Snooping on your staff? Make sure you know the rules

By James Willis, Head of Employment at stevensdrake

The extent to which you can (or should) be monitoring your staff when they are at work is a matter of ongoing debate.  More specifically, can you look at your employees’ internet history, emails and other electronic communications without getting yourself into trouble?  A recent Romanian case that found its way to the Grand Chamber of the European Court of Human Rights (ECHR) provides us with a good excuse to have a fresh look at this issue.

 

Bogdan Barbulescu’s ‘Beef’

In the course of his employment, Mr Barbulescu (Mr B) was required to set up a Yahoo Messenger account in order to communicate with his employer’s customers.  The account was meant to be used for business purposes only.  Indeed, the company had a strict rule that required employees to refrain from any personal use of its IT systems.

Problems arose when Mr B’s employer monitored his usage of the Yahoo Messenger account and found that he had been sending personal as well as business messages, some of which were to his fiancée.  His employer confronted Mr B with the allegations and ultimately dismissed him for breaking its internal disciplinary rules.  Mr B’s claims before a Romanian court were unsuccessful, so he ended up in front of the ECHR, arguing that his human rights had been breached; more specifically, he relied on his right to respect for his private life and his correspondence.

 

What did the Court say?

By a majority, the 17 (yes 17!) judges who heard this case concluded that Mr B’s human rights had been breached.  The court took particular note of the fact that Mr B had not been properly notified of the likely monitoring of his messenger usage.  He was not made aware of either the nature or the extent of any such monitoring.  The ECHR also noted a lack of justification for the level of monitoring used by the employer.  No apparent assessment was made of whether there was a less intrusive form of monitoring that might have achieved the same objective.  

 

What does this mean for employers here in the UK?

In some respects, this decision doesn’t change very much.  Few cases of this nature are likely to be argued on the basis of an alleged breach of human rights.  However, the case is a timely reminder of the general obligation imposed on employers under other laws, such as the Data Protection Act 1998.  In this regard, it is well worth looking at The Employment Practices Code, which is published by the Information Commissioner.  Here’s a link that will take you to it:  https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf 

Part 3 of the Code deals with monitoring staff in the workplace.  It is fairly easy to read and provides some very helpful guidance.  In summary, the Code says that you should only monitor your employees’ use of IT systems if they know what you are up to.  You should keep monitoring to a minimum and be clear as to the reasons why you are doing it.

Bearing the above in mind, before you start interrogating your employees’ email archives, it is essential to check that your policies give you the right to monitor them in this way.  Without clear policies, your capacity safely to monitor your employees may be significantly curtailed.

 

What else should you be doing to protect yourself?

Once you know what (if anything) your policies say on this subject, you should:-

  • update your policies (if necessary) in order to make staff aware of your right to monitor them;
  • make sure your policies are also clear on the extent to which employees can use your systems for personal purposes (if at all);
  • consider using a ‘pop-up’ message, to remind staff of your right to monitor their usage of your systems each time they log in;
  • consider requiring your staff to ‘consent’ to you monitoring their activities in your employment contracts; and
  • if you find yourself wanting (or needing) to ‘snoop’ on your employees, consider taking legal advice first.