Are your company’s monitoring methods lawful?

If employers have valid reasons for surveillance, there are important legal precedents to consider. Deb Tweedy reports

To lawfully monitor employees within the workplace, there are a number of important aspects employers must consider, particularly in relation to article 8 of the Human Rights Act 1988 and the Data Protection Act 2018. 

Employers should also ensure they implement and communicate their internal policies and procedures as to what will be monitored and why, with such policies able to stand up to scrutiny should a matter come before the courts. 

In the first instance, you should always consider why there is a need to implement monitoring. There are many reasons it might take place; for example, vehicle tracking, security, telephone call recording for training purposes or monitoring access to ICT systems. 

Once you have identified the reason for monitoring – and there must always be a legitimate and justifiable business reason – you should identify who within the business is permitted access to the information and with whom information can reasonably be shared. This is extremely important from a data protection perspective. 

The Information Commissioner’s Office (ICO) sets out detailed guidance on monitoring at work, in accordance with the GDPR and the Employment Practices Code, part 3: monitoring at work. A privacy impact statement will help guide employers through the process, with such statements available from the ICO. 

Internal policies and procedures should clearly define the reasons and/or benefits of monitoring and detail any sanctions for non-compliance. It is important that policies are provided to employees from as early as the offer of employment so they are fully appraised of your and their personal or contractual obligations. Where obligations are contractual, carefully drafted clauses should be inserted into the employment contract to avoid any later disputes. During the induction process, training should be provided to reinforce company policies.

When monitoring staff, employers should be mindful of an employee’s right to a private life. In the 2017 case of Bãrbulescu v Romania, Bărbulescu, an engineer for a private company, set up a Yahoo account in his workplace to deal with customer enquiries. In July 2017, during a routine investigation, the company found Bărbulescu had been emailing his brother and fiancé on personal matters. When this was initially denied, Bărbulescu was provided with copies of the email discussions. Following an investigation, he was dismissed for breaching company policies, a matter of gross misconduct. 

Bărbulescu’s claim for unfair dismissal was initially dismissed by local courts and again on appeal in a chamber vote in January 2016. However, the European Court of Human Rights’ grand chamber subsequently ruled there had been a violation of article 8. It determined that the national courts had failed to give sufficient consideration as to whether Bărbulescu had been adequately warned that his messages would be monitored and to what extent. The judgment also noted the failure to give proper consideration as to whether such intrusive monitoring was necessary at all. 

While this case has not overruled the use of monitoring within the workplace, it reinforces the need for monitoring to be proportionate with a legitimate aim – a blanket policy will not be sufficient. 

Transparency is therefore key. Policies should set out what will be monitored and why, together with the mutual benefit, as well as any sanction for non-compliance. Where personal use is allowed, clear guidance should be communicated as to what is acceptable. In addition, there must be a genuine belief that the misconduct under investigation could have an adverse effect on the organisation and could not reasonably be ignored. 

Deb Tweedy is an associate and head of employment and HR at Gordon Brown Law Firm