What monitoring is permitted in the workplace?

Keeping tabs on employees at work is becoming more common, but there are boundaries to take into account. Matt Gingell reports

According to research carried out by the Trades Union Congress (TUC), 56 per cent of workers believe that they are being monitored at work. But only 38 per cent felt that they were able to challenge forms of monitoring that they felt uncomfortable with. So what rights do they have?

Everyone has the right to respect for private and family life, home and correspondence. This right is set out in the European Convention on Human Rights, which is incorporated into UK law. The right is not absolute and there are instances when interference with the right can be justified. In the employment relationship, it is necessary to strike a fair balance between the employee’s right to privacy and the employer’s interests.

While only public bodies expressly have to comply with the right, it is relevant to private and public employers as courts and tribunals must interpret the law consistently with the right.

The right to privacy could, for instance, be engaged when employers monitor internet usage, emails or messages. The right could also be engaged when employers carry out CCTV monitoring or monitor employees’ locations on wearable or handheld devices.

Useful guidance

The Grand Chamber of the European Court of Human Rights (ECHR) set out some useful guidance about an employer’s scope to monitor in Bărbulescu v Romania.

The court had to consider whether an employer acted lawfully when it accessed an employee’s private messages on a business Yahoo Messenger account, where the employer’s rules prohibited use of the company’s IT systems for private communications. The ECHR held that the right to privacy was breached because the Romanian courts had failed to consider whether the employee had received prior notice of the monitoring.

The court mentioned various factors to consider in monitoring cases including:

  • whether the employee had been notified of the possibility of the monitoring and been provided with adequate safeguards;
  • the extent of the monitoring and the degree of intrusion into the employee’s privacy; 
  • whether the employer has provided legitimate reasons to justify monitoring the communications and content; 
  • whether it would be possible to carry out monitoring by using a less intrusive form of monitoring than accessing actual content;
  • the consequences of the monitoring for the employee.

Each case will therefore depend on its circumstances, although it would usually be very difficult for employers to justify monitoring emails and messages sent through private accounts.

The General Data Protection Regulation (GDPR)

The first GDPR data protection principle states that personal data must be processed lawfully, fairly and in a transparent manner. Processing includes monitoring personal data.

One of a list of conditions needs to be satisfied for the processing to be lawful. The most likely condition that employers will rely upon is that the processing is necessary for the purposes of the legitimate interests of the data controller (the employer), except where such interests are overridden by the interests and fundamental rights and freedoms of the data subject (the employee). 

To satisfy the first principle, it is also necessary to provide the employee with detailed information about the processing, including the purpose of the monitoring, how long the monitoring data will be kept, who the monitoring data will be shared with and the legal rights of the data subject.

The third GDPR principle states that personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed. This again requires employers to justify their monitoring activities.

Employers need to be aware of the other GDPR principles too, including being able to show compliance. 

Where the type of processing involves a high risk to the rights and freedoms of individuals, undertaking a data protection impact assessment is compulsory for compliance. Monitoring is likely to involve a high risk.

An impact assessment would involve identifying the purpose of the monitoring and the benefits, looking at its adverse effects, considering whether less intrusive monitoring is possible and assessing whether the monitoring is justified.

Matt Gingell is a specialist employment lawyer based in London