
Monitoring employees: Guidance on privacy in the workplace

The recent decision of the European Court of Human Rights in Barbulescu v Romania (see our Be Aware blog post of 7 September) has placed the spotlight once more on the extent to which employers are permitted to monitor their employees’ communications and activities.

The adoption of new information technologies in the workplace allows for systematic and potentially invasive monitoring, enabling employers to track employees not just in the workplace but potentially in their homes through many different devices, including smartphones, tablets and wearables. The boundaries between work and home have become more blurred as more employees work remotely using their employer’s equipment, or bring their own devices to work. Monitoring of individuals at work can increasingly shade into monitoring in a private context. A further risk comes from the over-collection of data such as WiFi location data; analysis of metadata may allow for invasive, detailed monitoring of an individual’s life and behaviour. Such new technologies create significant privacy challenges. Whilst data privacy and human rights legislation do not prevent employers from monitoring workers, employers should remember that workers are entitled to some privacy at work.

The General Data Protection Regulation (GDPR), which comes into force in May 2018, will significantly raise the stakes for employers to ensure that their monitoring systems stay on the right side of the privacy line. With this in mind, on 8 June 2017 the EU Article 29 Working Party on data protection adopted a new Opinion on data processing at work. Whilst primarily concerned with employers’ current obligations regarding monitoring, the Opinion looks forward to the additional obligations which will be placed on employers by the GDPR.

In order to process personal data in the employment context, the employer must have a legal basis for doing so. Processing of special categories of data (usually referred to as sensitive personal data) is prohibited unless an exception applies; if such an exception applies, the employer must still have a legal basis for processing the data. The Opinion emphasises that for the majority of processing at work, including monitoring, the legal basis cannot and should not be consent. Consent is generally not valid in the employment context as it cannot be freely given, due to the real or potential prejudice which will usually arise from the employee not consenting.

Employers will more commonly be seeking to rely on the processing being necessary for a legitimate interest as the legal basis. Where the employer relies on legitimate interest, the processing must also be proportionate and should be carried out in the least intrusive manner possible. Specific mitigating measures should also be put in place to ensure a proper balance between the legitimate interest of the employer and the rights of employees; such measures might include only monitoring in certain areas, avoiding monitoring of sensitive areas such as changing rooms, avoiding monitoring of personal communications, and undertaking spot checks rather than continuous monitoring.

Employees must be informed of the existence of any monitoring, the purposes for which personal data are processed and any other information necessary to ensure fair processing. The information requirements under the GDPR will be more detailed and specific.

In order to comply with GDPR, employers as data controllers are required to implement data protection by design and default. An example of the impact which this has on workforce data is that where an employer issues devices to employees, the most privacy-friendly solutions should be selected if tracking technologies are involved.

The Opinion addresses a number of data processing at work scenarios in which new technologies have the potential to result in high risk to the privacy of employees:

  • Processing during recruitment

Employers should not routinely inspect the social media profiles of prospective candidates during recruitment processes. Such information should only be reviewed if it is necessary for the job, for example in order to be able to assess specific risks regarding candidates for a specific function. Candidates must be informed if social media information will be reviewed during recruitment.

Data collected during the recruitment process should generally be deleted as soon as it is clear that an offer of employment will not be made or not be accepted.

  • Processing during in-employment screening

Similarly, in-employment screening of employees’ social media profiles should not take place on a generalised basis. Employees also should not be required to use a social media profile provided by their employer; the option of a ‘non-work’ profile must be available.

