
Data protection and monitoring at work

This guide is based on UK law. It was last updated in December 2004.

Introduction

The Information Commissioner has published guidance contained in the Employment Practices Data Protection Code. This comprises four different parts – Recruitment and Selection, Employment Records, Monitoring at Work and Medical Records. The Code uses a broad definition of monitoring:

"Where monitoring goes beyond one individual simply watching another and involves the manual recording or any automated processing of personal information, it must be done in a way that is both lawful and fair to workers."

Examples of monitoring can include:

  • entries in a supervisor's notebook;
  • keeping a record of phone calls;
  • a point of sales terminal which records operator's mistakes or speed;
  • checking an employee's emails.

Core principles for monitoring

  • Workers have a legitimate expectation that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment.
  • Workers should be aware of the nature, extent and reasons for any monitoring.
  • Monitoring is often intrusive (and therefore must be justified by an Impact Assessment).
  • Covert monitoring can only exceptionally be justified.
  • Information derived from monitoring for one purpose should not be used for a different purpose.
  • Where monitoring is justified, the information derived should be kept secure with limited access.

When monitoring is permitted

Save for a few exceptions, the Code leaves it to management to decide when to monitor: "In broad terms, what the Act requires is that any adverse impact on workers is justified by the benefits to the employers and others." In order to decide whether the adverse impact is justified, the Code recommends that managers use Impact Assessments which involve:

  • identifying the purpose behind monitoring;
  • identifying any likely adverse impact and the degree of intrusiveness involved;
  • considering alternatives to monitoring;
  • taking into account the obligations that arise from monitoring;
  • deciding whether monitoring is justified.

Consent to monitoring is obviously relevant to the Impact Assessment, but is not necessarily either decisive or sufficient. The Code says that "Employers who can justify monitoring on the basis of an Impact Assessment will not generally need the consent of individual workers". It is clearly advisable for employers to keep a record of any such assessment.

Where electronic communications are concerned, it may be easier to justify monitoring traffic data (the use of telephones, email or the Internet) rather than content. Monitoring content is likely to be much more intrusive and therefore require clearer justification. For example, recording the content of phone calls may be justified for regulatory purposes; opening private emails is unlikely ever to be justified and would require exceptional circumstances. Workers should be aware of the nature and extent of monitoring. The senders of communications should be made aware, where possible, as well as recipients.

Managing data protection and monitoring

The Code recommends that a Data Protection Officer be appointed, especially as data protection is multidisciplinary. They should check what personal information about workers is currently collected, cut out irrelevant or excessive information and ensure the conditions for sensitive data collection are satisfied. A specific Policy on the use of electronic communications should be established, to include the use and extent of monitoring.

Covert monitoring

The Code suggests that "covert monitoring should not normally be considered". Covert monitoring includes any situation where it is likely that workers will not be aware that they are being monitored. Simply informing employees, perhaps at the beginning of their employment, that their activities may be monitored or recorded on CCTV will not be sufficient to prevent subsequent monitoring being covert. Specific information about the current use and extent of monitoring should be publicised and drawn to their attention. For example, it would be a breach of the Code to monitor access times to an office generated by electronic swipe cards on entry, unless workers are made specifically aware that this use is being monitored.

Covert monitoring should only be undertaken in exceptional circumstances, such as suspicion of criminal activity. Even then it should:

  • be authorised by senior management;
  • be used to collect specific information;
  • be carried out within a set timescale;
  • be carried out with restrictions on access and use.

It follows that covert monitoring should not be used on a random or deterrent basis. Moreover, covert monitoring should not be used "in areas where workers would generally and reasonably expect to be private". It should not therefore be used in places such as toilets or private offices, save where there is a suspicion of serious crime, where there should be an intention to involve the police.

Legal implications

The Data Protection Code sets out good practice, but has no particular legal status (unlike, for example, the ACAS Code on Disciplinary Procedures). The Code does not address the question of what happens if it is breached. On the face of it, the sanctions for a breach of the Data Protection Act (DPA) are wide ranging. Individuals affected can complain to the Information Commissioner, who has a range of powers, including issuing Enforcement Notices. Alternatively, they could sue in the courts for breach of a new statutory tort, providing they can show damage. So far, enforcement action has been rare, although complaints to the Commissioner are now rising. Faced with a complaint on monitoring, an employer who can show they take data protection seriously, by introducing a Data Protection Policy complying with the Code and by carrying out Impact Assessments where necessary, will be on much stronger ground.

There has been little litigation on the DPA or Code in an employment context. Where similar issues have arisen in cases involving the right to respect for privacy and family life, under the European Convention on Human Rights, the judges have taken a robust view of arguments that employers have infringed privacy. So, for example, it has been held that random drug testing did not interfere with private life (the case of O'Flynn against Airlinks); and that it was wrong to exclude information obtained by covert interception of a phone call, in clear breach of statute (judgment in Avocet Hardware against Morrison). This suggests that employers who collect information in breach of the Code may be exposed to claims under the DPA, but may still be able to act on the information, for disciplinary and dismissal purposes. However, a major breach of privacy might lead to other serious legal consequences; for example, to a constructive unfair dismissal claim, and in all such cases legal advice should be obtained.

Practical implications

The Code provides good practice guidance and so reduces and minimises the risk of data protection claims. The Code does not forbid, or even restrict, monitoring unduly. It does require a Policy to be in place, and that decisions to use monitoring are formalised and recorded, as Impact Assessments. A management which has considered the issues, systematically and within the framework of the Code, will still be able to monitor, and satisfy the Information Commissioner if necessary.

For further information contact: ian.anderson@pinsentmasons.com

Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.