Privacy in the Workplace?

Audrey Williams
Audrey Williams

Personal relationships at work are often a source of concern and some confusion for employers. Should it be accepted as part of the reality of modern workplaces? Or should employers recognise that such relationships have an impact on the working environment and thus adopt the position that it is legitimate to intervene when it comes to light? This is not so much on the basis of moral indignation but to protect work colleagues, where resentment or worse feelings may arise and the potential risk of a relationship breaking down.

When a relationship is suspected how far can an employer investigate, accessing personal emails for example? Or is there an obligation to respect employees’ privacy?

When things go sour

A recent Appeal Tribunal case shows just how difficult such situations can become and illustrates the balance expected between the right to privacy and legitimate intervention. In Garamukanwa v Solent NHS Trust problems arose after G’s relationship with a staff nurse ended and he began to suspect her of starting a relationship with another member of staff. He sent both of them emails, threatening to inform their manager if they did not and a letter was also sent anonymously to the manager alleging an inappropriate sexual relationship, which was denied.

An unpleasant campaign then began using fake accounts, Facebook and more anonymous emails. The staff nurse complained to the police who investigated the matter but brought no charges.

This then left matters to the Trust to deal with and conduct their own investigation. The police provided the investigating officer in the Trust with photos from G’s mobile, others found at his home, and information including a notebook. G was dismissed for gross misconduct for sending malicious emails, relying on the evidence supplied by the police.

Unfair and invasion of privacy?

In the subsequent claim for unfair dismissal G accused the Trust of breaching his Article 8 right to privacy by relying on issues to do with his private life. The Tribunal was very clear that the circumstances here were impacting on the employment relationship and work matters; that being the case, the Trust was entitled to rely upon the evidence, investigate and address concerns especially given the fact:

• emails were being circulated using work addresses;
• the issues and allegations raised concerned the work environment and relationships; and
• was impacting on other employees.

The EAT agreed rejecting G’s argument that there was a distinction between the police using private emails and the Trust – or that the Trust should have distinguished between the public emails sent to Trust employees and his private information ( the notebook and photographic evidence).

Limits to privacy in work

The EAT reiterated that whilst the material might have been private, it was G who by his actions had brought personal matters and the personal relationship into the workplace. Even though some of the earlier emails to the staff nurse had been sent to her personal email address, because she had raised a complaint about them and G, he could not expect the employer not to address the concerns raised.

The passing of evidence seized from G to the employer is surprising here and an employer would be well advised to treat such information with caution. However, what is clear from this case is that where personal issues and private relationships begin to impact the work environment, privacy rights are likely to come second especially where other individuals are facing consequences.

The writer has experience of many cases where evidence from personal devices and work equipment has been accessed and produced as part of an investigation, and in a range of content (videos, security footage, text messages). This case emphasises the need to weigh carefully the relevance and ability to make use of such evidence, and the personal rights of individuals in the workplace.

Audrey Williams is a Partner in the HR law team at Fox Williams LLP

Amwilliams@foxwilliams.com

Advertisements

Monitoring Employees – A New Outlook

Audrey Williams
Audrey Williams

There has been a lot of commentary on the recent European Court of Human Rights (ECHR) case of Barbulescu. The issue in the case was whether the Employer’s investigation of Mr Barbulescu’s Yahoo Messenger account (which he had opened in order to respond to client enquiries) was in breach of his right to Privacy (Article 8 of the European Convention on Human Rights). See previous article on idatalaw (https://idatalaw.com/2016/01/14/european-court-of-human-rights-echr-finds-that-monitoring-an-employees-internet-use-was-justified/)

Key to the Court’s decision was the company’s internal regulations in that case which stated: “It is strictly forbidden ….to use computers, photocopiers, telephones, telex and fax machines for personal purposes”. Whether this was clearly communicated to Mr Barbulescu appears to have been disputed.

It would be wrong to read this case as giving employer’s carte blanche to monitor employees’ usage of equipment and technology and of much more interest are the observations made by the Court, particularly Judge Pinto de Albuquerque, who disagreed on some aspects with the majority of his fellow judges.

Judge Pinto made this interesting comment about the increasingly blurred division between work and home life…”Strict limits apply to an employer’s surveillance of Internet usage by employees during their worktime and, even more strictly, outside their working hours, be that communication conducted through their own computer facilities or those provided by the employer.” When organisations are encouraging employees to bring their own devices and expect greater accessibility, this becomes even more important. One of the key issues is the need to protect freedom of expression and not just privacy. An employer drafting (or updating) their Email/ Electronic Communication, Internet and Social Media Policy or undertaking related investigations, must bear this in mind. The acid question is why interfering with these rights is necessary for the business?

