstances, the next step would be to prepare and communicate an IT and communications policy. By conducting an impact assessment and communicating the fact that employees may be monitored, an employer does not require express consent from an employee to check their communications, although any processing of sensitive personal information would remain subject to the Data Protection Act and express consent may be required in certain circumstances.
Even where a policy is in place, employers should be careful not to unnecessarily and/or disproportionately invade an employee’s privacy. They should also take reasonable steps to ensure fairness in any disciplinary proceedings arising from any breach of the policy. A failure to do so may result in allegations of unfair dismissal, discrimination and, of course, a breach of Article 8.
This article was first published on 1 February 2016 as part of our Employment Law Update series. Register above to receive our updates as soon as they are published, directly to your inbox!
This article is offered for general informational purposes only, and does not constitute legal advice. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the views or opinions of Solomon Taylor & Shaw