A case that was widely hailed as an employer's charter to snoop on employees' personal e-mails (as we reported here) was recently overturned by the Grand Chamber of the European Court of Human Rights (ECHR). Unlike the lower section of the ECHR, a majority of the 17 Grand Chamber judges hearing the case decided that the employer had gone too far when it had monitored the private messages of its employee, and dismissed him for breaching its policy prohibiting personal use of its systems.
The UK - unlike Romania, where this case originated, and most other signatories to the European Convention on Human Rights - already regulates for the safeguarding of employees' privacy and so neither of the two differing decisions break any new ground for employers operating here. However, in an era where the boundaries of work and private life become ever more blurred, particularly with the rise of the gig economy and increasingly more sophisticated technology, this case reminds employers of the importance of balancing the interests of the business with the right to privacy in the workplace.
We have set out brief guidelines for any employer considering monitoring its employees' e-mail and internet communications at work below. Please note that there are additional considerations for employers planning to intercept communications, i.e. essentially monitoring a communication in the course of its transmission, rather than, for example, checking historic email and internet traffic or viewing messages that have already been received by the recipient.
First, monitoring employee use of email and the internet involves the processing of personal data and so the Data Protection Act will be engaged. Guidance to ensure compliance with data protection obligations - and it is worth noting the more stringent obligations under the EU General Data Protection Regulation (GDPR) coming into force on 25 May 2018 - recommends that employers first undertake an impact assessment. The purpose of such assessment is to demonstrate the correct balance between workers' privacy on the one hand and the interests of the business on the other. The assessment should cover:
- What monitoring will be carried out
- The purpose of the monitoring
- Whether that purpose can be achieved without monitoring or by using a less intrusive method of monitoring
- The impact of the monitoring on the individuals being monitored
- Whether, having considered the above, the monitoring is justified
The above on its own is not enough, though it is interesting to note that the factors the ECHR considered relevant in the context of protecting an employee's Article 8 rights to privacy mirror this guidance. In addition, to defeat an argument that there is an expectation of privacy and to safeguard employees, the employer must also communicate the monitoring to its employees. The following should be clearly set out in writing:
- The employer's policy on employee use of company resources, systems and devices for personal use
- The nature, scope and effect of any monitoring, the reasons for such monitoring and when it will take place
This is best achieved through a clear written policy that is communicated to all employees, ensuring that it has been received and accepted. Providing a copy and referring to the policy in the contract of employment or requiring a separate signature will demonstrate that the employee has received and acknowledged the policy. There should also be regular reminders.
Importantly, the employer's downfall in the case above was that, although they had communicated the fact that they would monitor adherence to the non-personal use rule, they failed to inform the employee of the nature and extent of the monitoring, or of the possibility that the employer may access the actual content of messages. And in a comment dispelling any notion that an employer can invade privacy freely by simply putting in place draconian policies, the ECHR said "an employer's instructions cannot reduce private social life in the workplace to zero". The key, it seems, is in striking the right balance.