With CCTV cameras everywhere you go these days, how likely is it that your employer or client is keeping an eye on you? Basically, quite likely. Employers can monitor staff through a variety of methods – but it must do so in a way that’s consistent with several legal requirements.
Many employers will choose to monitor phone and IT systems usage by their staff, and in some sectors employers will also use CCTV and other methods to monitor their products/goods.
Employers may choose to monitor their staff for any of the following reasons:
- To safeguard their employees or members of the public (for e.g. health and safety reasons, prevent violence)
- To protect business interests (prevent crime, theft or misconduct, or misappropriation of intellectual property and business secrets, by employees or members of the public) and ensure that Company policies are not broken
- To ensure quality of customer services (which can also show training needs for their employees) and assess and improve productivity
- To comply with legal and regulatory obligations.
Most large employers now will have a Social Media Policy which may include monitoring of employees usage of networking websites (and so on). Many employers will also have an IT and Communications Policy also setting out how employees can use their systems.
The laws that cover the area of monitoring include:
- The Regulation of Investigatory Powers Act 2000 (RIPA)
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP)
- The Data Protection Act 1988 (including the 2003 Code, Monitoring at Work) – Employers must act in accordance with the DPA and its 8 key principles. From 25th May 2018 the General Data Protection Regulations will come into force in the UK, replacing the DPA.
The implied legal obligation of trust and confidence that exists between an employer and employee is also relevant – Employers shouldn’t act without reasonable and proper cause, in a way which is likely to destroy or damage the relationship of mutual trust and confidence between themselves and their employees.
However, The Human Rights Act 1998 also plays an important role here as it gives individuals a right to privacy and the UK’s laws try to recognise that employees may feel that monitoring by their employer at work is intrusive.
Therefore, employers need to find a balance between an employee’s legitimate expectation to privacy and the Employers interests when they monitor their staff, in any way; there also must be a legitimate purpose for the monitoring.
Because of the need for this balance, the current UK laws distinguish between:
- Targeted monitoring (of one individual) and systematic monitoring (where all employees or groups of employees are regularly monitored in the same way)
- Open and covert monitoring
- The monitoring of already-accessed communications and the monitoring or intercepting of un-accessed electronic communications (e.g. telephone calls, faxes, emails and internet access). An ‘interception’ happens when the contents of the communication are made available to someone other than the sender or intended recipient. The sender and recipient of the communication must consent to the interception for this to be lawful. ‘Interceptions’ are highly regulated under the RIPA and LBP laws (above).
All these monitoring types can be lawful.
Therefore when Employers set up monitoring systems they must (to ensure the monitoring is legal):
- Carry out an ‘impact assessment’ to justify the use of CCTV/monitoring – which identifies the purpose behind the monitoring and likely benefits and adverse impacts; look at alternative ways in which the purpose might be achieved; the obligations that will arise from monitoring e.g. notifying employees, managing data, subject access requests (SAR) by staff; whether the decision is justifiable (compared to the adverse effects the employees may experience)
- Tell staff the nature, extent and reason for the monitoring that may take place. Staff don’t lose their right to personal privacy when they walk through their Employer’s doors and this must be balanced with the Employers right to ensure their employees aren’t engaging in misconduct
- Ensure the monitoring is related to the business and the equipment being monitored is partly or wholly provided for work
- Be clear what levels of privacy an employee can or cannot expect when using their employer’s systems to make personal communications and when using restrooms or break areas
- Provide an unrecorded telephone line for employees to use in emergencies if all other telephones are routinely recorded/monitored
- Be clear what levels of email/internet/phone usage by the employee for personal reasons is permitted and what is not
- Provide written policy statements about the monitoring
- Explain how the employer will use the information obtained via monitoring. An employee may be aware that CCTV cameras exist, for example, but this won’t justify an Employer using CCTV footage in a disciplinary process if the employee was never told the footage could be used for that purpose. For example – an employee is entitled to assume the CCTV will be used for security purposes only unless they’re told otherwise
- Ensure those involved in the monitoring are aware of their confidentiality obligations
- Explain how the information will be stored and processed in accordance with the Data Protection Act, and who has access to this information
- Allow employees to voice any concerns they have, in confidence, and ensure they are given the chance to explain or challenge any footage used as part of a disciplinary process.
Generally, monitoring should be carried out by an employer in an open and systematic way only, unless targeted and/or covert monitoring is justified.
