Employee monitoring: the law
Section two of the Personnel Today Management Resources one stop guide on employee monitoring, covering: checking compliance with legal requirements; and keeping line management and senior management informed.
Use this section to:
Check your organisation's compliance with legal requirements
Inform line managers and respond to queries on monitoring staff
Make presentations to senior management on compliance
Legislation governing employee monitoring includes:
The European Convention on Human Rights/The Human Rights Act 1988
The Regulation of Investigatory Powers Act 2000 (RIPA)
Data Protection Act 1998
Lawful Business Practice (Interception of Communications) Regulations 2000
The Obscene Publications Act 1959
The Protection of Children Act 1988
The Criminal Justice Act 1988
The Copyright, Designs and Patents Act 1988
Q. Are we legally allowed to monitor our employees?
A. Yes, the Data Protection Act 1998 (DPA) does permit monitoring. It may even be necessary to satisfy the Act's requirements in some cases. But monitoring must be carried out according to the DPA's common-sense principles of reasonableness, transparency and respect. Employees should be consulted where possible and should be made aware of the nature and extent of monitoring and the reasons for carrying it out.
Q. What is the Employment Practices Data Protection Code and how does it relate to monitoring employees?
A. Part three of the Employment Practices Data Protection Code on Monitoring at Work sets out recommendations for best practice and compliance with the DPA with regard to monitoring employees, aiming to strike a balance between the needs of employers and the rights of employees.
Q. What changes have recently been made to the code?
A. The code on monitoring was revised last year to make it clearer, more workable and less prescriptive. Changes included a move away from ordering employers to carry out an impact assessment to see if monitoring is justified. The new code simply says this is good practice. Changes were also made to the section on covert monitoring. Previously, the code granted this only on suspicion of criminal activity; it has now been extended to include other 'equivalent malpractices' such as racial or sexual harassment.
Q. Is the code legally binding?
A. No, it is not: any enforcement action against an employer will rest on their failure to meet the requirements of the Act itself. But relevant parts of the code are likely to be cited by the Information Commissioner in any action taken against an employer, particularly as the law on privacy remains largely untested.
Q. What monitoring activities are covered by the code?
A. The following activities are covered:
Gathering information through point-of-sale terminals to check efficiency of individual supermarket check-out operators
Recording the activities of workers by means of CCTV cameras, either so the recordings can be viewed routinely to make sure health and safety rules are being complied with or to check workers in the event of a health and safety breach coming to light
Randomly opening up individual workers' e-mails or listening to their voicemails to look for evidence of malpractice
Using automated software to collect information about workers, for example to find out whether particular workers are sending or receiving inappropriate e-mails
Examining logs of websites visited to check that individual workers are not downloading pornography
Keeping recordings of telephone calls made to or from a call centre, either to listen to as part of workers' training or for records in case of customer complaints
Systematically checking logs of telephone numbers called to detect use of premium rate lines
Videoing workers outside the workplace, to collect evidence that they are not, in fact, sick
Obtaining information through credit reference agencies to check workers are not in financial difficulties.
Q. Is there a separate code on CCTV?
A. Yes. The Information Commissioner has issued a code of practice setting out good practice and legal compliance requirements in use of CCTV.
Q. Does the code affect all employers?
A. It affects all employers who carry out workplace monitoring which goes beyond one individual simply watching another. Although there is no single definition of monitoring, it can include taping phone calls for training purposes or checking e-mails and internet use for access to pornography.
Q. Is there an exemption from the provisions of the code for small employers?
A. No. The Data Protection Act and the code apply to all organisations regardless of their size. But the Information Commissioner has published guidance on monitoring at work specifically aimed at small employers.
Q. How does the Act affect virus checking?
A. The Act does not prevent you from monitoring your systems to check for viruses or other forms of malicious code. It actually requires anyone handling personal information to use technical means to safeguard systems. But virus checking should be carried out in the least intrusive way possible. In terms of privacy, for example, the code recommends that it is best to handle suspect messages by rejecting them or quarantining them for collection by the intended recipient rather than letting a systems administrator open and read them.
Q. Do we need workers' consent to monitor them?
A. Employers who can justify monitoring on the basis of an impact assessment will not generally need the consent of individual workers under the Data Protection Act.
Q. Are we allowed to monitor employees without them knowing?
A. It is a fundamental requirement of data protection law that workers be aware of monitoring.
The Data Protection Code states that covert monitoring should not normally be considered and that it will be rare for it to be justified legally.
