Keeping tabs on staff can be necessary, but checks must be done in
accordance with legislation, writes Christina Morton
To monitor: ‘to observe, supervise, keep under review, measure or test at
intervals, especially for the purpose of regulation or control’ – Oxford
What is monitoring?
Monitoring is not a legally defined term, but it is used in several pieces
of legislation that govern the type of monitoring activity that employers can
carry out. The term covers any activity that involves watching or checking.
This article will focus on the monitoring of e-mails and telephone calls.
Why might employers monitor employees’ e-mails or telephone calls?
All employers need to feel they can check up on what their workers are doing
from time to time. They may want to:
– Monitor standards of work or performance
– Check that time is being used for work and not personal activities
– Check for compliance with rules, on health and safety, confidentiality or
harassment of co-workers, for example
– Check that employees are not working in competition with the employer or
against the employer’s interests
– Ensure that work can be carried on effectively during the absence of an
employee on holiday or sick leave
To do this effectively, employers may need to:
– Read internal and external e-mails addressed to or sent by employees for
evidence of misconduct or poor performance
– Listen to or record telephone calls made to or from employees for similar
– Listen to an employee’s voicemail messages
– Check telephone numbers used by employees, to identify excessive personal
use or use of premium rate lines.
What restrictions does the law impose on these activities?
The Regulation of Investigatory Powers Act 2000 (Ripa) makes the
interception of telecommunications – including telephone and e-mail – an
offence, unless certain conditions are met – in particular, that the consent of
the monitored individual is obtained first. However, the conditions under which
employers can intercept communications without consent and without breaking the
law, are set out in regulations on lawful business practice, in force since
What do the regulations permit employers to do?
These regulations permit employers to intercept and record communications
without consent for certain purposes. Namely:
– To establish the existence of facts relevant to the business
– To check the business is complying with self-regulatory practices or
– To ensure appropriate quality standards are maintained
– In the interests of national security
– To prevent or detect crime
– To investigate or detect unauthorised use of the telecoms system
– To ensure the effective operation of the telecoms system
These regulations therefore give employers considerable scope to monitor
employees without having to ask for their permission first. Establishing ‘facts
relevant to the business’ is a term broad enough to justify most of the
investigations an employer might need to perform.
Do employers need to do anything else under these regulations?
If employers are going to intercept communications without consent, they
need to make all reasonable efforts to inform their employees that they are
going to do so – although this does not mean that employees have the right to
They should, however, ensure that the contract of employment, staff handbook
or relevant policy or policies contain a clear statement that the employer may
carry out monitoring which involves intercepting phone calls and e-mails,
including those which are ostensibly personal.
Data Protection Act
The Data Protection Act is a far more complex piece of legislation. It
governs the processing of personal data electronically or manually, and
requires ‘processing’ – which is very widely defined – to be carried out in accordance
with eight data protection principles.
These include the requirement that at least one of the ‘conditions for
processing’ must be in place. If any ‘sensitive personal data’ is involved,
which covers matters such as health, sexual life, religious belief or racial or
ethnic origin, there is a further set of conditions to satisfy, and one of
these must also be in place before the processing can be lawfully carried out.
Why is the DPA relevant to monitoring?
Monitoring a telephone communication or e-mail from which an individual can
be identified will count as ‘processing’ personal data, therefore, the DPA
What can employers do to ensure that they comply with the DPA?
The Information Commissioner, who is responsible for enforcing compliance
with the DPA, is in the process of issuing a code of practice, which sets out a
series of benchmarks.
Employers who comply with the benchmarks will supposedly be complying with
the DPA. However, somewhat controversially, some of the guidance has gone beyond
what is needed for compliance, and sets out best practice guidelines instead.
The code is in four parts, but presently, only one on recruitment and
selection has been finalised and published.
The code section which deals with monitoring was published for consultation
until 8 August this year on the Information Commission’s website, which can be
found at www.dataprotection.gov.uk. It contains a section on monitoring
communications, which sets out benchmarks, notes and examples.
Should employers follow the draft code?
The draft code is not in its final form, and employers may be hesitant about
adopting the standards it recommends as they may be revised. However, employers
– Read the current draft of the code
– Follow the recommendation that they have a written policy on the
monitoring of communications
– Use the guide on page 32 in the current draft of the code in deciding what
this policy should cover
Take into account when drafting the policy that the code will generally
expect employers to have a threshold for monitoring communications that are
clearly private, that is much higher than the threshold for monitoring business
Is there any other relevant legislation?
The Human Rights Act directly affects public authority employers and their
employees might argue that monitoring personal communications is a breach of
their right to a private life.
Compliance with Ripa should – and this was certainly the purpose of the Act
– protect employers from successful claims under the HRA.
Private sector employers are not directly affected, but should also be
protected by compliance with Ripa from any indirect effect arising from
tribunals and courts interpreting the general law in accordance with the Human
Christina Morton is a solicitor at Beachcroft Wansbroughs – www.bwlaw.co.uk