Businesses that routinely scrutinise staff behaviour by monitoring e-mails,
recording telephone conversations or planting secret cameras in the workplace
should be aware of a raft of legislation introduced since March 2000 that could
render some of these practices unlawful, and in the worst cases, attract
criminal liability.
The Regulation of Investigatory Powers Act 2000 (discussed in Letter of the
Law 14 November 2000) outlaws an employer’s interception of telephone calls and
e-mails unless the employer is authorised under the Act (or the accompanying
regulations) or where the sender and recipient consent to the interception.
Civil and criminal liabilities can result from a breach of this Act, which
covers all private and public telecommunication systems (and therefore not
surveillance by camera).
Human Rights
The Human Rights Act 1998, which incorporates the European Convention on
Human Rights, gives a "right to respect for private and family life, home
and correspondence". This provision is directly enforceable against public
employers, and will be considered in cases involving private businesses for
unfair dismissal or breach of the implied terms of trust and confidence. Case
law (most notably Halford v UK, 1997, IRLR 471, involving telephone tapping of
a senior female police officer) suggests employees have a reasonable
expectation of privacy in the workplace. Employers should make sure employees
know of, and ideally give their consent to, the monitoring or recording of
correspondence. A sound e-mail, Internet, surveillance and telephone policy
should be established.
Data Protection Act
Evidence collected from the interception of e-mails, telephone calls and
hidden cameras is likely to be "personal data" under the Data
Protection Act. The DPA also gives employees a right to see their personnel
files and any personal data held in a "relevant filing system", which
can include e-mail systems.
"Sensitive personal data" (such as film revealing an individual’s
ethnic origin or medical condition) generally requires the employee’s consent
before being used for any purposes (such as a disciplinary hearing). Film that
identifies individuals but does not contain sensitive personal data should be
used only in accordance with principles laid down in the DPA. Where an
employee’s consent cannot be obtained, the employer can use non-sensitive data
where this is necessary for its legitimate business interests. For example, an
employer may require cameras to enforce health and safety, prevent misconduct
or crime, or protect clients or the public. There is detailed guidance on the
Data Protection Commission’s website on use of CCTV (to which employers should
refer before installing cameras) and on using data and records in employment
relationships generally.
