The use of email and the internet by employees (including their activities on social network sites and blogs) can lead to performance issues, damage to the employer’s reputation, loss of business and various legal liabilities, such as harassment and discrimination, defamation, and transmission of confidential information and trade secrets.
However, employers may monitor employees' actions to prevent such liabilities arising only in certain circumstances, and only by means of specific policies and methods.
There is no data privacy law in the UK which specifically governs monitoring of employees. Employers are neither expressly permitted to monitor, nor are they prohibited from doing so. That said, electronic forms of workplace surveillance involve the processing of personal data which is regulated by the GDPR and DPA 2018. The GDPR sets out several principles with which data controllers must comply when processing personal data and which are relevant to any monitoring undertaken by an employer. This includes the principle that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. This effectively requires provision of detailed information to employees about the employer’s monitoring activities.
The Employment Practices Code issued by the Information Commissioner contains guidance on monitoring at work, including specific good practice recommendations for the monitoring of electronic communications. The Code recommends that employers set out the circumstances in which monitoring may take place, the nature of the monitoring, how information obtained through monitoring will be used, and the safeguards in place for the workers subject to the monitoring. Employees should be left with a clear understanding of when information about them is likely to be obtained, why it is being obtained, how it will be used, and to whom, if anyone, it will be disclosed.
The Code also requires employers to carry out an impact assessment, which balances the needs of the business against the adverse impact of monitoring on workers.
It is generally going to be difficult for employers to justify the more intrusive forms of monitoring (for example, reviewing email content or checking actual websites visited by workers), unless they can show there is a real risk of serious damage to the employer’s business.
The second key theme, in terms of data protection compliance in this area, is the provision of full information to workers about any monitoring or testing. This is required to comply with the data protection principles under GDPR, that personal data be processed in a fair, lawful and transparent manner. Employers must meet a high standard in terms of the level of information provided. It is not enough, for example, to simply tell employees their email is being monitored.
Why have an email or electronic communications policy?
The importance of providing information to employees about any monitoring means that employers should have an electronic communications policy. However, the policy should also extend beyond monitoring; it should set standards, cross-refer to other relevant policies and address the many risks and hazards arising from inappropriate email use and internet access, including:
- Constructive dismissal
- Discrimination, harassment and defamation claims
- Intellectual property issues
- Contractual liability
- The loss of productivity
What should it contain?
The Information Commissioner offers assistance with the contents of an electronic communications policy at paragraph 3.2.1 of the Employment Practices Code. In addition, following the Information Commissioner’s guidance on data security breach management, the policy should also deal with specific security issues or cross-refer to a more detailed policy setting out practical guidance for employees on safeguarding the security of personal data.
An electronic communications policy should:
- Set clear standards of conduct and performance
- Give examples of what constitutes appropriate and inappropriate use of the technology, including clear examples of inappropriate use, such as pornographic or discriminatory material
- Provide a reminder that a website visited by an employee may record the visit (for example in its server logs or through cookies it sets in the browser), so the visit is traceable to the employer
- State that inappropriate use will be dealt with under the employer’s disciplinary procedure and could result in dismissal
- Provide a warning that emails can be used as evidence in court proceedings
- Provide a warning that emails can be forwarded easily and should not be treated as confidential (any confidential information should be encrypted)
- State that the employer’s standard disclaimer must always be used
- State the rules for private use of office equipment when it is used away from the workplace or at the employee’s home
- Provide a warning that email attachments from an unknown source should not be opened but should be referred to the IT department
- Provide guidance on passwords, any specific security guidelines and advice on excessive processing (for example, the downloading of excessive amounts of employee data onto memory sticks or laptops)
- State whether personal use is permitted and if so, what level and at what times personal use is acceptable (for example, restrictions on calling overseas or limits on size of email attachments that can be sent or received)
- Contain a full statement of the purposes for which monitoring may be undertaken, the extent of the monitoring and the means used
- Indicate who is responsible for the policy (drafting it, implementing it and reviewing it)
- Indicate who will make decisions to monitor
- Indicate who will have access to the results of monitoring
- Detail subject access rights
- State the employer’s retention and deletion policy (and deal with any overlap with the retention of hard copy materials)
- Cover the use of office telephones, mobile telephones, laptops, smart phones, BlackBerrys, PDAs and similar devices
- Include guidance on blogging and social networking sites
How should it be communicated?
The policy should be well-publicised:
- It should be given to employees at the start of employment
- Employees should be asked to indicate that they have read the policy and accepted its terms
- Reminders about the policy and information on any changes to the policy should be publicised
In addition, it is important that the policy is followed up with action to ensure employees comply with it. Managers should be trained about data protection and its relevance to their responsibilities, including the security of personal data in the workplace.
How should it be implemented?
The policy (and the sanctions applied to employees for breaches of it) must always be applied consistently and fairly to avoid claims for unfair dismissal and discrimination.
In Simpkin v Berkeley Group Holdings Plc EWHC 1472 (QB), a document prepared on and sent by an employee from his work computer to his personal email account, for the purposes of forwarding to his divorce lawyer in his personal capacity, was held not to be confidential or privileged. The employee could have had no reasonable expectation of privacy: the document was saved on a central server, his assistant had access to his emails, he had signed the employer’s IT policy acknowledging that all emails sent on the employer’s IT system were the property of the employer, and his contract of employment made clear that the employer could monitor emails without consent.
Where an employer suspects an employee of misconduct involving electronic communications, it should, as with any other type of misconduct, substantiate its suspicion by carrying out a full investigation and gathering evidence before confronting the employee. Its actions must comply with the principles of fairness set out in the Employment Rights Act 1996, the case law relating to unfair dismissal and the relevant code of practice.
Employees are entitled to a reasonable expectation of privacy in relation to emails clearly marked “private and confidential”, and there should be no routine monitoring of such emails. However, where there is suspicion of specific unlawful or criminal activity, it may be reasonable to monitor even private emails for a limited period.