As an employer, you should read the employee monitoring law below if you want to understand the legalities of employee monitoring. In short, it says that you, the employer, can monitor your employees’ actions on your computers. Employers should have an Acceptable Use Policy (AUP) in place that is made known to all their employees, and employees should be made aware that their computers and Internet activity are being monitored. Basically, the law states that you can do whatever you want because the computers and the work done on them are your property.
The Information Commissioner published the final code of practice for the use of personal data obtained by employers as a result of monitoring at work (the "Code") on 11 June 2003. This article reviews the Code and compares it to the earlier drafts published by the Data Protection Commissioner in October 2000 (the "DPC Draft Code") and the Information Commissioner in July 2002 (the "IC Draft Code"). The comparison will examine how, in the field of data protection, public policy resolves the common tensions between upholding private rights and supporting commercial interests.
The Code recognizes that employers have a primary obligation to comply with the Data Protection Act 1998 (the "1998 Act"). It is implied in the opening remarks at Section 2 of the Code that the purpose of the 1998 Act is to protect the fundamental rights and freedoms of employees, notably their rights to privacy. Monitoring systems must, therefore, respect these fundamental rights and freedoms as well as contribute to economic and social progress, trade expansion and the well-being of individuals. The Code, given that it is part of a wider code of practice for employment practices, addresses head-on the competing interests that lie behind data processing. The Code notes that balancing these interests is made more difficult by the fact that "it is not always easy to draw a distinction between work-place and private information".
The Code distinguishes between two types of monitoring. "Systematic monitoring" is the routine monitoring of all or a particular group of employees and "occasional monitoring" is monitoring as a short-term measure to respond to a particular need. As systematic monitoring is likely to be the most problematic, this is the type of monitoring which the Code principally addresses. To emphasize the point that the Code is more relevant to larger employers, the new Information Commissioner, Richard Thomas, insisted that a short guidance note addressed to small businesses be published at the same time as the Code.
The key to compliant monitoring under the Code is the implementation of an impact assessment procedure. The procedure outlined in the Code should be familiar to any employer used to assessing risk, for instance to comply with its obligations under the Health and Safety at Work etc. Act 1974. Unlike health and safety law, there is no legal requirement for employers to document formally any assessments that are made. However, as these assessments would indicate that the employer was following the Code, they would be influential should the employer find itself on the receiving end of an Information Commissioner’s investigation. It should be noted that the first step in the Information Commissioner’s audit procedure when investigating a data controller, after any preparatory meeting or visit, is to review relevant documentation. The Code sets out the requirements for impact assessments. They should identify the purpose of the proposed monitoring and its expected benefits, as well as the adverse impact of the monitoring, the alternatives considered and other monitoring obligations, to enable the employer to set out a conclusive justification for the monitoring.
The proportionality and lawfulness of any monitoring are therefore determined by the employer’s judgment of the benefits of any monitoring against the adverse impact of that monitoring. The Code sets out factors that should be considered when assessing adverse impacts, which include consideration of the level of intrusion into the private lives of the employees via interference with their private e-mails, telephone calls or other correspondence. In considering alternatives to monitoring, the Code recommends use of targeted or automated monitoring to reduce intrusion to employees in the workplace. The Code calls for employers to come to "a conscious decision as to whether the current or proposed method of monitoring is justified". This can only be achieved after a proper examination of the adverse impact of any monitoring and consideration of all alternatives to it.
The Code includes a number of good practice recommendations, which are set out in section 3 of the Code and are explained in further detail in separate Supporting Guidance (the "Guidance"). These include the Information Commissioner’s "Core Principles" for monitoring, which are:
- It will usually be intrusive to monitor your workers.
- Workers have legitimate expectations that they can keep their personal lives private and that they are also entitled to a degree of privacy in the work environment.
- If employers wish to monitor their workers, they should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by real benefits that will be delivered.
- Workers should be aware of the nature, extent and reasons for any monitoring, unless (exceptionally) covert monitoring is justified.
- In any event, workers’ awareness will influence their expectations.
The area of most controversy has been the monitoring of electronic communications of employees. The Code recognizes this by setting out a number of data protection issues and points that should be incorporated into employers’ policies on the use of electronic communications. The Information Commissioner also includes under each guidance note in the Guidance a helpful list of key points and possible actions for employers to consider. The Guidance includes an explanation of the regulations made under the Regulation of Investigatory Powers Act 2000 that permit businesses, in most cases, to intercept electronic communications (the "Lawful Business Practice Regulations").