All employers monitor their staff in some way or another. At one end of the spectrum this can involve simply requiring them to clock in or clock out. At the other end of the spectrum the form(s) of monitoring can be more intrusive, such as monitoring employee use of IT or email systems. For employers in the hospitality sector, where the workplace is also, often, a public place, there may be CCTV cameras in the workplace as well.
So what do employers need to do to make this monitoring legitimate and what can they do with the information they gather through this monitoring?
The legal framework is relatively complex and relevant legislative provisions can be found in a variety of sources. These include the European Convention on Human Rights, Article 8 of which contains a general right to respect for private and family life and for correspondence. The Data Protection Act 1998 (the DPA) is also highly relevant. The DPA does not prevent monitoring but it does set out principles for gathering and using personal information.
The Information Commissioner has published a Code relating to employment practices, which includes monitoring staff activities. A breach of the Code will not equate to a breach of the Data Protection Act itself, but it may be taken into account in any enforcement action. The Code starts with the premise that "it will usually be intrusive to monitor your workers" and goes onto state the workers are "entitled to a degree of privacy in the workplace". Where monitoring is to be carried out, the Code recommends that an "impact assessment" should be carried out. As part of this an employer should consider, in particular:
- why the monitoring is being carried out (i.e. what is the benefit, or the risk, to the company that the monitoring is designed to achieve, or prevent); and
- whether the intrusion into the workers' privacy is justified (i.e. is the form of monitoring proposed no more onerous than is strictly necessary).
In other words, for monitoring to be justified, the proportionality test must be met; i.e. is the reason for the monitoring sufficient to justify an intrusion into an employee's private life and are the means of monitoring proportionate. Employers should also consider whether there are any (less invasive) alternatives to the method of monitoring being considered. For example; can you use supervision or training rather than monitoring, can you investigate a specific incident rather than carrying out monitoring, can you limit monitoring to certain individuals about whom complaints have been received rather than the whole workforce, can monitoring be targeted at the areas of highest risk, can it be automated so that private information will only be seen by a machine, can spot checks or audits be carried out instead?
The Code also states that employers should tread carefully if relying solely on employee consent to monitoring taking place, noting that, in an employment context, employee consent is rarely "given freely". It does state though that workers should be aware of the nature, extent and reasons for any monitoring unless there are exceptional reasons to justify covert monitoring.
Covert monitoring can be justified but only in exceptional circumstances, for example as part of a specific investigation into a serious matter, i.e. the prevention or detection of criminal activity or equivalent malpractice. An example of how this has played out in an Employment Tribunal is the case of City and County of Swansea v Gayle. In this case the employee was dismissed for fraudulently completing timesheets stating he was at work when he was in fact at the local sports centre playing squash. A senior manager had seen him when he was meant to be at work and the employer hired a private investigator to video him entering and leaving the sports centre. The Employment Tribunal at first instance found the dismissal unfair as it said the employer did not have a legitimate reason for covert surveillance – it already had all the evidence it needed to discipline Mr Gayle (i.e. the senior manager's witness evidence). The EAT found this did not make the dismissal unfair; stating that the employer should not have been criticised for carrying out too thorough an investigation. Taking this a bit further (a bit too far in some commentator's view), the EAT stated that the employee had no reasonable expectation of privacy when he was on public premises and was defrauding his employer. It is suggested though that this case be treated with some caution, whilst the covert monitoring did not, in the end, render the dismissal unfair, employers should ensure that they consider less intrusive alternatives before embarking on this course of action.
The use of CCTV is referred to in the ICO's Employment Practices Code, however there is also a separate CCTV Code of Practice (an updated version of which is currently in draft form and was recently the subject of a consultation exercise). The ICO has also published a specific FAQ sheet for pub landlords (although this doesn't deal with the use of CCTV in an employment context).
