are concerned that new rules governing the monitoring of employees’ e-mail and
internet usage will prove bureaucratic and protect staff at the company’s
expense, writes Paul Nelson
Employers will find it much harder to monitor staff for abuse of internal
e-mail systems and suspected criminal activity if proposed guidelines from the
Information Commission are introduced.
That is the view of employers’ bodies and employment law experts who are
concerned that the final draft of the Data Protection Code on monitoring places
too much emphasis on protecting staff data at the expense of employers’ right
In its present form the code will mean that employers can only monitor staff
covertly if they suspect criminal activity, and they must then inform the
They will also have to complete a document explaining why they suspect
criminal activity and why covert monitoring is necessary to detect it.
The Information Commission held a meeting last week with employers to
discuss the final content of the code, which will outline employers’
responsibilities relating to all aspects of employee monitoring under the Data
Diane Sinclair, lead adviser on public policy at the CIPD, who attended the
meeting, has urged the commission to make changes to the draft.
She said: "The code does not allow employers to look after their own
interests. Its length and complexity means there is a risk of
She thinks it is overkill that it should be necessary for employers to
inform the police every time they want to monitor staff covertly.
"Harassment is not a criminal offence, so if an employer receives a
harassment complaint they are unable to covertly monitor for it," said
Frances Wright, HR director at SHL, is also unhappy that as the code stands
covert monitoring of staff will be a heavily bureaucratic process.
"It should not be compulsory to get the police involved in all
cases," she said.
Under the draft code employers will have to inform their staff
‘periodically’ when they are monitoring them.
Employees will also have to indicate that they understand the company’s
internet and e-mail policies each time they go online.
The CBI believes significant changes need to be made to the draft if the
code is to be relevant and useful for employers.
Susannah Haan, legal adviser at the CBI, who attended last week’s meeting on
the monitoring code, said it would unfairly penalise the employer.
"In its current form it is very bureaucratic and lacks balance. It
would affect companies’ ability to run their business," she said.
"It (the Information Commission) regards monitoring as negative and
does not look at the positive aspects such as protecting employees, customers
and the business."
Haan believes the requirement for staff to have to sign up to a company’s
internet policy every time they log on is unnecessary. "I am sure staff
will get annoyed having to sign up every time they have to log on. It is not
practical and will end up being ignored."
Martin Rooney, HR policy manager at CIS, agreed. He said: "This seems
like routine for routine sake.
"Instead it would probably be better to e-mail staff every six months
reminding them that they have an obligation to familiarise themselves with the
conditions of use.
"This way staff are more likely to take notice than if it is part of
the booting-up procedure."
When will the code be released?
The code on monitoring is due to be published over the next few
Its first chapter on recruitment and selection was published
last month and the section dealing with records could be out as early as next
Once all copies are released a hard copy version will be
Can organisations be prosecuted if
they breach the code and Data Protection Act?
The commission will investigate a company for non-compliance if
a staff member complains. If the company is in breach of the Act, the
commission will ask it to review its policies. If no action is taken the
commissioner has the power to issue an enforcement act and as a last resort the
firm can be taken to a criminal court.
The details to remember:
– Employers will have to complete a
form to justify covert monitoring of staff outlining why they suspect criminal
– Police need to be informed before covert monitoring of staff
– Staff will have to sign up to an access code and agree to a
firm’s online policies before logging on
– Employers must inform staff ‘periodically’ that they are
The legal perspective
"Employers cannot monitor
e-mails in a continuous fashion unless the law is being broken and the police
are informed. Instead, employers are only allowed to spot check and cannot
touch personal e-mails. This means employees are able to pass company secrets
via e-mail by signposting them as personal.
"An employer would want to monitor staff continuously if
they are off sick and claiming sick pay and they suspect there is nothing wrong
with them. But under the draft code they will not have the right to do this, as
being off work claiming sick pay while healthy is not against the law.
"I believe that employers will think that the code is
unworkable as they are not allowed to look after their own interests. After
all, employees attend work to work.
"Having to contact the police and write a report to prove
that the monitoring of an employee is not unlawful will be an administrative
burden. It could also mean that employers miss a key opportunity to catch the
Nick Chronias, employment associate at law firm Beachcroft
"One criticism is that employers
will be obliged to inform employees whenever they are considering monitoring,
negating the purpose. The notes to the draft, however, say employers could
inform employees ‘through staff handbooks’ or ‘signage’.
"Covert monitoring can only be considered if specific
criminal activity has been identified because it is non-consensual and
potentially intrusive. The notes again state that it is appropriate to inform
the police, ‘although they do not have to sanction or take part in the
monitoring’. Workers are entitled to general information, but nothing that
might compromise the operation.
"Of particular concern is the requirement that both
parties to communication must give their consent before interception. Policing
external e-mails would be especially difficult. The code also fails to explain
properly its relationship with the Regulation of Investigatory Powers Act 2000
and other legislation. The regulations make monitoring lawful where the
activity is justified for business reasons, but the code implies that
monitoring is only justifiable where there is significant risk to the employer."
Warren Wayne, partner of Boodle Hatfield