Reports from the US that a Californian court has dismissed criminal charges against former Hewlett-Packard chairwoman, Patricia Dunn – concerning allegations of unlawful surveillance, including of employees, to discover the source of high-level leaks – will surely revive the debate about the challenge of balancing corporate responsibilities and individual privacy rights.
But why should workers have a right to privacy in the workplace at all? Or why should a business not have a right to intercept all e-mails received and sent from its computers and listen to all telephone calls made from its telephones? The only privacy enjoyed in the workplace should be that which businesses agree to give.
UK legislation including the Data Protection Act 1998, the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 – all consistent with the Human Rights Act 1998 – allow monitoring and screening of workers only for limited purposes, where business need outweighs workers’ legitimate expectations of privacy in the workplace. For example, Part 4 of the Information Commissioner’s Employment Practices Code states that drug and alcohol screening in the workplace “is unlikely to be justified unless it is for health and safety reasons” (see also Whitefield v General Medical Council  IRLR 39, PC).
Generally, workers must consent to monitoring, but even where monitoring or screening is permitted without workers’ consent, businesses must have policies in place, make reasonable efforts to inform workers, conduct impact assessments and only take action proportionate with business needs.
The right to privacy is prejudiced against businesses. But this is a complex area of law and criminal sanctions may await those who get this difficult area of law wrong.
There are obvious weaknesses to a system that allows workers to decide when and for what they may be monitored or screened, and that requires businesses to tell them exactly how, when and where their wrongdoing will be detected.
Businesses are being prevented from collecting valuable information for legitimate business purposes, such as:
- Tracking workers’ use of business information and dealings with clients.
- Assessing performance and conduct for determining benefits (eg, bonuses) or disciplinary action.
- Maintaining an appropriate culture in the workplace (eg, politeness, sobriety, non-smoking).
- Identifying acts for which businesses may be vicariously liable.
- Testing and monitoring behaviour involving potential costs to the business (eg, alcohol/drug use or smoking, causing sickness absence and increased insurance costs).
- Protecting the reputation of the business.
Without a right to privacy, however, workers’ legitimate interests would still be adequately protected if the level of privacy in the workplace were purely a matter for agreement.
Workers unhappy with the level of privacy offered in a contract could reject the terms offered. And protection would still be provided by the express terms of the contract regarding privacy, and by the requirements of fair and accurate recording, processing and disclosing of personal and sensitive personal data under the Data Protection Act.
In the case of employees, protection would also be provided by the implied duty of mutual trust and confidence and by statutory employment rights (eg, unfair dismissal or discrimination regulations).
The privacy myth
Part 3 of the Information Commissioner’s Employment Practices Code states that “it is not always easy to draw a distinction between workplace and private information”. In fact, it could be very easy if we accepted that workers should have no inherent right to privacy in the workplace; if all information dealt with at work, during working hours, using work equipment or affecting the business would be workplace information. And it would be just as easy to identify work-related conduct.
By Dan Peyton, employment partner, Grundberg Mocatta Rakison