Watch out for new rules on surveillance at work

Employers need to protect e-mail systems from abuse, but they also have to ensure they stay strictly within the law when it comes to checking up on their staff

The new Data Protection Act 1998 and Code of Practice for users of CCTV further protect employees’ rights regarding surveillance in the workplace.

Employers may be held liable for illegal acts authored or processed through their e-mail system. This could include acts of defamation, downloading of pornography, copyright infringement and so on. It will not always be a defence for the company to claim that it did not know the material was being processed.

Employers may also be liable for business e-mails sent out by employees in the company’s name. Employers therefore need a clear e-mail policy outlining to employees their obligations to the company when using e-mail, both for company business and their own private purposes.

E-mails which identify living individuals are subject to the Act. The policy should clarify the need to ensure that e-mails are accurate, secure, relevant and not stored for longer than necessary.

Monitoring employees’ use of e-mail is likely to involve processing of their personal data. Employers must inform staff that their e-mail use may be monitored, the purpose for which the data is being collected and who will have access to it. This should be set out in employment contracts as well as the e-mail policy.

Employees have the right to object to such monitoring if it is causing, or is likely to cause, substantial and unwarranted distress to them or another person. The employer must then justify the monitoring.

Covert monitoring or interception of e-mail, unless for the prevention or detection of crime, will breach the Act. Employees may make “subject access requests” in respect of e-mails containing their personal data, and employers must have procedures to comply with such requests.

Images and sounds captured on CCTV can amount to “personal data” under the Act if an individual can be identified. Employers should also be aware of a new code of practice for users of CCTV in public access areas.

The code states that cameras should be sited where their presence is clearly visible, with signs setting out the purpose of the scheme and details of the operator. The employer must be able to justify the public surveillance.

Although the code does not apply to surveillance of private access areas (and is subject to a further code to be issued shortly on monitoring employment contracts), nonetheless the Act’s fundamental principles need to be considered and the processing must be “fair and lawful”. Staff should be told they will be monitored, and employers will need to consider if they can justify the processing for their legitimate interests.

Covert monitoring will only be allowed for the prevention or detection of crime. This will not include routine security. Camera locations must not invade privacy. For example, cameras sited in staff toilet facilities or locker rooms would be invasive.

Cameras must be routinely maintained and images captured by CCTV must be accurate, of good quality, safely stored and subject to restricted access.

Images should not be kept for longer than needed and employees can make “subject access requests” to see footage of their images.

Linda Farrell is a partner of Bristows in London, e-mail: linda.farrell@bristows.com