Monitoring employees is commonplace but it involves obtaining information that could breach various laws, including employees' human rights.
Anthony Thompson looks at how employers can be legally compliant
The Data Protection Act 1998 (DPA) regulates the manner in which businesses can obtain, hold and use personal information about workers.
The DPA is supported by the Employment Practices Data Protection Code, issued by the Information Commissioner.
The code sets out recommendations for good practice to assist employers in meeting their obligations under the DPA.
On 11 June 2003, the Information Commissioner published part 3 of the code relating to monitoring at work.
Monitoring is covered by a number of different pieces of legislation.
The Regulation of Investigatory Powers Act 2000 (RIPA) prohibits employers from intercepting employees' communications including the monitoring of telephone calls, e-mails and the use of Internet facilities at work, unless the employee consents to the interception being made.
RIPA also allows monitoring in the form of surveillance, such as CCTV, if it is necessary for the business, for example, for security purposes.
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 allow employers to intercept and monitor employees' communications with their consent.
The employee's specific consent is not required where, for example, the interception is for the purpose of ascertaining whether or not the communication system is being used for its intended purpose - in other words, customer service or excessive private use.
In the context of monitoring, the most relevant article of the European Convention on Human Rights is article 8, which sets out the right to respect for private and family life, home and correspondence.
The right is not absolute in that there will be no interference by the state if it is considered to be proportionate, for example, in accordance with the law.
Cases decided under the convention state that, within the workplace, employees have a reasonable expectation of privacy.
However, there will be no such expectation in relation to, for example, communications, if the employer has a policy stating that communications will be intercepted and may be subject to monitoring.
The DPA regulates the processing of personal information of workers.
It seeks to ensure that information is obtained, held and disseminated in a fair and proper way in accordance with the data protection principles.
It applies to paper as well as computerised filing systems.
The code
The code is intended to assist employers in meeting their obligations under the DPA through adopting good practice where the employer wishes to monitor its workers.
If the provisions of the code are followed, it is highly unlikely that there will be a breach of the DPA.
The code has no legal effect but can be taken into account by a court or tribunal where they consider that its provisions are relevant.
The code's core principles are that:
- It will usually be intrusive to monitor workers;
- Workers have a legitimate expectation that they can keep their personal lives private and are entitled to a degree of privacy in the work environment;
- If employers wish to monitor their workers, they should be clear about its purpose, and be satisfied that the particular monitoring arrangement is justified by the real benefits that will be delivered;
- Workers should be aware of the nature, extent and reasons for any monitoring, unless (exceptionally) covert monitoring is justified; and,
- Workers' awareness will influence their expectations - if fully informed of policy, objection is less likely.
Although it is the subject matter of the code, 'monitoring' is not defined.
For the purposes of the code, monitoring means: '... activities that set out to collect information about workers by keeping them under some form of observation, normally with a view to checking their performance or conduct.'
Examples of monitoring include: opening an individual worker's e-mails, listening to voicemails for evidence of malpractice, checking an employee's line to determine the extent of outgoing private calls, and recording telephone calls for the purpose of staff training or to ensure that customer service principles are being adhered to.
Impact assessments
The code recommends that employers carry out impact assessments before implementing any monitoring arrangement.
The purpose of the assessment is to determine whether monitoring is necessary for the business.
The impact assessment should assist in ensuring that employers judge whether a 'monitoring arrangement is a proportionate response to the problem it seeks to address'.
The impact assessment will involve:
- Identifying the purpose for monitoring and its benefits in the particular context;
- Determining whether other methods can be used rather than monitoring, that is, clarification of the rules or standards applicable through supervision and training;
- Identifying the adverse impact of monitoring on employees;
- Considering other legal obligations; and,
- Assessing how the monitoring exercise is going to be communicated to the workers unless covert monitoring is required.
Good practice
The code recommends that employers set up internal procedures that will create a culture of respect for private life, data protection, security and confidentiality of personal information.
It advocates:
- One person within the organisation responsible for ensuring that policies and procedures comply with the DPA and that they are continually reviewed;
- Ensuring that the workforce is fully conversant with data protection compliance and that work practices address this issue;
- That those who monitor workers are aware of the DPA and its code; and,
- That workers are consulted about the development and implementation of employment practices and procedures.
Any type of monitoring will be intrusive.
Therefore, adhering to the core principles is paramount.
To ensure that employers comply with the DPA and the message of the code, they should ensure that they have a clear monitoring policy covering communications by e-mail, telephone and the other circumstances in which it may arise such as sickness or security issues.
Any policy should state:
- The circumstances in which the telephone, e-mail or Internet may be used for private use;
- The extent and type of private use allowable - for example, prohibiting overseas calls;
- In the case of Internet access, any restrictions on materials that can be viewed or copied;
- What alternatives are available to employees, for example, private matters can be sent by internal post;
- The rules for private use of the communication systems while at home or away from the workplace;
- The type and purpose of monitoring that will be carried out;
- How and when monitoring will be carried out;
- How information collected by monitoring will be used;
- Who will have access to information collected by monitoring;
- The way the policy will be enforced and the penalties for breach of the policy; and,
- What employees should do if they have a query or concern in relation to monitoring.
Anthony Thompson is head of the employment department at City-based law firm Webster Dixon