In order to maintain health and safety, keep premises secure and account for employee conduct, an employer may wish to monitor their employees’ activities. This may include communication monitoring (such as emails and websites), searches of personal property and monitoring work premises with CCTV. Such practices inevitably entail privacy issues for employees. It is therefore important that, in the first instance, employees are fully informed of all monitoring practices they are agreeing to be subject to when working. Secondly, employers must endeavour to keep all collected data secure and confidential.
The Law on employee data and monitoring
Employee monitoring and surveillance in the UK is governed in three ways:
- by primary legislation;
- by the Information Commissioner’s Office (ICO); and
- by codes and regulations produced by the ICO.
The Regulation of Investigatory Powers Act 2000 makes it unlawful for an employer to intercept employee communications, including email, unless express or implied consent is given. The Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 provides for where monitoring is permissible despite a lack of employee consent. This includes regulatory compliance and prevention of crime. Employers are permitted to monitor, but without recording, employee communications to determine whether they are within the business’ remit. Generally speaking, monitoring without consent can only be done pursuant to an investigation and can only last for the duration of that investigation.
Where an employer is monitoring use of personal items, such as mobile phones or internet use, employees must be informed that they are being monitored and what constitutes reasonable use in the workplace. If an employer installs CCTV, there must be clear and visible signage that indicates the purpose for which the apparatus is installed. Footage obtained through operation of a CCTV network cannot be used for a purpose different to that stated by the employer.
Where employees’ personal data is concerned, the Data Protection Act 1998 provides governing principles for the handling of data, including that the personal data should be:
- processed in a fair and lawful manner;
- obtained for a lawful purpose; and
- accurate, relevant and not excessive.
Data should only be kept so long as is necessary, and employers should routinely identify when data should be disposed of. The UK’s Information Commissioner has created an Employment Practices Code, which is intended to supplement the Data Protection Act.
Employees’ right to information and Subject Access Requests
The Data Protection Act 1998 gives employees the right to obtain details regarding information on them held by their employer, the reasons for the information being held and to whom the employer might share the information. An employee can exercise this right through a Subject Access Request, consisting of a written request accompanied by a fee. The employer has 40 calendar days to respond to the request.
The Human Rights Act 1998 and Article 8 of the European Convention on Human Rights
Article 8 of the European Convention on Human Rights provides that “everyone has the right to respect for his private and family life, his home and his correspondence”. This provision is incorporated into UK domestic law by the Human Rights Act 1998, meaning employees can claim a violation of their Convention rights before the employment tribunal.
The European Court of Human Rights has interpreted Article 8 of the Convention to require employers to disclose information technology policies. The Court also extended protection to personal emails and messages sent from the workplace to external recipients, and held that employers had to give explicit warnings to staff if internet use was to be monitored. The rulings can be used as a basis to challenge employers’ conduct in courts in the UK.
Who is protected?
It is not just employees who are protected by the UK’s legislative framework. An individual who applies for a position but is ultimately unsuccessful, self-employed individuals, interns and volunteers fall within the remit of the Data Protection Act 1998.
Transfer of businesses and employers
Where employees are transferred with the ownership of a business under the Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE”), the selling company must provide to the buyer Employee Liability Information (“ELI”) before the transfer is complete. ELI encompasses employees’ personal details, their contracts and details of any workplace disputes within the previous two years. The exchange of such information is permitted by statute, but must fall strictly within these categories.
The provisions of the Data Protection Act 1998 are enforced by the ICO. An employee can lodge a complaint and prompt an investigation into their employer’s conduct. ICO has extensive powers to search employer’s premises, and can impose fines of up to £500,000.
Where a company uses personal information for anything other than “core business purposes”, they must notify this to the ICO. Failure to notify when required may result in criminal prosecution. As the notification criteria are complex, it is highly advisable to seek advice at the outset of a business undertaking.
Claims under the Human Rights Act 1998
An individual who claims they are victim of a violation of their Convention rights can go to court and obtain monetary damages as “just satisfaction”.
It is advisable for employers to appoint a Data Officer/Manager to ensure business operations are compliant with the legislative framework and Convention rights.
Employment Law - Information on Fees
For information on fees and funding relating to Employment Law cases, please see our information page.
Contact our Employee Data and Monitoring Solicitors London, Mayfair
If an employer is found to have unlawfully monitored their employees or retained data in breach of the Data Protection Act, they may be subject to fines and caught up in expensive and time-consuming litigation. In some cases, improper use of information and failure to notify ICO can result in criminal prosecution.
At Lewis Nedas, our Employment Law Solicitors have over 25 years’ experience assisting national and international companies. Our Employment Lawyers have joined the Office Essential Network, which is a specialist organisation aimed at assisting young start-up businesses requiring advice on employment issues and contracts.