This article can also be found in the Premium Editorial Download "Computer Weekly: The problems of legacy IT in banking."
As the gap between the law and how technology and social media are used in the workplace continues to widen, how is it possible for employees and employers to clearly understand what is and what is not acceptable in terms of monitoring?
The quickening pace of technological advancements means that employees now have access to more tools than ever before, such as mobile devices and social media. While the use of these can be beneficial, employers want to ensure that this way of working will not leave them open to unexpected risks. These could include the leaking of confidential information, security issues, privacy concerns and liability for comments or actions of employees.
Employers therefore have entirely legitimate reasons for setting boundaries and acceptable standards of use. It may also be prudent for them to monitor IT systems to find out what their employees are actually doing and how they are performing. While the technology is undoubtedly there to do this (most people would be shocked at what IT teams can see), employers should be aware of the legal implications.
Where to start
As a minimum, employers should initially consider what constitutes appropriate usage of IT systems (for example, who should or should not use social media and for what purpose), whether they have a real need to monitor employees’ use and how they will actually do this (ie should all emails and websites be monitored, or just certain categories checked).
Employers should then consider whether there are less intrusive methods of achieving the same objectives (such as only using random spot checks or automated monitoring systems, as opposed to monitoring all IT usage) and the impact this will have on employees. When weighing this up, employers should contemplate whether their proposed approach is a proportionate way of achieving what they want. They must also record the issues they discuss in writing to evidence this thought process.
Communication is key
The next (and arguably most important) step is to share this information with employees. Practically, employees are much more likely to understand and agree to something if they have been informed about it and the reasons why. It is also much harder for people to legitimately complain later if they knew what they were supposed to do.
More seriously, failure to notify employees that they will be monitored can result in a breach of privacy, mutual trust, confidence and data protection. Employers should prepare a detailed policy confirming why, what and how employees will be monitored. It is also advisable to give employees a copy of the policy and/or provide training to ensure they understand the implications.
Processing the information
The monitoring process is likely to collect information that may identify individuals, which constitutes personal data. Therefore employers must manage and store this information correctly and in accordance with guidance and rules on processing personal data. It would be sensible and arguably more proportionate for employers to minimise the number of people who have access to such information, as well as restrict the duty of monitoring to certain people (for instance HR or management). This will help to avoid a situation where a colleague in the team is viewing personal information about another colleague.
Rights to privacy
With the rise of employees bringing their own devices to work (BYOD), the lines between personal and work life are becoming blurred. Employers need to consider how any proposed monitoring could impact on employees’ privacy. Individuals have a right to respect for their private and family life, home and correspondence (under the Human Rights Act). This means tribunals and courts are increasingly taking this into account when deciding on cases.
While there is no absolute right to privacy, it is a balancing act between the needs of the employees and the employer. A proposal to monitor all emails is therefore likely to raise significant risks in this regard and a less intrusive policy, such as automated monitoring which flags inappropriate emails, is likely to be more effective and fair. While even covert monitoring may be justified in limited circumstances, such as if a criminal offence is suspected, it should not be the default starting point.
Other considerations in relation to monitoring
Employers also need to avoid falling foul of other rules, which regulate the monitoring and interception of specific types of communication. These include the Regulation of Investigatory Powers Act (RIPA) and Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations (Telco Regulations).
In order to lawfully monitor email communications in accordance with these regulations, employers must have the consent of both the sender and recipient to intercept their communications. However, this is likely to be impractical with external communications. The alternative is for employers to ensure that the reasons for monitoring emails fall within one of the specified purposes in the Telco Regulations.
Policy, policy, policy
Strictly speaking, monitoring should be a last resort and only used for good reason. If it is considered necessary, it is essential to clearly inform employees about acceptable use of IT systems and about any monitoring activities.
The most effective way to do this is to put in place a carefully considered policy, which sets standards and cross-refers to other relevant policies, for example disciplinary and anti-harassment policies. In addition, a clause in relation to monitoring of communications and IT use should be included in employees’ contracts of employment.
Leon Deakin is a senior associate at law firm Thomas Eggar
This was first published in March 2014