Targeted/covert monitoring will usually only be justified in exceptional circumstances, where there are grounds to suspect criminal activity or serious malpractice by the employee in question and the monitoring is necessary to prevent or detect this crime or malpractice, where no other method is feasible.
If this targeted monitoring provides information inadvertently of other malpractice by other workers, this evidence should not be used against those workers unless it is a case of serious gross misconduct. Where the misconduct is minor in nature, use of the ‘secret’ footage to discipline workers will generally not be allowed.
Personal data collected through monitoring must be for legitimate purposes and cannot be used for any other purpose than originally intended.
Surveillance of staff outside of the workplace may also be acceptable if the employer can demonstrate it was ‘justifiable’ (they have credible reasons to suggest an employee is involved in wrongdoing or breaching company policies) and ‘proportionate’ (the employer did not go any further than was necessary in its use of surveillance).
Basically, any monitoring that’s done by the employer must be proportionate to the issue the employer seeks to address.
In advance of the GDPR becoming law on 25th May 2018, the Information Commissioner’s Office have confirmed that cover monitoring of employees can only be justified in exceptional circumstances where informing the employee involved would prejudice the prevention or detection of a crime.
In a 2014 case, Atkinson v Community Gateway Association, the Employment Appeal Tribunal held that the Employer accessing an employee’s emails, in the course of a disciplinary investigation into the employee’s conduct, didn’t amount to an unjustified interference with the employees’ private life – the employee didn’t have a reasonable expectation of privacy in circumstances where he had sent emails from his work account in breach of the e-mail policy (which he himself had drafted and was responsible for enforcing!) and the emails were not marked ‘personal/private’.
The fact that Mr Atkinson had used the email system in breach of the Association’s email policy was discovered as a result of its legitimate investigation into his conduct. Employers should bear in made that staff may have a reasonable expectation of privacy at work if the Employer doesn’t have an ‘Email and Internet Use Policy (or similar) which is made known to all staff.
In early 2018, two important decisions have been given by the European Court of Human Rights (ECHR):
- In Antovic and Mirkovic v Montenegro, the ECHR ruled that it was a breach of two professor’s privacy rights under Human Rights regulations, to install surveillance cameras in student auditoriums (for the said purpose of protecting property and people and also monitor teaching). The ECHR said that ‘private life’ may include professional activities taking place in a public context (the auditorium), and the employer lacked sufficient justification for the monitoring as there was no evidence that property or people were at risk
- In the Spanish case of Lopez Ribalda and Others v Spain, the ECHR found that the use of hidden video cameras in a supermarket to monitor suspected thefts by employees, violated their privacy rights under Article 8 of the European Convention of Human Rights. In 2009, after seeing irregularities between levels of stocks and sales that amounted to 20,000€ over several months, the supermarket installed both visible CCTV cameras throughout the store and also concealed cameras behind their cashiers desks. Five employees were subsequently dismissed, after the surveillance cameras detected them stealing (or by them helping other employees or customers to steal). The employees said their data protection rights and rights to privacy had been breached by the use of covert recordings. The Spanish courts disagreed and said the dismissals were fair as the covert surveillance was justified. The ECHR disagreed and said the Spanish Courts had failed to strike a fair balance between the employees’ right to privacy and the employer’s right to safeguard its business – they hadn’t told staff about the installation of the covert CCTV cameras, and all staff were monitored without time limit. The ECHR felt that the covert surveillance was an intrusion into their private life, as the cashiers couldn’t avoid being filmed as they were required to report to work. The ECHR said that to comply with the data protection legislation the employees must ‘explicitly, precisely and unambiguously’ be informed of the monitoring and the purpose of the monitoring.
If you need help you can contact the Information Commissioner’s Office, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. With the introduction of the GDPR in 25th May 2018, employees will have more rights to transparency in relation to how they are monitored and we will provide more detail nearer the time.
If you are an Employer and need ongoing professional help with any staff/freelance issues then talk to Lesley at The HR Kiosk – a Human Resources Consultancy for small businesses – our fees are low to reflect the pressures on small businesses and you can hire us for as much time as you need.
Please note that the advice given on this website and by our Advisors is guidance only and cannot be taken as an authoritative interpretation of the law. It can also not be seen as specific advice for individual cases. Please also note that there are differences in legislation in Northern Ireland.