  • Monitoring ICT usage in the workplace

Technological developments have enabled newer, potentially more intrusive and pervasive ways of monitoring employees’ ICT usage. The Opinion suggests that, as good practice, employers should offer alternative unmonitored access to communication technologies where employees can exercise their legitimate right to use work facilities for some private usage. Employers can implement an “all-in-one” monitoring solution for all ICT usage in the workplace, for example applications which decrypt and inspect secure traffic to detect anything malicious and which can also record an employee’s online activity on the network. The employer can rely on legitimate interests to protect the network; however, monitoring every online activity of employees is an interference with the right to secrecy of communications. A policy should be developed and made easily accessible concerning the purposes for which, when and by whom suspicious log data can be accessed, and to guide employees about acceptable and unacceptable use. If it is possible to block websites rather than continuously monitoring communications, blocking should be chosen. Prevention should be given more weight than detection: it is in the employer’s interest to prevent internet misuse rather than to detect it.

  • Monitoring ICT usage outside the workplace

ICT usage outside the workplace has become more common with the growth of home and remote working and ‘bring your own device’ (BYOD) policies. These technologies can pose a risk to employees’ private lives as workplace monitoring extends into the domestic sphere.

In respect of remote and home working, the use of, for example, software which logs keystrokes and mouse movements or captures screenshots, logging of applications used and remotely enabling webcams will be disproportionate.

In respect of BYOD policies, appropriate measures must be in place to distinguish between private and business use to prevent monitoring of private information.

Where employees are provided with wearable devices which track health information, processing of the data by the employer is prohibited as it falls within a special category of data. The health data should only be accessible by the employee.

  • Time and attendance data

Systems that allow employers to control who can enter their premises or restricted areas can also allow the tracking of employees’ activities. New technologies may also process biometric data. Employees must be informed about any such processing and continuous monitoring of entrance and exit times cannot be justified for purposes such as performance evaluation.

  • Vehicle tracking

Any employer using vehicle telematics will collect data about the employee using the vehicle. Employers may be legally obliged to install some tracking, e.g. for driver hours records, and may have a legitimate interest in knowing where company vehicles are. However, use of such data should be proportionate. If private use of a vehicle is permitted, employees should have the opportunity to turn off location tracking where appropriate. The employer must also clearly inform employees that company vehicles are fitted with trackers.

  • Disclosure of employee data to third parties

It has become increasingly common for companies to transmit employees’ data to customers for the purpose of ensuring reliable service provision. However, such data should only be provided if it is proportionate. For example, in the case of a delivery driver, the company might have a legitimate interest in transmitting information regarding the driver’s location to a customer, but not their name or a photograph.

Employers need to re-examine their employee monitoring systems and policies as part of their preparation for being GDPR-compliant.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/monitoring-employees-guidance-on-privacy-in-the-workplace/

ECHR confirms that employers do not have green light to monitor employee emails

Further to our Be Aware post of 1 February 2016, on 5 September 2017 the Grand Chamber of the European Court of Human Rights overturned the Lower Chamber’s judgment in Barbulescu v Romania and held that the dismissal of an employee, after his employer monitored his Yahoo Messenger communications and discovered that he had used the internet for personal purposes, had breached his right to respect for his private life and correspondence under Article 8 of the Convention on Human Rights. This decision makes it clear that employers need well-drafted, well-communicated policies which clearly explain what internet and social media usage is prohibited in the workplace and what measures the employer will take to monitor and control such usage.

The employer’s internal regulations prohibited personal use of computers but did not contain any reference to the possibility that employees’ communications would be monitored. The employer undertook monitoring of Mr Barbulescu’s Yahoo Messenger account, including both the frequency and content of personal communications. Mr Barbulescu unsuccessfully challenged his dismissal in the Romanian courts, arguing that the employer had breached his Article 8 right to respect for his private life and correspondence. He then brought a claim in the ECHR, arguing that the domestic courts had failed to protect his Article 8 right. In 2016 the Lower Chamber dismissed his claim, holding that Mr Barbulescu had no reasonable expectation of privacy in his communications at work and that the national authorities had struck a fair balance between his right to respect for his private life and the employer’s interests. Mr Barbulescu then took his case to the Grand Chamber, which disagreed with the Lower Chamber. The Court considered that it was clear that Mr Barbulescu had been informed of the ban on personal internet use, but not so clear that he had been informed about the monitoring before it took place, particularly about the possibility that the employer might have access to the content of communications. The Court considered that when domestic courts are considering the proportionality of employer monitoring of communications, the following factors should be taken into account:

