Are employers free to spy on employees' private e-mails?
If the hype in the media is anything to go by, employers can be forgiven for thinking that, following a recent decision by the European Court of Human Rights (ECHR), they are now free to snoop on employees' private communications without limitation. However, this is not so. While it makes interesting reading, the decision does not give the green light to employers to monitor employees' private communications at work and it does not change the current position in the UK. Employers may well be able to monitor employees' communications, but such monitoring remains subject to certain safeguards and conditions.
What is the case about?
The case was brought by an employee in Romania, Mr Barbulescu, who was dismissed by his employer for using his Yahoo messaging account (which was set up on his employer's system for work purposes) to send private messages during work time. The employer had in place a policy prohibiting personal use of the employer's systems and said it had reserved a right to monitor usage, though Mr Barbulescu disputed that he had been made aware of his employer's right to monitor. The ECHR did not, rather surprisingly, explore the issue. As part of the disciplinary process, the employer accessed Mr Barbulescu's Yahoo messages and produced a lengthy transcript showing both the traffic and content of his private communications, some of which were of a sensitive nature. Before being shown the transcript, Mr Barbulescu had insisted that he had not used the Yahoo account for private messages and so the employer argued that the only way to prove the breach was to access his account.
The Romanian courts agreed with the employer that its accessing of the Yahoo account and monitoring of what were clearly communications of a private nature were lawful, and consequently so was the dismissal for breach of the employer's policy. Mr Barbulescu took his case to the ECHR arguing that the monitoring was a violation of his human rights, specifically his right to privacy. The ECHR agreed that the right to privacy was engaged, but it is not an unqualified right and in the circumstances a fair balance had been struck between Mr Barbulescu's right to respect for his private life and correspondence, and his employer's interest in ensuring employees are "completing their professional tasks during working hours".
What steps should employers take before they can monitor?
A key factor in the case was the employer's prohibition on personal use of its systems (and the fact that the dismissal was for a breach of this prohibition, not because of the content of the messages). Whereas a blanket ban on personal use is certainly not the approach taken by every employer, it is important to have a policy in place setting out what the employer considers to be acceptable usage of its systems and resources. It should also clearly state that the employer is permitted to monitor employees' usage, and how and why monitoring might take place. Finally, the policy must be communicated to employees.
Before any monitoring takes place, the employer should identify a legitimate business need for such targeted surveillance (this could include ensuring compliance with particular rules and regulations, or where there are well-founded suspicions of a breach of policy or other misconduct).
Finally, the employer should consider whether the particular monitoring is proportionate in order to achieve that business need, and whether there is a less intrusive way of achieving it. For example, if the reason for the monitoring is to establish the fact or extent of unauthorised personal use of the employer's systems (as it was in the current case) and private messages can be identified by their subject line or by recipient, then viewing the content of the messages is unlikely to be proportionate (arguably an aspect that was not adequately explored by the ECHR). Limiting the monitoring to the volume of such communications should be sufficient to achieve the desired result without unduly interfering with the employee's privacy.
Although this case does not change the law, it serves as a useful reminder of the relevant factors that employers should consider when monitoring employees' private emails. Individuals have a reasonable expectation of privacy, even at work, and employers need to comply with certain safeguards before they can legitimately intrude on that privacy. Employers should make sure that policies on e-mail, internet and social media use are comprehensive, up to date and properly communicated to employees, and should give consideration to the reasons for and method and extent of their monitoring to avoid falling foul of the law. Regardless of what may have been reported in the media, there is still a fine line between acceptable and unacceptable monitoring of employees in the workplace.