Covert monitoring tends to be justified in circumstances such as where there are genuine suspicions of criminal activity or equivalent malpractice. Employers must be genuinely concerned that notifying individuals about the monitoring would prejudice its prevention or detection. The monitoring must be strictly targeted at obtaining evidence within a set timeframe, and within the boundaries of the suspected malpractice. Monitoring must, therefore, not be carried on after the investigation is complete.
The Act restricts employers from using covert audio or video monitoring in areas which workers would genuinely expect to be private such as toilets or changing rooms, unless there are valid suspicions of serious crime, about which the employer intends to involve the police.
To stay on the right side of the law, the code recommends that employers:
only use covert monitoring in exceptional circumstances
ensure any covert monitoring is strictly targeted at obtaining evidence within a set timeframe
do not continue covert monitoring after the investigation is complete
do not use covert audio or video monitoring in areas which workers would genuinely and reasonably expect to be private.
Q. When is it lawful to intercept communications?
A. The general rule is that interception without consent is against the law. According to the code's supplementary guidance, interception:
includes access to e-mails before they have been opened by the intended recipient
does not include access to stored records of e-mails that have been received/opened.
But there are exceptions.
The Regulation of Investigatory Powers Act 2000 (RIPA) and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, which came into force in October 2000, set out when interception can take place.
The RIPA authorises interception when the employer (interceptor) has reasonable grounds to believe both the sender and the intended recipient have consented.
The Telecommunications Lawful Business Practice Regulations (LBP) were issued in response to pressure from business, setting out circumstances in which businesses can lawfully intercept without consent. These include monitoring...
for the purpose of investigating or detecting the unauthorised use of telecommunications systems, such as to ensure employees do not breach company rules or policies on e-mail or internet use
to ensure the effective operation of the telecommunications system - this may include monitoring for viruses or other threats
to ascertain whether standards are being met - this may include monitoring for staff training or quality control
to detect crime or unauthorised use.
Although consent is not required in these circumstances, employers are required to inform staff that such interceptions may take place. They must also show that interception and monitoring is for a reason that is relevant to the business. This relevance can include all communications relating to the business or that arise in the course of carrying out that business. Transmitting trade secrets or pornography in breach of company policy on the use of internet and e-mail is relevant to the business and falls under the LBP regulations on monitoring.
Any interception which involves obtaining, recording or otherwise processing personal data by means of automated equipment (for example, recording calls or filtering e-mails) also falls within the scope of the Data Protection Act. So does the holding or processing of personal data after the interception has taken place.
Q. Does the Act apply to occasional monitoring?
A. Yes. The Act applies to occasional monitoring where the employer introduces monitoring as a short-term measure in response to a particular need or problem - for example, keeping a watch on the e-mails sent by a worker suspected of racial harassment or by installing a hidden camera when workers are suspected of drug dealing on the employer's premises.
Q. Are we legally permitted to access employees' e-mails or listen to their voicemails while they are away?
A. Yes. The Data Protection Act allows organisations to check e-mail accounts and voicemail in employees' absence as long as they have been informed this will happen. You should take all steps to avoid accessing communications which are obviously not business-related such as those marked 'personal' in the header.
Q. Does the code really require us to provide our workers with separate e-mail accounts for private messages?
A. No, this is a misunderstanding. What the code actually says is that if an employer chooses to provide a separate facility for private messages, this will be an important factor in deciding what monitoring of the business-related account is justified and that providing a separate account will help limit any intrusion resulting from monitoring the business account.
Q. Are we justified in checking e-mail and internet access in our bid to prevent sexual and racial harassment?
A. The code says that while employers do have legal obligations to take active steps to prevent such harassment, it is hard to see a justification for randomly or routinely accessing the content of e-mail messages, particularly private ones, or for checking which websites employees have visited on the off-chance of unearthing evidence of harassment. If there are grounds to suspect a particular worker of harassment, targeting monitoring at this individual may be justified.
Q. Are we legally required to take steps to assess whether monitoring is justifiable?
A. The code recommends that employers carry out a risk assessment, identifying the purpose of the monitoring, its benefits and any adverse impact. It recommends examining alternatives to monitoring before going ahead.
Q. Are we free to choose whichever surveillance method we wish?
A. The law does allow employers flexibility in choosing monitoring systems, but overly intrusive systems will not be viewed kindly: the code recommends employers choose the method that will cause the least intrusion into private lives.
Q. How does the law regard video surveillance such as closed circuit television (CCTV)?
A. The Information Commissioner sets out standards and recommendations for best practice in using CCTV. Although CCTV use is permitted, employers need to use it in limited circumstances and very carefully (see Section 4 - Developing the right policies and procedures).
Q. Can we monitor employee vehicles?
A. The Data Protection Act does allow monitoring of vehicle movements where the vehicle is allocated to a specific driver and information about the performance of the vehicle can be linked to them. But this monitoring is regulated.