The blanket ban relied upon in the Barbaluscu case is increasingly impractical – even more so where that policy operates across borders and where, in many European jurisdictions, there are stronger privacy rights than the UK. A more expansive and comprehensive policy is recommended, dealing not just with usage but also rules around monitoring and investigations. These need to address emails, instant messaging, social networking, blogging and web surfing – or in the Court’s words “cyberslacking”.

  • When and why would checks i.e. monitoring and investigations be required in your business?
  • Who is authorised to conduct these?
  • The way in which any investigations are conducted must also be managed carefully. It is essential to balance each individual’s right to privacy against concerns which the business is looking to address:
  • If the concern is the amount of time spent cyberslacking, not much more is needed than to assess the time spent – without needing to access the content of messages;
  • By contrast, if the concern is abusive or offensive emails which are being sent to colleagues, there is no need to access what are clearly personal emails.In the UK the Information Commissioner has issued detailed guidance on such matters (see https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf) and recommends that before conducting any monitoring or investigation, an impact assessment is conducted; the Code also sets out some core principles:
  • In Barbalescu there was some criticism about the investigation into emails sent to the employee’s fiancé and brother but the employer was given credit for basing the decision on the evidence of use of the system for personal purposes during working hours, rather than on the content of the communications and had analysed usage over a short period, limiting the intrusion.
  • Workers have legitimate expectations that they can keep their personal lives private and are entitled to a degree of privacy in the work environment
  • It will usually be intrusive to monitor your workers
  • Employers who wish to monitor should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by real benefits that will be delivered.
  • Workers should be made aware of the nature, extent and reasons for any monitoring,
  • Covert monitoring is justified only in exceptional cases.
  • Workers’ awareness and giving warnings about monitoring will influence their expectations.

Those undertaking the monitoring/investigation must be aware of the employer’s responsibilities under the Data Protection Act 1998 and rights to privacy attached to these provisions, particularly around personal and sensitive personal data.
Audrey Williams is a partner in the HR team at City law firm Fox Williams LLP and can be contacted at Amwilliams@foxwilliams.com

EU and US agree in principle on Safe Harbor 2.0: “EU-US Privacy Shield”

Nigel Miller
Nigel Miller

A couple of days after expiry of the 31 January deadline, political agreement has been reached for a new arrangement for data transfers from the EU to the US, to be known as the “EU-US Privacy Shield” (aka Safe Harbor 2.0).

This follows the European Court of Justice decision in October 2015 in the Schrems case that the (old) Safe Harbour arrangement was invalid.

The new arrangement will provide stronger obligations on US companies to protect the personal data of Europeans and stronger monitoring and enforcement by the US FTC.

To facilitate the data flows, the US has been forced for the first time to give a commitment that access by US public authorities to the personal data of EU citizens will be subject to clear conditions, limitations and oversight.  The US has also given an assurance that it will not conduct mass or indiscriminate surveillance of Europeans.

US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the FTC.

It is very common for EU based subsidiaries of US groups to transfer HR data to the US parent.  Under the EU-US Privacy Shield any US company handling HR data from Europe will have to commit to comply with decisions by European DPAs.

In addition, Europeans who consider that their data has been misused will be able to raise any enquiry or complaint with a dedicated new Ombudsperson.

Comment

While it is remarkable to reach agreement on such matters within such a short space of time, underlining the political urgency, it’s not all done yet. The EU have to prepare a draft “adequacy decision” in the coming weeks. And the US have to put in place the new monitoring mechanisms and new Ombudsman. We continue to watch the space!

Meanwhile, bear in mind that Safe Harbor / the EU-US Privacy Shield is not the only solution to data transfers from the EU to the US and we continue to work with many companies to put in place other solutions, such as contracts based on model clauses or binding corporate rules.

 

European Court of Human Rights (ECHR) finds that monitoring an employee’s Internet use was justified

Nigel Miller
Nigel Miller

Can an employer, who is considering disciplinary action against an employee, monitor the employee’s email and internet activity (e.g. to find evidence or check if the disciplinary action is needed)?  Or would that monitoring be unlawful under Article 8 of the European Convention on Human Rights (right to respect for private and family life, the home and correspondence)?

