Employee monitoring: policy clinic

Most people would agree that phone tapping is unacceptable, so few commentators were surprised when a News of the World journalist, Clive Goodman, and a private investigator, Glenn Mulcaire, were jailed in January for unlawfully hacking into the mobile voicemail messages of staff members working in the Prince of Wales’ household.

Both were convicted under the Regulation of Investigatory Powers Act 2000 (RIPA), which makes it an offence to intercept a communication in the course of its transmission without lawful authority; the consent of both the sender and the intended recipient is one form of lawful authority.

By tapping into these voicemail messages, Goodman was able to write stories detailing Prince William’s knee injury and other matters which could not have come into the public arena without a gross breach of privacy. The pair also broke data protection law, which makes it an offence to knowingly or recklessly obtain or disclose personal information without the consent of the data controller.

So what should employers be aware of if they want to monitor employees lawfully, without falling foul of RIPA, the Data Protection Act 1998 (DPA) or the human rights legislation that governs employees’ right to privacy in the workplace?

Act impact

Employee privacy is affected by the Human Rights Act 1998 (HRA), which gives domestic effect to the right to respect for private life and correspondence under Article 8 of the European Convention on Human Rights and so gives employees a certain degree of privacy in the workplace.

RIPA also affects what employers can and cannot do in relation to employee monitoring, as it makes it a crime to intercept communications in the course of their transmission without lawful authority, such as the consent of both the sender and the intended recipient.

However, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 provide some exceptions where employers can intercept communications in a business context.

The Telecoms Regulations set out a number of purposes for which employers can do this lawfully, such as establishing facts relevant to the business, ensuring compliance with regulatory or self-regulatory practices and business procedures, and preventing or detecting crime. Employers must also make all reasonable efforts to tell everyone who may use their systems that communications may be intercepted. Since the Telecoms Regulations only cover communications relevant to the employer’s business, they do not authorise the monitoring of employees’ personal and private communications; the one limited exception is that an employer may monitor (but not record) communications solely to find out whether they are relevant to the business, for example to check an absent employee’s inbox for customer e-mails.

Employers still need to comply with the DPA in relation to employee data, including data collected through monitoring. Data protection issues have been in the news lately as a result of a crackdown by the Information Commissioner on those who do not comply properly with the DPA.

In May 2006, the Information Commissioner presented a report to Parliament entitled What Price Privacy? which revealed the wide extent of the illegal trade in personal information carried out by many businesses, such as debt collection agencies, newspapers, journalists and private investigators, who obtain and transfer personal information without the consent of the data controllers or individuals concerned.

The Information Commissioner has powers to enforce compliance with the DPA and has recently prosecuted several organisations, including solicitors, accountancy firms and private detectives, that did not comply. Liverpool City Council was one such body that was prosecuted and fined.

As a result of the report’s findings, the Information Commissioner wants illegal trading in personal information to be punishable by a prison sentence of up to two years; at present, offences under the DPA are punishable only by a fine.

Data protection developments

Now, more than ever, employers need to comply with the DPA, since an Information Commissioner who is ‘on the warpath’ is more likely to bring prosecutions.

Employers need to follow the Employment Practices Code issued by the Information Commissioner to stay within the DPA when dealing with employee data, especially where they carry out employee monitoring.

The code states that monitoring must be proportionate: any intrusion into employees’ private lives must be justified by the benefits to the employer. The way to establish this is an ‘impact assessment’, which identifies the purpose of the monitoring and its likely benefits, identifies its likely adverse impact on employees, considers whether a less intrusive alternative would achieve the same purpose, and records whether the monitoring is justified on that basis.

Minimum best practice

  • Ensure you are properly registered on the Register of Data Controllers
  • Have in place comprehensive data protection, e-mail and internet policies
  • Do not give out employee data to any third party without finding out who the third party is, why they want the data and under what authority they can ask for it
  • Before doing any monitoring, identify the purpose of it, the benefits it will bring, do an ‘impact assessment’, inform employees and anyone else who uses your systems of the monitoring, its extent and how it will be done
  • Ask employees to explicitly agree to the monitoring – this can be done by asking employees to sign up to your data protection, e-mail and internet policy (which should include details of the monitoring) at the same time as signing employment contracts. Bear in mind that consent given as a condition of employment is not a substitute for a proper impact assessment and a legitimate business purpose for the monitoring
  • Where people are given access to personal information, they should be subject to confidentiality and security obligations and given training on how to handle the information so that it is not misused or improperly disclosed
  • Be very careful in handling sensitive personal data (for example about a person’s health, sexual orientation, racial or ethnic origin or trade union membership) as the DPA sets out more onerous rules about it

What should a good data protection policy cover?

  • Set out what data you want to collect, how you will collect it, how long you will keep it and what it will be used for
  • Describe how employees can access their own data
  • Set out to which third parties employee data may be disclosed

What should a good e-mail, phone and internet policy cover?

  • Set out clearly the rules and standards for using your facilities and what will happen if these are breached, including any applicable disciplinary action
  • Set out the nature of all monitoring, its extent, the reasons behind it and how it will be done

Mahbuba Chowdhury is assistant solicitor at Matthew Arnold & Baldwin

More information

Clive Goodman sentenced to four months
