Privacy at work: When does monitoring become snooping?

The question of monitoring at work is a delicate balancing act between the employer’s need to maximise productivity during working hours and ensure that its equipment or software are not being used for improper purposes, and the employee’s reasonable expectation of privacy in the workplace.

The Grand Chamber of the European Court of Human Rights (ECtHR) has just overturned an earlier decision from its lower court (the Chamber) regarding employees’ right to privacy in the workplace.

Mr Barbulescu, an employee, was requested to set up an instant messaging account for the purposes of his work. Unbeknownst to his employer, Mr Barbulescu was also using the account for personal purposes, contacting both his brother and his fiancée via the account.

Mr Barbulescu’s employer had a strict policy that internet was not for private usage, and communicated this to employees. Importantly however, the employer did not inform employees that communications would be monitored to ensure the policy was adhered to. Mr Barbulescu’s employers accessed not only the content of his messages of a personal nature which were sent and received on his work account, but also that of his separate personal messenger account.

Mr Barbulescu was subsequently dismissed for personal usage of the internet, which was unauthorised.

The action against his employer before Romanian courts was unsuccessful, and so he appealed to the ECtHR, claiming that the Romanian state had violated his right to privacy and correspondence under article 8 of the European Convention of Human Rights.

Initially, the ECtHR found that the interference with Mr Barbulescu’s rights was proportionate. When personal use of the internet is forbidden, it is reasonable to expect employers to check the content of communications being sent and received from its computers, in order to monitor compliance with their policies.

However, on appeal to the Grand Chamber, this decision was overturned. The Grand Chamber found that Mr Barbulescu’s rights has in fact been infringed. The fact that employees had not been informed of the monitoring and interception of communications was one of the decisive factors, as was the fact that monitoring extended to content, rather than just data about the traffic of the communications. Monitoring the content is necessarily a greater interference, which requires more justification.

In the UK, the Information Commissioner’s Office (ICO) provides guidance on how employers should act in relation to monitoring their employees’ communications. The ICO is more concerned with systematic monitoring (that is, where the monitoring is routine), than occasional monitoring, which is short term and implemented to address a specific problem.

Employers should carry out a thorough impact assessment, taking into account the purpose for the monitoring, identifying the adverse impact on employees, consider the alternatives, take into account their obligations as employers, and consider whether the monitoring is justified.

According to the ICO, it is good practice to inform employees of any policies in place on electronic communications, something that Mr Barbulescu’s employers made very clear. However, it is also good practice to inform employees that monitoring is taking place to enforce that policy, as well as the purpose and extent of the monitoring. Failure to do so, in the Barbulescu case, was something the Court did not look kindly upon. In addition, Mr Barbulescu claimed that the print-outs of the messages were left by the printer for all to see. This is at odds with the ICO’s guidance that the number of people having access to the information that is being collected about employees should be kept to a strict minimum. Finally, the ICO suggests that employers should not access the content of messages which are clearly marked as private or personal. It may be that, had Mr Barbulescu known about the monitoring, he would have marked the messages as personal to prevent his employer from reading it and accessing intimate conversations.

Following the ICO’s guidance reflects good practice, and can help employers comply with their obligations whilst protecting their business. An impact assessment exercise will be particularly helpful in considering whether a specific measure can be justified. Establishing good practice within an organisation also promotes a relationship of trust with employees, who know the extent to which their employers are accessing and processing their personal data.

Barbulescu v Romania (Application no. 61496/08[2017] ECHR 742

The material contained in this guide is provided for general purposes only and does not constitute legal or other professional advice. Appropriate legal advice should be sought for specific circumstances and before action is taken.

 © Miller Rosenfalck LLP, October 2017

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Please contact:

Emmanuelle Ries - Partner

DD +44 (0)20 7553 9938

View profile »