Earlier this month, intimate photos of a number of high profile celebrities found their way onto the internet, apparently due to their iCloud accounts being hacked. The hack made headlines across the world, and prompted concerns about the protection of privacy. In the age of cloud storage and electronic communication, the right to privacy can become blurred and can be very easy to breach. This can be particularly true in the case of employers monitoring email and internet usage by employees.
It is generally accepted that workers’ private lives will on occasion extend into the workplace, and employees are entitled to have a reasonable expectation of privacy at work. Article 8 of the European Convention of Human Rights provides that every individual has the right to respect for their private and family life, their home and their correspondence. In the case of monitoring an employee’s telephone, email or internet usage, the European Court of Human Rights has held that Article 8 is infringed if the employer undertakes such monitoring where there is no IT usage policy in place and/or the employee has not been advised that their usage may be monitored.
In addition, employers must be careful that they do not breach the Data Protection Act 1998 when processing their employees’ personal data. This includes ensuring that any processing of data (which may include internet and email usage) is adequate, relevant and not excessive, and that measures are in place to respond to requests by employees to access the records and results of such monitoring.
The Information Commissioner has published a Data Protection Employment Practices Code, which recommends that, where monitoring is necessary, employers should carry out an impact assessment. Employees should be given information about the monitoring if it is to take place, and the number of staff to have access to the information obtained through that monitoring (which should be kept secure) should be limited insofar as is possible.
Employers should also consider whether the reason for the monitoring is sufficient to justify an intrusion into an employee’s private life, and whether the means of monitoring employees are proportionate to meet that need. In particular, employers should consider if there are less intrusive methods to monitor internet and email usage. For example, random and occasional spot-checks may be more appropriate than monitoring usage on a continual basis. Automated monitoring (for example filters that automatically block emails containing obscene language) may be even less intrusive, if somewhat imperfect.
Employers wishing to monitor their employees’ electronic communications may also need to be careful of breaching the Regulation of Investigatory Powers Act 2000 (“RIPA”) and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (“Telecommunications Regulations”). RIPA regulates certain types of monitoring and may render such monitoring unlawful in certain circumstances. Obtaining consent is the main way in which communications can be lawfully intercepted under RIPA, although the Telecommunications Regulations provide for circumstances where it may be lawful to intercept communications without an employee’s consent in a business context. This does not avoid the need to communicate to the employee that the interception may take place.
Accordingly, the simplest way for an employer to ensure that they may monitor email and internet usage is to have an IT policy in place which states that monitoring may take place. This may be available electronically or in a hard copy staff handbook, but the employee must have been advised about the policy. Ideally, the employee’s contract of employment should make reference to the policy (including a provision that the employee will abide by the policy) and the employer should obtain an acknowledgment from the employee that they have seen the policy. Some employers go as far as having pop-up messages on starting up email inboxes or internet browser pages that link to the policy and require the employee to confirm their acceptance of the policy in order to continue. This will then provide the evidence that the employee knew that monitoring may take place, although it is still recommended that employees are advised of any focused monitoring that may take place.
Electronic communication policies can also be a useful tool to remind staff of the behaviour expected of them online (such as not looking at inappropriate websites or sending abusive messages), and can include advice in respect of using their own social media accounts. It can also advise staff on the risks that email use and internet access can pose to the business, including the risk of viruses, intellectual property and confidentiality breaches, and loss of productivity.
Do you need an IT policy put in place for your employees, or would you like to ensure that your existing policies are appropriate? Please feel free to contact us.
This article was first published as part of our Employment Law Update - September 2014. Register above to receive our updates as soon as they are published, directly to your inbox!
This article is offered for general informational purposes only, and does not constitute legal advice. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the views or opinions of Solomon Taylor & Shaw.