If the employee is allowed to use the vehicle for private business, monitoring their movements during this private use without their freely-given consent is rarely justifiable under the Act. You will be expected to evaluate whether the benefits justify the adverse impact and adapt the monitoring accordingly. If the vehicle is used for both private and business purposes, one way might be to install a privacy button to disable monitoring in times of private use, suggests the code.
In some cases, such as when a tachograph has been fitted to a lorry, employers are legally obliged to monitor vehicles, even if used privately.
Q. Are we allowed to monitor employees' financial circumstances?
A. You should only monitor a worker's financial circumstances if there are firm grounds to conclude that financial difficulties would pose a significant risk to the business.
If you are using a credit reference agency to monitor staff, make sure the agency is aware of how the information will be used and that it complies with the Data Protection Act in terms of processing personal information.
Q. Where do we stand legally in terms of processing and handling personal information?
A. The Act governs the processing and recording of personal information (personal data) including that which is processed and handled by automated systems.
This covers all types of computers, including laptops and any other type of equipment which can process information automatically such as audio and video systems, telephone logging and surveillance systems, microfiche and microfilm.
You need to make sure you record information in a way that does not violate the Act's principles. These require organisations to:
advise individuals beforehand of how information about them will be used and to whom it will be disclosed
where agreement or consent has not been obtained, show that the collection and use of such information is necessary for performance of the contract of employment or is in the employee's vital interests, or that one of the statutory exemptions applies, such as being necessary to detect or prevent crime.
Personal e-mail addresses which identify a particular individual also constitute personal data - any data that identifies the individual (data subject) - under the Act.
Q. We are confused about information and types of filing systems that fall within the Data Protection Act. What do the Act's definitions cover?
A. In the recent case of Durant v Financial Services Authority, 2003, the Court of Appeal decided that for information to relate to an individual:
the person has to be the focus of the information
the information has to tell you something about them.
If a general scene has been recorded with no incident and no focus on a particular individual's activities, these images are no longer covered by the Act.
This case involved Mr Durant applying to the Financial Services Authority (FSA) to release data relating to him, following an investigation by the FSA into a dispute between him and his bank. The FSA only disclosed documents held on computer, but no hard copy documents. After the County Court refused to order disclosure of these documents, Mr Durant appealed to the Court of Appeal, which concluded that not all information dug up during a search with an individual's name can be defined as personal data.
To be personal data, the information must:
affect an individual's privacy in his personal or family life, business or professional capacity
be 'biographical in a significant sense', with the data subject as its focus.
The DPA only applies to manual systems if they provide the same level of access to files and information as that of a computer system. The Court of Appeal concluded that situations where employees are having to trawl through manual files fall outside the scope of the Data Protection Act.
The Information Commissioner is conducting an extensive review of the CCTV code of practice to take into account these changes to the interpretation of the Act. This review is due to be published later this year.
Q. Are employers using basic CCTV systems still covered by the Data Protection Act in the light of the Durant case?
A. Only if they are trying to learn about individuals' activities for their own business purposes. The CCTV code states that if you can answer yes to any of the following, you must still adhere to the provisions of the Data Protection Act:
Do you ever operate cameras remotely to zoom in or out or point in different directions to pick up what particular people are doing?
Do you ever use images to try to observe someone's behaviour for your own business purposes such as monitoring staff members?
Do you ever give the recorded images to anyone other than a law enforcement body such as the police?
Q. What are the implications of the Human Rights Act?
A. The Human Rights Act 1988, which came into force in October 2000, brought the Council of Europe's Convention for the Protection of Human Rights and Fundamental Freedoms into UK law.
Article 8 of the Human Rights Act states that:
Everyone has the right to respect for their private and family life, their home and their correspondence
Case law in the European Court of Human Rights has established that this right extends to 'professional or business activities' and that, as well as correspondence, it applies to telephone conversations.
Q. Are there any exceptions?
A. Interference from public authorities is permitted only in situations such as where it is in the interests of national security, public safety or the prevention of disorder or crime. The Act does not grant a worker in the private sector the right to sue their employer, although any public authority must be very aware of the fundamental right to privacy.
Q. How does the law affect transmission of obscene material in the workplace?
A. The Telecommunications Act 1984 makes it an offence to send "by means of a public telecommunications system, a message or other matter that is grossly offensive or of an indecent, obscene or menacing character".
The Obscene Publications Act 1959, the Protection of Children Act 1988 and the Criminal Justice Act 1988 are all concerned with material that might be criminal, cause harm to young persons or otherwise be unlawful. In the workplace, downloading certain images from the internet might subject a worker to charges of criminal behaviour.