  • Whether the employee has been notified of the possibility that the employer might take measures to monitor correspondence;
  • The extent of the monitoring and the degree of intrusion into the employee’s privacy. A distinction should be made between the flow of communications and their content;
  • Whether the employer has provided legitimate reasons to justify monitoring the communications and accessing content;
  • Whether it would have been possible to establish monitoring based on less intrusive methods;
  • The consequences of the monitoring; and
  • Whether the employee has been provided with adequate safeguards.

In this case, the Grand Chamber found the domestic courts’ conclusion that a fair balance had been struck between the employee’s rights and the employer’s interests to be questionable. The Grand Chamber considered that the Romanian courts had not protected Mr Barbulescu’s Article 8 rights.

This decision makes it clear that if employers want to monitor and restrict personal use of the internet and other communications at work, the policy must make it clear what is or is not permitted and must inform employees of any monitoring which will take place. Restrictions and monitoring should be proportionate; the Grand Chamber noted that an employer’s instructions cannot reduce private social life in the workplace to nothing.


Permanent link to this article: http://www.dlapiperbeaware.co.uk/echr-confirms-that-employers-do-not-have-green-light-to-monitor-employee-emails/

Employers do not have green light to monitor employee emails, despite ECHR judgment

A recent case before the European Court of Human Rights has set the cat amongst the pigeons on the perennial hot topic of employees’ entitlement to privacy and data protection in the workplace.

Widespread media reports would lead employers to believe that unfettered monitoring of employee emails and internet use is now acceptable and that engaging in personal correspondence during working hours is legitimate grounds for dismissal. However, this is simply not the case, and employers must beware. An employer who engages in this type of monitoring, and imposes disciplinary sanctions as a consequence, can in fact expect to find themselves in hot water. Employers must, as a minimum, have comprehensive and bespoke internet policies in place, clearly setting out the rights and obligations of employees, how monitoring is conducted and how data is processed and used. The policies must also be effectively communicated to employees, accompanied by appropriate training and consistently enforced.

The case

Barbulescu v Romania

The claimant, Mr Barbulescu, was an engineer in charge of sales who was employed from August 2004 to August 2007. In July 2007, Mr Barbulescu was asked by his employer to set up a Yahoo Messenger account for the purpose of responding to clients’ enquiries. The employer gave notice to its employees at the beginning of July that internet use would be monitored (although this was disputed by Mr Barbulescu). In the period 5–13 July, the employer monitored Mr Barbulescu’s Yahoo communications. This identified that Mr Barbulescu had been using the internet for personal purposes, contrary to the company’s rules which prohibited personal internet use. The rules stated: “It is strictly forbidden to disturb order and discipline within the company’s premises and especially…to use computers, photocopiers, telephones, telex and fax machines for personal purposes”.

Mr Barbulescu initially denied any personal use, but the employer’s findings were backed up by a transcript of his communications. Mr Barbulescu sought to argue that his employer had violated the Criminal Code and the Romanian Constitution by violating his correspondence, and brought a claim in the Bucharest County Court. The court dismissed his claim, finding that the employer had complied with the relevant disciplinary proceedings and that Mr Barbulescu had been informed about the employer’s rules on personal internet use. The court said that, as Mr Barbulescu had denied using the internet for personal use, the employer had no option but to check the content of his Yahoo communications, and that monitoring employees’ use of company computers was within the broad scope of the employer’s right to check the manner in which professional tasks were being completed.

Mr Barbulescu appealed the court’s decision, claiming that emails are protected by Article 8 of the Convention relating to respect for private life and correspondence. The Court of Appeal dismissed Mr Barbulescu’s appeal, ruling that the employer’s conduct had been reasonable and that monitoring his communications was the only method of establishing the disciplinary breach.

