While there are many benefits to both employers and employees of working from home, one of the potential drawbacks for employers is the perceived loss of control over employees and their actions whilst working.
Employers may therefore be tempted to increase the monitoring of their IT systems, not just to check up on whether their employees are working when they should be, but also to ensure the security of their systems and information, including personal data.
Here, we take a look at some of the legal issues surrounding the monitoring of remote workers and some of the practical steps that employers can take to comply with their obligations.
There is no specific privacy legislation that expressly prohibits employers from monitoring its employees. However, the law does impact upon employee monitoring in several ways, including:
The legal issues involved in monitoring employees are complex, but the key points are as follows:
Privacy at Work
While it is only public authorities who are directly subject to the provisions of the Human Rights Act, it is still relevant to private sector employers as courts and tribunals are bound to interpret all legislation in accordance with the rights under the act, including the right to privacy.
For example, a dismissal can be unfair if the circumstances concern an infringement of the employee’s right to a private life that cannot be justified. The right to a private life also impacts upon the way other legislation is interpreted.
It is therefore important that any monitoring that might infringe the right to a private life can be justified by reference to a legitimate business need that cannot be achieved in a less intrusive way.
Intercepting electronic communications
With certain exceptions, the Investigatory Powers Act potentially makes it an offence for employers to intercept communications over its workplace telephone and computer networks that are attached to public telecommunications systems (which most will be) unless they have ‘lawful authority’ to do so.
Lawful authority in this sense means having obtained the consent of both the sender and recipient.
The exceptions where consent will not be required include a range of legitimate business activities, including the detection of unauthorised use of an employer’s sytems.
Electronic monitoring of employees will inevitably involve the processing of personal data and therefore trigger the application of data protection legislation, which sets out a number of principles that must be complied with. These include obligations relating to the purposes for which data can be processed; the manner in which it must be processed; and the information that must be provided to employees about the reasons and forms that monitoring can take.
While it has not yet been updated to reflect the current legislation, there is also the Information Commissioner’s Employment Practices Code, which explains how the data protection principles under the old legislation are likely to be enforced in the employment environment. These are in many cases still relevant and can be taken into account in considering enforcement action.
The Code gives a number of good practice recommendations when monitoring emails, for example limiting the extent to which emails can be read to the address or email header unless it is essential for a valid reason to read the content.
Under the old data protection legislation, it was usual for employers to include a clause in the contract of employment confirming the employee’s blanket consent for the monitoring of phones, emails etc. However, employers can no longer do this under the current legislation and instead need to be able to (1) identify a lawful basis for monitoring employees; and (2) inform employees of that lawful basis and the forms that monitoring will take before engaging in the monitoring. This is usually done by setting the information out in the privacy notice that employers are in any event bound to provide to their employees.
One potential lawful basis for monitoring is to ensure compliance with an employer’s policy as to how its IT systems are used. It is therefore advisable to have an IT policy and for it to include provisions that reinforce the purposes and form that any monitoring will take.
Although a blanket consent to monitoring in a contract of employment is no longer appropriate, it is still worth including a provision in the contract of employment that makes the employee aware of monitoring and signposts the employee to the relevant privacy notice and IT policy that the monitoring is carried out under.
It is also worth noting that employers who electronically monitor their employees are likely to be obliged to carry out an impact assessment of its monitoring activities to assess the necessity and proportionality of doing so. This includes assessing the purposes of the monitoring and whether there is a less intrusive way of doing it.
We will only use this information to handle your enquiry and will not share it with anyone else.