In an age when the vast majority of people use at least one device at work – be it a computer, laptop, tablet or smartphone – it is increasingly common for organisations to monitor staff use of IT systems. The law doesn’t prevent this sort of monitoring but charities must be able to justify the intrusion into their workers’ private life as a proportionate response to the problem they are seeking to address.
With the new General Data Protection Regulation (GDPR) on the horizon promoting transparency and accountability, a recent decision by the European Court of Human Rights (ECtHR) provides a timely reminder of when staff monitoring may be unlawful.
The case
The case was brought by Mr Bărbulescu. His employer had an IT policy that strictly prohibited personal use of its IT equipment and Mr Bărbulescu had signed a memo that warned: "The employer has a duty to supervise and monitor employees' work and to take punitive measures against anyone at fault! Your misconduct will be carefully monitored and punished!”
Mr Bărbulescu’s employer asked him to set up a Yahoo Messenger account to deal with client enquiries. They monitored his Messenger communications and found that he was using it for personal purposes in contravention of their IT policy. Mr Bărbulescu was subject to disciplinary proceedings and, as part of the investigation, his employer produced transcripts of messages he had exchanged with his brother and fiancée containing intimate personal information about his health and sex life. Mr Bărbulescu was dismissed for unauthorised personal use of the internet.
Decision
After his unfair dismissal case in the Romanian courts was unsuccessful, Mr Bărbulescu brought a claim against the Romanian government in the ECtHR arguing that it had failed to protect his right to privacy. Although a Chamber of seven judges initially found that the use of the Yahoo Messenger communications in disciplinary proceedings was a proportionate interference with Mr Bărbulescu’s rights, that decision was overturned on appeal to the Grand Chamber of 17 ECtHR judges.
In reaching its decision that the monitoring had unlawfully infringed Mr Bărbulescu’s rights, the ECtHR Grand Chamber took into account the following key points:
- the right to a private life extends to professional activities and individuals have a right to respect for the privacy of the communications they send from business premises
- an employer must demonstrate that it has legitimate reasons to justify monitoring and monitoring the actual content of communications will require weightier justification. In this case, it would have been possible for Mr Bărbulescu’s employer to establish a monitoring system based on less intrusive methods.
- Mr Bărbulescu had a reasonable expectation of privacy as his employer did not tell him in advance of the nature and extent of the monitoring, or the possibility that they might access the content of his communications. Neither the IT policy nor the memo expressly stated that the content of messages would be monitored or intercepted.
Lessons to be learned
The Information Commissioner’s Office (ICO) publishes guidance for UK employers carrying out monitoring at work, which reflects the ECtHR’s approach in Mr Bărbulescu’s case.
The ICO recommends that employers carry out an impact assessment before monitoring communications, which should involve identifying any adverse impact on workers and considering alternatives to monitoring or different ways in which it might be carried out.
Workers should also be made aware of the nature, extent and reasons for any monitoring, for example via an IT policy or intranet message; covert monitoring will only be justified in exceptional circumstances. The employer should also clearly set out the standards expected of workers and the potential consequences of any breach.
Employers should keep to a minimum those within the organisation who can authorise monitoring and who have access to the information obtained, and they should receive training and must be subject to confidentiality and security requirements.
Next steps for charities
The introduction of the GDPR in May 2018 will strengthen individuals’ rights and will increase the obligation on employers to be accountable for any monitoring they carry out and to be transparent about their practices.
With maximum fines for data protection breaches set to rise significantly under the GDPR, organisations monitoring staff use of IT systems should take this opportunity to review their practices and policies.
Our charity and social business team can advise on impact assessments, provide training for staff, draft or review IT policies and prepare confidentiality undertakings.