Bogdan Mihai Bărbulescu is a Romanian living in Bucharest. He was employed as an engineer in charge of sales. At his employer’s request, he created a Yahoo Messenger account to respond to clients’ enquiries. On 13 July 2007 he was informed by his employer that his Yahoo Messenger account had been monitored and that the records showed he had used the account for personal purposes.

Mr Bărbulescu replied that he had only used the service for professional purposes. He was then presented with a transcript of messages he had exchanged with his brother and his fiancée relating to personal matters such as his health and sex life.

On 1 August 2007 the employer terminated Mr Bărbulescu’s employment contract for breach of the company’s internal regulations that prohibited the use of company resources for personal purposes.

Mr Bărbulescu challenged his employer’s decision before the courts complaining that the decision to terminate his contract was invalid as his employer had violated his right to correspondence in accessing his communications.

His complaint was dismissed on the grounds that the employer had complied with the dismissal proceedings provided for by the local Labour Code and that Mr Bărbulescu had been duly informed of the company’s regulations.

Mr Bărbulescu appealed to the ECHR claiming that e-mails were protected by Article 8 (right to respect for private and family life, the home and correspondence).

The ECHR did not find it unreasonable that an employer would want to verify that employees were completing their professional tasks during working hours.  The monitoring of Mr Bărbulescu’s communications had been the only method of establishing whether there had been a disciplinary breach.

The ECHR decision confirms that employers do have the right to monitor employee internet use and communications. However, an important element of the case was that the employer had an internal regulation that prohibited the use of company resources for personal purposes, which the employee had breached leaving himself open to disciplinary action.

The key point for employers is that, if they wish to be able to monitor employee internet use and communications, it is important that employees are made aware that this may happen so as to ensure that employees do not have any expectation that their internet use and communications are private.  This is usually communicated in a Policy on internet use, which sets out guidelines on what employees can and cannot do on-line and gives the right to the employer to monitor this for compliance and take disciplinary action as needed.

It is also important that employers use this right proportionately and only so far as necessary to verify compliance with the policy, and not for indiscriminate monitoring of private communications.

CASE OF BĂRBULESCU v. ROMANIA (Application no. 61496/08) 12 January 2016

Beware the perils of allowing employees to “bring your own device” (“BYOD”)

Helen Farr
Helen Farr

It is no surprise that many employees now want to use their own personal mobile devices at work rather than their employers’ equipment.  There are clear benefits to employees and the business in which they work if a decision is taken to allow employees to do so.

It is an easy way to improve employee morale and job satisfaction by allowing increased flexibility and efficiency in working practices.  It also reduces business costs because employees invest in IT!

But allowing BYOD is not risk free.  Businesses need advice on how to implement the right policies and procedures which, if not correctly dealt with, are capable of having a serious impact on the business.

A key characteristic of BYOD is that personal and business data are stored on the same device. This raises potential risks under the Data Protection Act for the business as the controller of the personal data.  The employer cannot avoid its legal obligations under the Act because the personal data is not being stored on its systems.

What steps can business take to mitigate against these risks?

First, businesses should implement security measures to prevent unauthorized or unlawful access to the data.  As a minimum, users must use a strong password to protect business data.  Ideally, access to devices should be locked and data automatically deleted if an incorrect password is used too many times.  The business should ensure that its employees understand what business data can and cannot be stored on a personal device.

Second, the business must be mindful of the personal usage of the device. Therefore, employees’ own personal data, including details of their personal lives, could inadvertently end up on company systems, the result of backup policies or misfiling.

Third, protecting data in the event of loss or theft is a key consideration.  Data is only as secure as the security measures in place on that device.  Most personal devices are not encrypted and so easy for any person with physical access to the device to access the information stored on it. Many personal devices store copies of data in consumer cloud services such as Apple’s iCloud or Microsoft’s OneDrive (formerly SkyDrive) automatically.  Such data is then only as secure as the employee’s password for those services.

Fourth, require employees to submit their devices to security configuration by the IT team, or to use a product to enforce separation of business and personal data on the device. However, it is important to obtain employees’ consent before deploying these measures.

Fifth, ensure that if employees’ leave, the business is able to maintain confidentiality by ensuring that business information can be wiped from the employees’ systems quickly and effectively.  Registering with a locate and wipe facility is one way to do this.

How best to protect your business?

The most effective way to address these issues is to introduce a well drafted, clear and up to date BYOD policy that is effectively communicated to employees. Involve IT, HR and legal professionals when drafting any policy to ensure all relevant issues are covered. Employment contracts should also be reviewed.

If your business does not already have a policy dealing with these issues, a good New Year’s resolution is to take steps to put a policy in place.