Mark Mansell and Lucy Baldwinson from law firm Allen & Overy outline
what you need to do to comply with the monitoring code
The monitoring section of the Data Protection Code was released by
Information Commissioner Richard Thomas last week. What do you need to do to
Employers must take steps to comply with this Code if they carry out any
workplace monitoring that goes beyond one individual simply watching another.
If monitoring involves manual recording or automated processing of personal
information it must be carried out fairly and lawfully. There is no single
definition of monitoring, but it can include activities such as taping phone
calls for training purposes, or checking workers’ e-mails and internet use for
access to pornography.
As an immediate response to the Code, employers should do a quick audit of
their monitoring activities. They should then conduct an impact assessment to
establish whether their monitoring is lawful in terms of data protection
compliance. This assessment involves the following steps:
– Identify the purpose(s) of monitoring and the benefits it is likely to
– Identify any likely adverse impact
– Consider alternatives to monitoring or less intrusive ways it could be
– Take into account obligations arising from monitoring, such as notifying
staff about monitoring arrangements, keeping the gathered information secure,
and the implications of individuals’ rights to accessing collected information
– Judge whether monitoring is justified
Employers should also double-check that staff are aware of the nature,
extent and reasons for monitoring, unless covert monitoring can be justified.
The general approach under the Code is that employers can carry out
workplace monitoring provided the right balance is struck between the legitimate
expectations of staff and the interests of employers.
How do you go about managing compliance on a long-term basis?
The nature and size of the organisation will influence what is reasonable to
expect of the systems employers put in place to manage data protection
compliance. The new Data Protection Code’s recommendations include the
– Designate one person to take responsibility for ensuring employment
policies and procedures comply with data protection legislation
– Carry out a personal data audit to highlight any gaps in data protection
compliance that need to be remedied
– Ensure line managers and staff are made aware of their data protection
responsibilities and potential liabilities through guidance notes and training
– Check the firm has a valid and up-to-date notification in the Information
Commissioner’s register of data controllers
– Consult workers and/or staff representatives, where appropriate, over the
development of employment practices and policies that involve processing
personal information about workers
– Conduct an impact assessment to ensure all monitoring activities are fair
We often record our workers’ phone calls for training purposes. Can we
continue to do this under the Code?
Yes, but certain conditions must be satisfied. Recording staff telephone
calls (as well as intercepting e-mails, in the course of transmission) is
subject to the Regulatory of Investigatory Powers Act 2000 (RIP) and the Lawful
Business Practice Regulations (LBP Regulations), as well as data protection
legislation. Provided the call is being monitored for training purposes and
workers have been notified in advance, recording will be allowed under RIP and
the LBP Regulations.
For the purposes of data protection, the Code recommends carrying out an
impact assessment to determine whether the benefits justify the adverse impact.
If so, inform workers about the nature and extent of monitoring. In addition,
the Code requires those making calls to/receiving calls from workers to be informed
of any monitoring and its purpose, unless this is obvious. This could be done
by a recorded message, or by staff telling callers that their conversations may
Can we read workers’ e-mails when they are away to make sure that
business-related issues are not left to languish unattended?
Yes, but the Code advises that if it is necessary to check e-mail accounts
in a worker’s absence, make sure they know this will happen. Where practicable,
the Code recommends that those sending e-mails to staff are also made aware of
any monitoring and the purpose behind it.
The employer is advised to encourage the use of a marking system to help
protect private or personal communications. Where possible, monitoring should
be confined to the address or ‘subject’ of an e-mail. The Code requires
employers to avoid opening e-mails, particularly those that are clearly private
or personal, unless there is a valid and defined reason to examine the content.
We would like to monitor internet use as there have been several
instances of staff downloading pornography. Can we do this?
Yes, the Code does permit the monitoring of internet access. However, it
recommends carrying out an impact assessment to ensure the benefits are not
outweighed by any adverse impact. It also requires staff to be informed of the
nature and extent of all internet monitoring, as well as the extent to which
information about internet use is retained and for how long.
Generally, it is advisable to set out explicitly in a policy document what
is permitted use and abuse of an employer’s internet and communications
facilities. The Code gives guidance on the basic contents that should be
included in a communications policy.
There is a suspicion that some staff are buying and selling drugs in the
toilets. Can we install a secret camera to catch them? What happens if we
notice some other misconduct in the course of filming?
According to the Code, covert monitoring should only be used in exceptional
circumstances, such as where there are grounds for suspecting criminal or
equivalent malpractice. It must be strictly targeted at obtaining evidence
within a set timeframe, and should normally be authorised by senior management.
Covert monitoring in private places, such as toilets or a private office, is
even more restrictive under the Code, as it requires this should be confined to
cases of suspicion of serious crime, where there is also an intention to
involve the police. A suspicion of drug dealing is likely to equate to
suspicion of a serious crime.
Any other information collected in the course of covert monitoring should be
disregarded according to the Code, unless it reveals information that no
reasonable employer could be expected to ignore – for example where it concerns
other criminal activity or equivalent malpractice.
Can we obtain workers’ consent to all forms of monitoring with or without
their prior knowledge?
The Code is moving away from using consent as a means of justifying
monitoring. This reflects the European approach which stipulates that consent
must be ‘freely given’. The Code recognises this may not always be the case in
the employment context, and consent can be withdrawn at any time.
Accordingly, it may be safer for employers to ensure that their monitoring
activities can be justified on the basis of an impact assessment – in which
case consent is generally not needed to monitor staff.
What happens if an employer’s activities don’t comply with the Code?
The Code sets out the Information Commissioner’s recommendations as to how the
legal requirements of the DPA 1998 can be satisfied. However, there may be
alternative ways of meeting these obligations that are not contained in the
Code. Non-compliance does not mean automatic non-compliance with the DPA 1998.
Only breaches of the DPA 1998 will trigger enforcement action.
However, if the employer does not take any steps towards data protection
compliance, there is a strong likelihood that it will be breaking the law.