You searched for:
The Cookie Jar

Snooping on employees: the dos and don’ts

Lidia Poczok

The case of Bărbulescu v Romania - 61496/08 [2016] ECHR has caused a stir in the press, but does it change the law in the UK?

In this case Mr Bărbulescu’s employer asked him to open a Yahoo Messenger account for business purposes.  He was subject to a Company policy which forbade any use of computers for personal purposes.  His attention was drawn to this policy and the fact that employee activity was under surveillance after another colleague had been dismissed for personal use of Company resources.  The local Romanian Labour Code which governed employment relationships at the time (2007) provided that an employer has the right to monitor the manner in which their employees completed their professional tasks, but at the same time the employer had a duty to guarantee the confidentiality of an employee’s personal data. The Romanian Criminal Code provided that any unlawful interception or opening of someone else’s communications shall render the perpetrator liable to imprisonment.

Mr Bărbulescu’s Yahoo Messenger account was monitored for a week and he was subsequently informed that records showed he had made personal use of the internet, contrary to his employer’s policy.  He denied this in writing.  When presented with a print-out of his personal messages, he alleged that the employer had breached the Criminal Code in obtaining them. The employer dismissed him for breach of Company policy. He challenged his dismissal as void on the basis that the company’s decision was based on information obtained unlawfully.

The local courts dismissed his complaint.  At first instance the County Court stated that whether or not monitoring his communications during working hours was illegal, it would not affect the validity of the disciplinary proceedings.  Further, monitoring was the only way to check his defence that he hadn’t used the computer for personal purposes at all.  The County Court also added that checking use of the Company’s computers was in the broad scope of the employer’s right to monitor the manner in which an employee completes their professional tasks and the Company’s actions in monitoring him were transparent.

In his appeal Mr Bărbulescu he claimed that monitoring his emails was a breach of Article 8 (right to the protection of intimate, private and family life) of the Convention on Human Rights.  The Bucharest Court of Appeal held that the employer’s conduct was reasonable and the monitoring of his emails was the only way to ascertain whether or not he had complied with the Company policy of no personal use of the internet or computer.

Mr Bărbulescu appealled to the European Court of Human Rights.  The issue before the Court was whether Article 8 protection extended to a prohibition on an employer monitoring an email account for private use when private use was expressly forbidden to ascertain the existence or not of a disciplinary breach.   In this case, the employee was aware of the “no personal use” policy and chose to ignore it.  He then denied he had breached it, resulting in the employer having to delve further into his Yahoo Messenger account to refute his defence.  The employer was not relying on the content of the communication to allege breach, it collated the correspondence only to show there was in fact private communication taking place during working hours and on work machines.  It did not search his computer and access other private documentation stored on it. Accordingly, the ECHR found that the employer had acted proportionately in protecting its business interests and the appropriate balance had been struck between the employee’s right to a private life and the employer’s right to manage its business effectively.

So what’s the position in the UK?

This case does not change the position in the UK. 

In some industries monitoring is common, if not in fact expected, for example in financial services firms.  In most cases, monitoring is either random and to spot check quality and employee compliance, or for a specific purpose, such as detection of employee misconduct or crime. 

Although Article 8 is of course applicable, so too is the Data Protection Act 1998 and associated codes and guidance (DPA), the Regulation of Investigatory Powers Act 2000 (RIPA) and Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000.

At law, the position is that monitoring is not permitted unless there is an objective justification for doing so and any monitoring carried out must be proportionate and legitimate.  Excessive surveillance is likely to be a breach of at least one of these Acts or Regulations and can be a breach of the duty of trust and confidence (amongst other potential employment claims) between employer and employee.  Furthermore, excessive surveillance in an inappropriate context could result in poor employee engagement and affect employee relations.  In any case, most employers have neither the inclination, nor resources to monitor all employees in the manner of “big brother”. 

There is no blanket right to complete privacy in the workplace.  If an employer puts their employees on notice that privacy may be restricted (with reference to specific policies or employer actions), this is generally enough to restrict an employee’s Article 8 rights.  Interestingly, in the dissenting judgment, Judge Pinto de Albuquerque, lamented the ECHR’s missed opportunity to develop case law on the privacy of employees’ internet communications and it seems he views restrictions on access to internet communications (even during working time on an employer’s computer) as akin to fetters on the right to freedom of expression.

Monitoring internet, email and social media use will involve the processing of personal data, and the eight data protection principles dealing with the processing of personal data are engaged.  Specifically, this requires the employer to provide information about the method, type of information and manner of processing of data.  The processing of personal data should be proportionate to the aims for which it was processed and should be subject to appropriate technical and organisational measures which prevent unauthorised or unlawful processing, accidental loss, destruction or damage.  The Employment Practices Code states that simply informing employees that monitoring will take place is not sufficient: employees should be aware of the reason for monitoring; the circumstances in which it takes place; how the information will be used; who it will be disclosed to; and how data will be protected.  It also recommends that an impact assessment is undertaken prior to any monitoring to ensure that any monitoring strikes the right balance between employees’ and the employer’s rights.

This case serves as a useful reminder that monitoring is permissible if carried out for a legitimate reason, proportionately and with employees’ knowledge.  This case concerned instant messaging, because nearly 10 years ago, social media as we know it now was in its infancy (in fact one of the reasons Mr Bărbulescu gave for using the work system was that mobile phones and phone tariff charges were very expensive).  In 2016 employers may have legitimate concerns about cyberslacking by employees’ misuse of social media and reputational damage by inappropriate posts by employees about themselves, others or their employers.  Now is as good a time as any to refresh those social media and email/ computer use policies or to draft them, to make sure that employers stay within the law and that employees are on notice of what is and what is not acceptable behaviour in the workplace.