Just over a decade ago, amid increasing threats from terrorism and organised crime, the UK’s interception of communications regime was updated to include the lawful interception of email, the Internet and other online technologies.
Unauthorised interception of electronic communications was banned outright. Yet organisations would still need to have control over their own business systems for lawful business practices. These include monitoring for training, quality control and security purposes.
E RADAR sets out what organisations can and cannot do when it comes to staff monitoring. This includes surveillance of the email and Internet browsing activities of individual members of staff.
Lawful Business Practice Regulations
The ‘Lawful Business Practice’ Regulations give organisations the right to control their own systems and networks in order to ensure that their business runs smoothly. Inevitably, this usually leads to organisations also monitoring the activities of workers, for example, by:
- recording on CCTV cameras;
- opening mail or e-mail;
- using automated software to check e-mail;
- checking phone logs or recording of phone calls;
- checking logs of websites visited;
- making video outside the workplace;
- getting information from credit reference agencies;
- collecting information through 'point of sale' terminals, such as at a supermarket check-out, to check the performance of individual operators.
However, people also have the right to privacy whilst at work. Whilst the UK Data Protection Act does not prevent monitoring, it does set down rules about the circumstances and the way in which monitoring should be carried out.
Monitoring electronic communications at work
You can legally monitor worker use of the phone, Internet, e-mail or facsimile in the workplace if:
- the monitoring relates to the business;
- the equipment being monitored is provided partly or wholly for work;
- you have made all reasonable efforts to inform workers that their communications will be monitored.
Bear in mind that these circumstances cover almost every situation where you might want to monitor worker electronic communications (except, of course, where monitoring is done for purely private or spiteful reasons). As long as you stick to these rules, you don’t need to get worker consent before monitoring them, but only if it is for one of the following reasons:
- to establish facts which are relevant to the business, to check that procedures are being followed, or to check standards, for example, listening in to phone-calls to assess the quality of a person’s work;
- to prevent or detect crime;
- to check for unauthorised use of telecommunications systems, such as whether a worker is using the Internet or email for personal use;
- to make sure electronic systems are operating effectively, for example, to prevent computer viruses entering the system;
- to check whether a communication a worker has received, such as an email or phone-call, is relevant to the business. In this case, you can open up their emails or listen to voice-mails but are not allowed to record their calls;
- to check calls to confidential help lines. In this case, you can listen in, but are not allowed to record these calls;
- in the interests of national security.
To monitor or not to monitor?
- Be clear about the reasons for monitoring staff and the benefits that this will bring;
- Identify any negative effects the monitoring may have on staff by completing an impact assessment;
- Consider whether there are any less intrusive alternatives to monitoring;
- Is monitoring justified, taking into account all of the above?
Except in extremely limited circumstances, employers must take reasonable steps to let staff know that monitoring is happening, what is being monitored and why it is necessary. Employers who can justify monitoring once they have carried out a proper impact assessment will usually not need to get worker consent.
Some employers monitor their workers without informing them that this is happening, for example, by use of hidden cameras or audio devices. This is rarely legal. Guidance under data protection law says that secret monitoring should not be allowed in private areas at work, such as staff toilets, unless there is serious crime involved, such as drug dealing.
Employer’s policy on monitoring
Ideally, you should have a code of conduct or policy that covers workplace monitoring. If a code or policy has been agreed, it will usually form part of a worker’s individual contract of employment and should be subject to disciplinary procedures.
The Information Commissioner supervises and enforces the law on data protection, and can advise both workers and employers on their rights and duties under the Data Protection Act. If the Commissioner decides that you are not following the law, recommendations can be given or an enforcement notice issued. The Information Commissioner cannot award workers compensation.
Employment Practice Codes
You might also want to refer to the Commissioner’s Employment Codes of Practice, which give you some good advice on how to monitor at work and stay within the law.
Data Protection | Employment Practices Code (quick guide) | ICO
Data Protection | Employment Practices Code (detailed guide) | ICO
Data Protection | Employment Practices Code (supplementary guidance) | ICO