IT chiefs need to keep firms on the right side of e-mail monitoring laws
In June, the Office of the Information Commissioner published Monitoring at Work, the third part of the Employment Practices Data Protection Code. The document provides practical guidance for employers on how to monitor employees in the workplace.
The data protection code recognises that employees have legitimate expectations about how their personal information is handled and that employers need to run their businesses effectively. The aim is to strike a balance between these interests.
The Data Protection Act 1998 places a responsibility on organisations to process any personal information they hold on employees in a fair and proper way. Failure to do so can be a criminal offence.
The code should enable organisations to comply with the Data Protection Act through good practice. Although the code does not have a legal effect, failure to follow it may be used as evidence of a breach of the Data Protection Act.
What is monitoring?
Monitoring means any activity that sets out to collect information about workers, including former and prospective employees, by keeping them under some form of observation, normally to check on performance or conduct.
Examples include routinely or randomly examining website use or e-mails, CCTV monitoring or videoing workers outside work.
Is monitoring lawful?
The code does not prevent monitoring. One of the most important principles is proportionality. Any adverse impact from monitoring must be justified by the benefits to the employer and others.
The employer should conduct an impact assessment to judge whether monitoring is a proportionate response to the problem. The assessment should involve:
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
- Clearly identifying the purpose of monitoring and any likely benefit or adverse impact
- Considering alternatives to monitoring and taking into account any obligations that arise, including the need to notify staff.
What about consent?
The information commissioner said he doubts whether employee consent to the processing of personal data can be "freely given" in an employment context.
However, the code states that employers who can justify monitoring on the basis of an impact assessment will not generally need the consent of individual employees. It also makes clear that employees should be notified as fully as possible about monitoring activities.
The code applies mainly to routine monitoring (such as an electronic system to flag up any sex-related words in e-mails) but also to occasional monitoring.
Employers often use short-term monitoring to respond to a particular problem. For example, a company might hire a private investigator to snoop on employees or install hidden cameras to detect suspected drug dealing in the office.
Under the code, this is called covert monitoring, and it may only take place in exceptional circumstances, such as for the prevention or detection of criminal activity or "equivalent malpractice".
It is even more important to conduct an impact assessment for covert monitoring than for other types of monitoring, and the code also recommends that senior management should be the only people able to authorise it.
What should employers be doing?
- Review the data protection code at www.dataprotection.gov.uk
- Review existing monitoring practices. Issue or amend existing policies or procedures following consultation with employees, if appropriate. Ensure the policies are clearly communicated. The reason for the monitoring needs to be made clear. An IT policy cannot simply state that "inappropriate" e-mails are prohibited; employees need to be told that "inappropriate" includes discriminatory or pornographic content and be made aware of the possible consequences of breaching the policy
- Ensure that those handling the monitoring are aware of the need to conduct impact assessments, especially for covert monitoring
- Consider any other applicable law, for example, the Regulation of Investigatory Powers Act and the Telecommunications (Interception of Communications) (Lawful Business Practices) Regulations.
Victoria Hattam and Charlie Pring are solicitors at City law firm Taylor Wessing