There has been a lot of commentary on the recent European Court of Human Rights (ECHR) case of Barbulescu. The issue in the case was whether the Employer’s investigation of Mr Barbulescu’s Yahoo Messenger account (which he had opened in order to respond to client enquiries) was in breach of his right to Privacy (Article 8 of the European Convention on Human Rights). See previous article on idatalaw (https://idatalaw.com/2016/01/14/european-court-of-human-rights-echr-finds-that-monitoring-an-employees-internet-use-was-justified/)
Key to the Court’s decision was the company’s internal regulations in that case which stated: “It is strictly forbidden ….to use computers, photocopiers, telephones, telex and fax machines for personal purposes”. Whether this was clearly communicated to Mr Barbulescu appears to have been disputed.
It would be wrong to read this case as giving employer’s carte blanche to monitor employees’ usage of equipment and technology and of much more interest are the observations made by the Court, particularly Judge Pinto de Albuquerque, who disagreed on some aspects with the majority of his fellow judges.
Judge Pinto made this interesting comment about the increasingly blurred division between work and home life…”Strict limits apply to an employer’s surveillance of Internet usage by employees during their worktime and, even more strictly, outside their working hours, be that communication conducted through their own computer facilities or those provided by the employer.” When organisations are encouraging employees to bring their own devices and expect greater accessibility, this becomes even more important. One of the key issues is the need to protect freedom of expression and not just privacy. An employer drafting (or updating) their Email/ Electronic Communication, Internet and Social Media Policy or undertaking related investigations, must bear this in mind. The acid question is why interfering with these rights is necessary for the business?
The blanket ban relied upon in the Barbaluscu case is increasingly impractical – even more so where that policy operates across borders and where, in many European jurisdictions, there are stronger privacy rights than the UK. A more expansive and comprehensive policy is recommended, dealing not just with usage but also rules around monitoring and investigations. These need to address emails, instant messaging, social networking, blogging and web surfing – or in the Court’s words “cyberslacking”.
- When and why would checks i.e. monitoring and investigations be required in your business?
- Who is authorised to conduct these?
- The way in which any investigations are conducted must also be managed carefully. It is essential to balance each individual’s right to privacy against concerns which the business is looking to address:
- If the concern is the amount of time spent cyberslacking, not much more is needed than to assess the time spent – without needing to access the content of messages;
- By contrast, if the concern is abusive or offensive emails which are being sent to colleagues, there is no need to access what are clearly personal emails.In the UK the Information Commissioner has issued detailed guidance on such matters (see https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf) and recommends that before conducting any monitoring or investigation, an impact assessment is conducted; the Code also sets out some core principles:
- In Barbalescu there was some criticism about the investigation into emails sent to the employee’s fiancé and brother but the employer was given credit for basing the decision on the evidence of use of the system for personal purposes during working hours, rather than on the content of the communications and had analysed usage over a short period, limiting the intrusion.
- Workers have legitimate expectations that they can keep their personal lives private and are entitled to a degree of privacy in the work environment
- It will usually be intrusive to monitor your workers
- Employers who wish to monitor should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by real benefits that will be delivered.
- Workers should be made aware of the nature, extent and reasons for any monitoring,
- Covert monitoring is justified only in exceptional cases.
- Workers’ awareness and giving warnings about monitoring will influence their expectations.
Those undertaking the monitoring/investigation must be aware of the employer’s responsibilities under the Data Protection Act 1998 and rights to privacy attached to these provisions, particularly around personal and sensitive personal data.
Audrey Williams is a partner in the HR team at City law firm Fox Williams LLP and can be contacted at Amwilliams@foxwilliams.com