What are the rules on monitoring remote staff?

Employers may therefore be tempted to increase the monitoring of their IT systems, not just to check up on whether their employees are working when they should be, but also to ensure the security of their systems and information, including personal data.

Here, we take a look at some of the legal issues surrounding the monitoring of remote workers and some of the practical steps that employers can take to comply with their obligations.

Is monitoring your remote staff illegal?

There is no specific privacy legislation that expressly prohibits employers from monitoring its employees. However, the law does impact upon employee monitoring in several ways, including:

• The Human Rights Act 1998, incorporating Article 8 of the European Convention on Human Rights relating to the right to a private life.
• The Investigatory Powers Act 2016, which governs the interception of electronic communications.
• The Data Protection Act 2018, where electronic surveillance of employees involves the processing of personal data.

What are the legal issues when monitoring your employees?

The legal issues involved in monitoring employees are complex, but the key points are as follows:

Privacy at Work

While it is only public authorities who are directly subject to the provisions of the Human Rights Act, it is still relevant to private sector employers as courts and tribunals are bound to interpret all legislation in accordance with the rights under the act, including the right to privacy.

For example, a dismissal can be unfair if the circumstances concern an infringement of the employee’s right to a private life that cannot be justified. The right to a private life also impacts upon the way other legislation is interpreted.

It is therefore important that any monitoring that might infringe the right to a private life can be justified by reference to a legitimate business need that cannot be achieved in a less intrusive way.

Intercepting electronic communications

With certain exceptions, the Investigatory Powers Act potentially makes it an offence for employers to intercept communications over its workplace telephone and computer networks that are attached to public telecommunications systems (which most will be) unless they have ‘lawful authority’ to do so.

Lawful authority in this sense means having obtained the consent of both the sender and recipient.

The exceptions where consent will not be required include a range of legitimate business activities, including the detection of unauthorised use of an employer’s sytems.

Data Protection

Electronic monitoring of employees will inevitably involve the processing of personal data and therefore trigger the application of data protection legislation, which sets out a number of principles that must be complied with. These include obligations relating to the purposes for which data can be processed; the manner in which it must be processed; and the information that must be provided to employees about the reasons and forms that monitoring can take.

While it has not yet been updated to reflect the current legislation, there is also the Information Commissioner’s Employment Practices Code, which explains how the data protection principles under the old legislation are likely to be enforced in the employment environment. These are in many cases still relevant and can be taken into account in considering enforcement action.

The Code gives a number of good practice recommendations when monitoring emails, for example limiting the extent to which emails can be read to the address or email header unless it is essential for a valid reason to read the content.

Under the old data protection legislation, it was usual for employers to include a clause in the contract of employment confirming the employee’s blanket consent for the monitoring of phones, emails etc. However, employers can no longer do this under the current legislation and instead need to be able to (1) identify a lawful basis for monitoring employees; and (2) inform employees of that lawful basis and the forms that monitoring will take before engaging in the monitoring. This is usually done by setting the information out in the privacy notice that employers are in any event bound to provide to their employees.

One potential lawful basis for monitoring is to ensure compliance with an employer’s policy as to how its IT systems are used. It is therefore advisable to have an IT policy and for it to include provisions that reinforce the purposes and form that any monitoring will take.

Although a blanket consent to monitoring in a contract of employment is no longer appropriate, it is still worth including a provision in the contract of employment that makes the employee aware of monitoring and signposts the employee to the relevant privacy notice and IT policy that the monitoring is carried out under.

It is also worth noting that employers who electronically monitor their employees are likely to be obliged to carry out an impact assessment of its monitoring activities to assess the necessity and proportionality of doing so. This includes assessing the purposes of the monitoring and whether there is a less intrusive way of doing it.

If you are an employer seeking legal advice on a particular matter or employment circumstance, please contact Peter Rolph by emailing [email protected] or by completing the form below. 

Useful links:

• Human Rights Act 1998
• Investigatory Powers Act 2016
• Data Protection Act 2018