Categories deemed obscene under the Obscene Publications Act include sexual assaults upon children, incest, torture with instruments and graphic mutilation.
Employers are legally duty-bound to protect employees from harassment and can be held vicariously liable for such discrimination. A defence will include showing that you have taken all reasonably practicable steps to prevent staff from committing discriminatory acts. You are more likely to be liable if you fail to supervise e-mail use and only tackle problems once they are drawn to management's attention.
Employers can be held vicariously liable for discrimination if inappropriate material such as pornography is sent with an e-mail directly to another employee. They even risk discrimination complaints if they allow employees to create a hostile environment by downloading and circulating inappropriate material.
In the case of Morse v Future Reality, a female employee grew tired of being surrounded by male colleagues poring over sexually explicit or obscene images downloaded from the internet. One or two pictures were shown directly to her. She eventually resigned, complaining of sex discrimination on grounds of harassment. The company was held liable for not having taken action to prevent the discrimination. The tribunal awarded the ex-employee £750 for injury to feelings plus three months' loss of earnings.
Q. Are we liable under copyright law for material downloaded by staff?
A. Yes. The Copyright, Designs and Patents Act 1988 states that only the owner of the copyright is allowed to copy information. This law applies to publications in electronic and digital form as well as other forms. Employers must ensure that employees observe copyright notices when downloading material from the internet and avoid downloading and copying unlicensed software, as they can be held vicariously liable for any breaches.
Q. Can we be held liable for libellous messages sent by e-mail or posted on the internet by employees?
A. Yes. Liability can be extended to employers under the normal principles of vicarious liability or they can be held directly liable as publishers or disseminators by providing internet access. This was illustrated in the case of Western Provident v Norwich Union (see Section 1) where the latter was liable for slander and libel contained within an employee e-mail, forced to apologise publicly and pay out £450,000 in damages and costs.
Employers should take steps to avoid being directly liable for publishing defamatory material on their websites, as well as being liable for disseminating libellous statements by employees in e-mail correspondence.
Under the Defamation Act 1996, a person who is the author, editor or publisher of a defamatory statement is strictly liable for it. A defence, according to section 1 of the Act, will rest on showing that the employer:
was not the author, editor or publisher of the statement
took reasonable care in connection with its publication
did not believe, and had no reason to believe, that what they did caused or contributed to a defamatory statement being published.
Q. Is surveillance of personal telephone calls made by staff at work covered by the Human Rights Act?
A. Yes. In the case of Halford v United Kingdom, which involved surveillance of an employee's office telephone, the European Court of Human Rights concluded that Article 8 of the Human Rights Act, which concerns an individual's right to privacy and respect, did apply.
The court said that since Alison Halford had not been warned that her telephone calls were liable to interception by her employer, she had a reasonable expectation of privacy for such calls and that the employer was in breach of Article 8. The same argument would apply to the interception of any other forms of electronic communications such as e-mail.
The Halford decision appears to say that an employer may be free to intercept communications if an employee does not have a reasonable expectation of privacy. It underlines the importance of employers laying down clear and unambiguous terms in their computer-use and surveillance policies.
Income Data Services (IDS) points out in its guide that it is arguable that an employee should not expect privacy in the content of e-mail boxes, deleted e-mails or cache records showing internet use, providing the employer makes it clear that IT resources are company-owned and will be monitored where necessary. But, IDS points out, it is possible that the use of passwords or certain security levels on e-mail may give an employee a legitimate belief that certain communications will be strictly private. Similarly, the capacity to delete files or messages may encourage a reasonable expectation of privacy on the part of employees if they do not realise that deleted and purged files may actually remain backed up on computer systems.
It is crucial to get the wording of policies right if parameters for privacy expectations are to be set correctly.
Q. What is the Freedom of Information Act?
A. The Freedom of Information Act 2000 (FIA) only applies to public authorities, including the NHS, schools, the Police and the Post Office. Under the FIA, which will come fully into force by 30 November 2005, public authorities have to:
Produce a publication scheme
Deal with individual requests for information
Under the FIA, any person making a request to a public authority for information is entitled to be informed whether that information is held and to be shown the information. The deadline for being able to address individual requests is 1 January 2005.
References
IDS Guide, March 2004
Morse v Future Reality, North London employment tribunal (22.10.96, case no 54571/95)
Michael John Durant v Financial Services Authority (2003)
Halford v UK 1997 IRLR 471
One stop guide on employee monitoring: other sections
Section one: The issue of monitoring employees
Section two: The law
Section three: Deciding whether to monitor and how
Section four: Developing the right policies and practices
Section five: Monitoring methods