In many workplaces, particularly in the hospitality sector, CCTV will be used in the workplace primarily to monitor customers rather than workers (i.e. for the prevention of crime and for health and safety purposes). Where this is the case, if the employer wants to be able to use the footage in connection with its employees (i.e. as evidence in a disciplinary context), staff need to be told this. The same impact assessment described above should be conducted where an employer intends to monitor customers and/or staff through CCTV. The cameras should only be used in high risk areas, and cameras and listening devices should not be installed in private areas such as toilets and private offices (except in the most exceptional circumstances where serious crime is suspected).
Employers also have to be mindful of the implied term of trust and confidence. An employer's monitoring activities may, in some circumstances, constitute a breach of this duty, enabling the employee to resign and claim constructive dismissal or breach of contract.
The growth in recent times of use of social networking sites such as Twitter and Facebook has complicated matters further. A thread of case law involving employee misconduct through their use of social media has developed over the last decade and one of the consistent themes emerging from those cases is the extent to which the employers in question have infringed the relevant employees' right to privacy by accessing the employees' social networking accounts.
Some of these cases have involved consideration of Article 10 of the European Convention on Human Rights as well as Article 8. Article 10 provides that everyone has a right to freedom of expression which can only be restricted in certain circumstances. One of which is for "the protection of the reputation or rights of others". In Preece v JD Wetherspoons plc the Employment Tribunal considered the extent to which Ms Preece's Facebook comments (concerning a customer) were private, before concluding that her comments on Facebook could not be considered to be private and that the action taken by Wetherspoons (Ms Preece's dismissal) was justified in view of the risk of damage to its reputation.
However, another consistent theme to emerge from the relevant case law is the need for employer's to draft and publish clear policies on the use of social media and IT systems generally. Excessive personal use of internet and email is one area where the courts have been quick to find that dismissals can be unfair if the rules haven't been clearly communicated to staff. Organisations need to ensure that if they want to take a 'zero tolerance' approach to use of social media or personal email accounts at work, that this is communicated to staff. Similarly, dismissing an employee for making negative comments about an employer (or its representatives/staff), is more likely to be held to be fair if employees are given an indication as to what is, and what isn't, likely to be acceptable to the employer.
Monitoring of staff activity at work can be necessary for a variety of reasons. Generally speaking, as long as staff are aware of what is being monitored and why, this should cause no significant difficulties. However, an impact assessment should be conducted whenever any form of monitoring is being conducted. The more intrusive the monitoring is, the more serious the reason for it needs to be. Any information obtained through such monitoring must be kept securely and processed in accordance with the provisions of the DPA.
Top tips for employee monitoring
- Carry out an impact assessment - the assessment should identify whether monitoring is necessary and, if so, what form it should take to achieve the best balance between employees' rights to privacy and the employer's needs for carrying out its business. Alternatives should be considered. A written record of the impact assessment should be kept, including the process used, the findings made and the conclusion reached.
- If the monitoring is necessary, is it proportionate? If not, don't do it.
- Establish an electronic communications policy - the policy should include: the circumstances in which employees can use the employer's systems for private communications; the extent and type of private use that is allowed; any restrictions on internet material that can be viewed or copied; what alternative methods of communication can be used to ensure confidentiality; the reasons, methods and extent of monitoring; how the policy is enforced; and the penalties for breaching it. Other policies will be relevant and you should ensure they are up to date, eg IT policy, disciplinary procedure, data protection policy, bullying and harassment policy, equal opportunities policy, social media policy and BYOD (Bring Your Own Device) policy.
- Do you need employees' consent - consider whether employees need to be asked for their consent to be monitored. This will be required if the monitoring cannot be brought within any of the "necessary" grounds in the DPA. Consent must be freely given and unambiguous.
- Notify employees of any intention to monitor in order to overcome any expectation of privacy - if CCTV footage is to be used to monitor employees (particularly if this is not the primary purpose for which it has been installed), they need to know.
- Communicate the rules (particularly around personal use of internet and email) to all staff.
- Conduct training - training may be carried out to raise awareness of monitoring and its purposes. Managers should also be trained on what can and can't be monitored and what they can do with information gathered.
- Carry out regular audits - audits should be carried out at least annually to ensure that policies are current, relevant and being followed.