Last year, in Barbulescu v Romania, the European Court of Human Rights decided that employers were able to monitor their workers’ emails where there was a good reason for doing so. Now, in a surprising turn of events, that decision has been reversed on appeal.
While employers have a legitimate interest in protecting their businesses and ensuring that their workers are using company time and equipment properly, the Court also recognised that worker’s private lives extend into the workplace. The Court did not rule out the possibility of employers monitoring their workers, but pointed out a few key factors that employers need to consider before they can do so:
- Workers need to be given clear notice in advance of the monitoring of their emails and other communications
- While employers may be able to monitor who a worker is contacting and when (i.e. the 'traffic'), they will need much stronger justification if they look at the actual content of the communication itself
- The employers needs to consider the consequences on the worker of monitoring their communications - will it intrude into their personal lives? Is the monitoring overbearing?
- Employers should have safeguards in place when monitoring communications, and workers should be made aware of these safeguards. This is particularly important where the actual content of communications is being monitored.
In the UK, much of this ground is already covered by the Data Protection Act and existing good practice, but it does underline the importance to employers of making sure that their monitoring of workers is proportionate and justified, and that workers are aware that their communications may be monitored. It is not enough for employers to simply tell their workers that their emails may be monitored - they need to clearly set out:
- When communications may be monitored
- Why communications are being monitored
- How any information taken will be used
- Who the information will be disclosed to
For most companies, this means making sure that this information is included in their IT & Digital Communications Policy, and, in a perfect world, ensuring that their workers have actually read the policy and agreed to it.
This is an actively changing area, particularly with the deadline for compliance with the EU General Data Protection Regulation on 25 May 2018 fast approaching. If you would like to know more, our consultant Stuart Smith, a specialist in data protection and privacy, will be speaking at our HR Club on 12 October 2017. Ask any of our team for details.