The European Court of Human Rights recently ruled that an employer had not breached human rights law when monitoring employee communications. However, UK employers would be wrong to see this as a green light to spy on staff. Emma Vennesson and Huw Beverley-Smith advise employers on policy and practice in a sensitive area of employment law.
Many of the media reports covering the recent decision of the European Court of Human Rights (ECHR) in Barbulescu v Romania have overstated employers’ rights to monitor their employees’ private communications. This article examines the actual scope of the decision, the legal position on monitoring in the UK and the chief challenges that new technology is creating for employers.
The decision in Barbulescu v Romania
Mr Barbulescu, a Romanian national, was employed as an engineer in charge of sales. At his employer’s request, he set up a workplace Yahoo Messenger account to communicate with customers. His employer started disciplinary proceedings against him when it discovered that he had been exchanging personal messages from the Yahoo Messenger account in breach of the employer’s internal policy which strictly prohibited the use of company resources (including computers) for personal use.
Resources on employee email use
When he denied that he had used the Messenger account for personal purposes, his employer provided him with a transcript of his personal communications. He was dismissed for breach of his employer’s policy, which the Romanian national courts found to be lawful.
Mr Barbulescu claimed before the ECHR that the monitoring of his personal communications was a breach of his “right to respect for his private life and family life, his home and correspondence” under the European Convention on Human Rights.
The ECHR considered this right had not been breached. A fair balance had been struck between Mr Barbulescu’s right to private life and correspondence, and his employer’s need to protect its business interests.
The ECHR found that it had not been unreasonable for the employer to monitor Mr Barbulescu’s Messenger activities to ensure that he was carrying out his work during working hours, particularly since the Messenger account had been accessed in the belief that it contained client-related communications. Furthermore, his subsequent denial of any breach of the ban on personal use of company resources had made it necessary for the employer to review the transcripts and to provide them to him as evidence of his breach.
Monitoring employee communications under UK law
The Barbulescu decision does not give employers complete freedom to monitor their employees’ private communications. It simply held that the Romanian court had struck an appropriate balance between two competing interests.
For UK employers, it confirms the current legal position, namely that an employer may monitor its employees’ communications but only where this is done for a legitimate business reason and by means that go no further than necessary.
The decision has no impact on existing UK legislation, including in particular the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000, which provide the framework for monitoring employees’ private communications in the workplace.
Employers should continue to look to the detailed guidance provided by the Information Commissioner’s Office on employee monitoring. They should ensure that their employees are aware that their communications may be monitored and of the circumstances in which this could occur.
Where appropriate, they should also conduct an impact assessment which balances the interests of the employer and the employee’s right to privacy, and ensures that practical safeguards are implemented to limit the extent to which private information (such as personal emails) is monitored and accessed.
One of the key factors that influenced the ECHR’s decision in Barbulescu was that the employer had in place a clear policy prohibiting personal use of all of its resources. However, such general restrictions are not common in the UK, with many employers’ policies allowing employees to use work resources for at least some degree of personal use.
In addition, the concept of “Bring Your Own Device” (BYOD), in which employees can use their own smartphones and tablets for work purposes, is becoming increasingly popular. This is leading to a blurring of the lines between what is work-related and what is personal.
The overriding guidance to deal with such cases is that employers should have in place clear and detailed policies. These will be scrutinised by courts and tribunals, and will often be one of the determining factors in employment proceedings.
In the recent case of Williams v Leeds United FC (2015), the High Court found that a football club’s summary dismissal of its technical director on discovering that he had emailed pornographic images to a female colleague had not been unlawful. It was material that the club had in place an email policy prohibiting such behaviour, even though it had never been provided to the technical director.
Similarly, in Crisp v Apple Retail (UK) Ltd (2011), in which an employee was dismissed for having posted derogatory remarks about technology company Apple on Facebook, it was critical to the employment tribunal’s finding that the dismissal had not been unfair that Apple had a social media policy prohibiting such behaviour.
The policies should set out what is permitted and prohibited in relation to the use of company resources (including desktop computers, telephones, internet, Wi-Fi and mobile devices), as well as personal devices used for work purposes under BYOD policies (typically smartphones and tablets).
Critically, the policies should set out the reasons for, and parameters of, the employer’s monitoring of IT systems and devices used in the workplace. This will help to establish that such monitoring is proportionate.
The employer should also ensure that its employees are fully aware of the policies and provide training. This is in the best interests of both the employer and employee given the risks in loss of the employer’s confidential and proprietary information, in addition to loss of personal data.
This will also give the employer some protection if it needs to discipline or dismiss an employee in connection with the misuse of resources or take steps to safeguard business data, for example by remotely wiping a lost or stolen device, which usually also involves the deletion of an employee’s personal data.
Equally importantly, such policies and accompanying training will educate users on the risks of loss of data and help avoid or mitigate the effect of such data losses. The employer should also ensure that any monitoring, or review of the results of automated monitoring, is carried out by authorised and appropriately trained personnel and that the results are kept secure.
Finally, if personal data collected as part of any monitoring is to be shared with parents or affiliates outside the EU, appropriate safeguards will need to be put in place for the export of such data.