Employee monitoring is often used in order to gather evidence of misconduct prior to a disciplinary meeting. Such evidence can increase the likelihood of dismissal (or demotion/suspension) being held to be fair if litigated.
Monitoring can also provide an employer with reassurance that email and internet policies are being complied with. There is a long list of applicable legislation and there are risks and potential pitfalls of monitoring employees if this is done in the wrong way. By way of example, a Court/Tribunal is unlikely to look favourably on highly intrusive monitoring or monitoring after an employer has reassured employees there will be none.
Putting in place a properly thought-out IT and Communications Systems policy that makes clear what is/is not permitted and publicising and properly implementing the same are key to staying within the law.
Generally speaking, work emails are not considered private and can be monitored for good business reasons but you will need to carry out a data protection impact assessment and decide whether such an approach is proportionate in the circumstances i.e. what is the business reason for needing such monitoring and is there another less invasive way of achieving the same result?
Barbulescu v Romania – all change?
Back in 2016, the European Court of Human Rights (“ECHR”) case of Barbulescu v Romania led various UK newspapers to conclude that Orwellian-style workplace surveillance had been given the green light.
Headlines such as “WARNING – your boss can now legally read every WhatsApp message you send at work” and “OUTRAGE – EU court rules it’s OK for bosses to snoop on their employees’ messages” made for entertaining reading but did not (as you no doubt suspected) show the whole picture.
In Barbulescu, the ECHR considered whether the right to respect for private life and correspondence (Article 8) is breached when an employer monitors employees’ personal communications at work. The ECHR said that there was no breach – on the facts, the employer’s monitoring had been reasonable and proportionate.
In brief, Mr Barbulescu was using his business Yahoo Messenger account to send/receive personal messages at work in clear breach of his employer’s policy on personal use of its IT systems. His employer accidentally discovered his private messages and dismissed him. Mr Barbulescu subsequently argued that all evidence of his personal communications should have been excluded on the basis it breached his ECHR rights to privacy.
After all the press attention of the first case, at the appeal in 2017, the Grand Chamber of the ECtHR reversed the finding. Mr Barbulescu’s rights had been infringed by the employer’s draconian policies and the Chamber noted that “an employer’s instructions cannot reduce private social life in the workplace to zero.” The employee had not been informed of the nature and extent of the monitoring, nor of the possibility that the employer might access the actual content of the messages.
Unsurprisingly, the appeal did not receive quite as much attention from the UK press. Nevertheless, the resolution of the case demonstrated that properly thought-out (proportionate and reasonable) policies and procedures are always the best lines of defence/attack.
What about GDPR?
Pre-GDPR, employers often included a clause in an employment contract where the employee would give their generic consent to monitoring. Under GDPR, an employer can no longer rely on this clause as consent could not be freely given in this context, and it can be withdrawn at any time. As an alternative, it is helpful for an employment contract to refer to the Employee privacy notice (which should cover off the basis of such monitoring), sign-post any internet-use or monitoring policies, and reassure the employee that monitoring will only be carried out to an extent which is necessary, justifiable and proportionate.
What evidence can you get at Court?
Where you take action against one of your employees/former employees in Court – for example, to enforce a period of notice or post-termination restriction your chances of success will be greatly enhanced where you can show that your employee has been misbehaving e.g. contacting your clients with a view to poaching them.
In the case of a former employee, monitoring will no longer be possible (assuming any ongoing use of employer IT systems) and in the case of an existing employee, monitoring may be insufficient to get the evidence/information you need.
One approach is to apply to the Court for an order for delivery up of mobile phones, laptops, electronic devices and/or documents etc. that you believe may contain the relevant evidence.
Of course, the Court will not simply comply with an employer’s “wish list” of what it wants. In particular, it will generally be much harder to obtain an order for delivery up of personal devices as such orders are (rightly) considered by the Court to be particularly intrusive.
So one possibility, where you know your employee/former employee has used their personal mobile to communicate with clients (with a view to poaching them), would be to apply for an order for productions of that device and for the data on it to be harvested.
The Court will not let you have the personal mobile phone but can often be persuaded for this to be sent to a forensic analyst to carry out an agreed search of the device for items like contacts list, SMS text messaging, instant messaging (including WhatsApp) and call logs showing telephone use and any deletions of the same over a specific key period (sometimes deletions can be harvested). The use of agreed keywords relevant to the business – like clients’ names- can be used to fend off any argument that the individual’s rights around their personal data is being breached.
Of course, an employer should never rely on being able to obtain a Court order for delivery up of personal electronic devices etc. that an employee/former employee has control over, so it is key that the employer put in place properly drafted employment contracts and policies (and enforce the same) from the very start of the employment relationship including issuing the employee with a work mobile which is the company of the business and which be returned upon termination or even upon notice having been given.
The ever increasing popularity of BYOD (whereby employees bring/use their own devices for work purposes) will continue to blur the lines and will no doubt result in thorny issues for the Court in respect of future applications for delivery up of personally owned devices purportedly containing employer confidential/commercial information. Again, properly designed and implemented policies are a powerful tool in risk control and employer protection.
David Greenhalgh regularly deals with litigation and post-termination restrictive covenant injunctions involving obtaining and using data against departing employees. We can review your existing approach to monitoring to check you are compliant including reviewing your existing policies. Please contact David Greenhalgh for an initial discussion on 020 3603 2177.
This article/blog is for reference purposes only. It does not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking or deciding not to take any action.