With CCTV cameras everywhere you go these days, how likely is it that your employer or client will be keeping an eye on you? Basically, quite likely. Employers can monitor staff through a variety of methods  – but it must do so in a way that is consistent with several legal requirements.

Many employers will choose to monitor phone and IT systems usage by their staff, and in some sectors employers will also use CCTV and other methods to monitor their products/goods.

Employers may choose to monitor their staff for any of the following reasons:

  • To safeguard their employees or members of the public (for e.g. health and safety reasons, prevent violence)
  • To protect business interests (prevent crime, theft or misconduct, or misappropriation of intellectual property and business secrets, by employees or members of the public) and ensure that Company policies are not broken
  • To ensure quality of customer services (which can also show training needs for their employees) and assess and improve productivity
  • To comply with legal and regulatory obligations

Most large employers now will have a Social Media Policy which may include monitoring of employees usage of networking websites (and so on). Many employers will also have an IT and Communications Policy also setting out how employees can use their systems.

The laws that cover the area of monitoring include:

  • The Regulation of Investigatory Powers Act 2000 (RIPA)
  • The Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 (LBP)
  • The Data Protection Act 1988 (including the 2003 Code, Monitoring at Work) – Employers must act in accordance with the DPA and its 8 key principles.

The implied legal obligation of trust and confidence that exists between an employer and employee is also relevant – Employers should not act without reasonable and proper cause, in a way which is likely to destroy or damage the relationship of mutual trust and confidence between themselves and their employees.

However, The Human Rights Act 1998 also plays an important role here as it gives individuals’ a right to privacy and the UK’s laws try to recognise that employees may feel that monitoring by their employer at work is intrusive.

Therefore, employers need to find a balance between an employee’s legitimate expectation to privacy and the Employers interests when they monitor their staff, in any way; and there must be a legitimate purpose for the monitoring.

Because of the need for this balance, the current UK laws distinguish between:

  • Targeted monitoring (of one individual) and systematic monitoring (where all employees or groups of employees are regularly monitored in the same way)
  • Open and covert monitoring
  • The monitoring of already-accessed communications and the monitoring or intercepting of un-accessed electronic communications (e.g. telephone calls, faxes, emails and internet access).  An ‘interception’ happens when the contents of the communication are made available to someone other than the sender or intended recipient. The sender and recipient of the communication must consent to the interception for this to be lawful. ‘Interceptions’ are highly regulated under the RIPA and LBP laws (above).
All these monitoring types can be lawful.

Therefore when Employers set up monitoring systems they must (to ensure the monitoring is legal):

  • Carry out an ‘impact assessment’ to justify the use of CCTV/monitoring – which identifies the purpose behind the monitoring and likely benefits and adverse impacts; alternative ways in which the purpose might be achieved; the obligations that will arise from monitoring e.g. notifying employees, managing data, subject access requests (SAR) by staff; whether the decision is justifiable (compared to the adverse effects the employees may experience).
  • Tell staff the nature, extent and reason for the monitoring that may take place. Staff do not lose their right to personal privacy when they walk through their Employer’s doors and this must be balanced with the Employers right to ensure their employees are not engaging in misconduct.
  • Ensure the monitoring is related to the business and the equipment being monitored is partly or wholly provided for work.
  • Be clear what levels of privacy an employee can or cannot expect when using their employer’s systems to make personal communications and when using restrooms or break areas.
  • Provide an unrecorded telephone line for employees to use in emergencies if all other telephones are routinely recorded/monitored.
  • Be clear what levels of email/internet/phone usage by the employee for personal reasons is permitted and what is not
  • Provide written policy statements about the monitoring
  • Explain how the employer will use the information obtained via monitoring.  An employee may be aware that CCTV cameras exist, for example, but thie will not justify an Employer using CCTV footage in a disciplinary procss if the employee was never told the footage could be used for that purpose.  For example – an employee is entitled to assume the CCTV will be used for security purposes only unless they are told otherwise.
  • Ensure those involved in the monitoring are aware of their confidentiality obligations.
  • Explain how the information will be stored and processed in accordance with the Data Protection Act, and who has access to this information.
  • Allow employees to voice any concerns they have, in confidence, and ensure they are given the chance to explain or challenge any footage used as part of a disciplinary process.  Employers, however, are not required to get consent from the employees to monitor them if the above steps have been carried out.
Get expert business advice delivered straight to your inbox.

Targeted monitoring

Generally, monitoring should normally be carried out by an employer in an open and systematic way only, unless targeted and/or covert monitoring is justified.

Targeted/covert monitoring will usually only be justified where there are grounds to suspect criminal activity or serious malpractice by the employee in question and the monitoring is necessary to prevent or detect this crime or malpractice. Such monitoring should be only carried out to a set timeframe and as part of a specific investigation and that the risk of intrusion on ‘innocent’ workers is considered.  This monitoring would usually then lead to a disciplinary hearing where the employer believes the employee has breached company policies.

If this targeted monitoring provides information inadvertently of other malpractice by other workers, this evidence should not be used against those workers unless it is a case of serious gross misconduct.  Where the misconduct is minor in nature, use of the ‘secret’ footage to discipline workers will generally not be allowed.

Personal data collected through monitoring must be for legitimate purposes and cannot be used for any other purpose than originally intended.

Surveillance of staff outside of the workplace may also be acceptable if the employer can demonstrate it was ‘justifiable’ (they have credible reasons to suggest an employee is involved in wrongdoing or breaching company policies) and ‘proportionate’ (the employer did not go any further than was necessary in its use of surveillance).

Basically, any monitoring that is done by the employer must be proportionate to the issue the employer seeks to address.

In a 2014 case, Atkinson v Community Gateway Association, the Employment Appeal Tribunal held that the Employer accessing an employee’s emails, in the course of a disciplinary investigation into the employee’s conduct, did not amount to an unjustified interference with the employees’ private life – the employee did not have a reasonable expectation of privacy in circumstances where he had sent emails from his work account in breach of the e-mail policy (which he himself had drafted and was responsible for enforcing!) and the e-mails were not marked ‘personal/private’.  The fact that Mr Atkinson had used the email system in breach of the Association’s email policy was discovered as a result of its legitimate investigation into his conduct.  Employers should bear in made that staff may have a reasonable expectation of privacy at work if the Employer does not have an ‘Email and Internet Use Policy (or similar) which is made known to all staff.

 

If you need help you can contact the Information Commissioner’s Office, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

If you are an Employer and need ongoing professional help with any staff/freelance issues then talk to Lesley at The HR Kiosk  – a Human Resources Consultancy for small businesses – our fees are low to reflect the pressures on small businesses and you can hire us for as much time as you need.

Please note that the advice given on this website and by our Advisors is guidance only and cannot be taken as an authoritative interpretation of the law. It can also not be seen as specific advice for individual cases. Please also note that there are differences in legislation in Northern Ireland.