Mr Barbulescu therefore took his case to the European Court of Human Rights (ECHR). The ECHR identified that, on the face of it, telephone calls from business premises are covered by the notions of ‘private life’ and ‘correspondence’ for the purposes of Article 8, and that emails, and information derived from monitoring employee usage, would be similarly protected. The ECHR also found that, in the absence of notice about monitoring, employees would have a reasonable expectation as to the privacy of their calls and emails.

The ECHR said that it therefore needed to examine whether a fair balance had been struck between Mr Barbulescu’s right to respect for his private life and correspondence and his employer’s interests. It found that there had, and that therefore Mr Barbulescu’s claim should fail (although one judge dissented in strong terms). It relied on the following findings:

  • Mr Barbulescu had been able to raise his arguments before the domestic courts and they had found that the employer had acted within its disciplinary powers;
  • The domestic courts had also found that Mr Barbulescu had used the company’s computer for personal use during working hours, and that there had therefore been a disciplinary breach of the employer’s rules;
  • The employer had only accessed Mr Barbulescu’s account on the basis that the information in question was assumed to relate to Mr Barbulescu’s professional activities; it had not accessed any other documents or data on Mr Barbulescu’s computer and its monitoring was therefore limited in scope and proportionate;
  • The domestic courts had not placed any weight on the contents of the Yahoo account; they had only considered activity on that account to the extent it proved the breach of company rules;
  • It was not unreasonable for an employer to want to verify that employees are completing their professional tasks during working hours; and
  • Mr Barbulescu had failed to convincingly explain why he had used the Yahoo account for personal purposes.

Implications

On the face of it, this case does appear to give employers some confidence about their ability to monitor employee emails and internet use. The ECHR was willing to find that a blanket ban on personal internet use was sufficient in this case to weigh the employer’s interests evenly against the claimant’s right to private life and protection of correspondence. This was so, even though it was in dispute whether the employee had been properly notified that monitoring would take place.

However, employers must still exercise significant caution. The UK has a raft of legislation and guidance governing employee monitoring and data protection, and in many workplaces the lines are unlikely to be as clearly drawn as in this case. Further, in many cases a blanket ban on personal internet and email use may be impractical. As identified by the dissenting judge, some employers will allow employees to use the company’s internet and email/messaging systems for personal use; others will allow employees to use their own equipment for work-related matters; and some employers will permit both. The dissenting judge was at pains to make clear that an employer’s right to monitor an employee’s communications is not unrestricted or at its discretion. The key issues to consider are:

  • Employees have a reasonable expectation of privacy;
  • Expectations of privacy may, in certain circumstances, be displaced by a bespoke internet policy with specific rules on email, instant messaging, social networks, internet surfing etc and a comprehensive policy on employee monitoring. Automatic or continuous monitoring of internet use is unlikely to be permissible;
  • Employees must be aware of the employer’s policies, both in terms of the rules which apply during working hours, and outside working hours, and in terms of any restrictions on the use of company equipment. Employees should give their explicit consent to the policies;
  • The enforcement of an employer’s internet policies should be guided by the principles of necessity and proportionality. For example, before carrying out any monitoring, employers should consider whether the benefits of that measure outweigh the adverse impact on the employees’ right to privacy;
  • Sanctions for a breach of the employer’s internet rules should normally start with a verbal warning, before moving to a written warning, and ultimately dismissal. Relevant considerations for the appropriate sanction are likely to include whether damage has been caused to the employer and/or whether there has been a pattern of behaviour over a sustained period of time;
  • Any processing of personal data for the purposes of the employment relationship, including staff management, and termination of employment, must be regulated by contract or collective agreement in line with data protection laws and principles. Specific forms of data processing like internet and email use are likely to warrant detailed rules and procedures.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/employers-do-not-have-green-light-to-monitor-employees-emails-despite-echr-judgment/