Companies are not allowed to snoop on employees' private messages - at least not without letting them know first, the European Court of Human Rights (ECHR) has ruled.
It all began when an employer asked Bogdan Bărbulescu to set up an email account for work purposes. He was subsequently dismissed after his employer checked his messages and found he had been sending personal messages to his brother and fiancée during working times. The original ECHR judgment found that Bărbulescu ‘s right to respect for private and family life under Article 8 of the European Convention on Human Rights had not been breached. They judged that it was reasonable for employers to check whether employees were carrying out work during working hours. The decision of the Grand Chamber, however, overturns this decision. They found the employer had not struck a fair balance between the right to privacy and the employer’s right to ensure the effective running of the company.
"There is already UK case law that states secret monitoring of employee calls, emails and internet use is a breach of the right to privacy and the latest case, required to be taken in to account by UK judges, reiterates the importance for employers to get the balance right before carrying out any monitoring of employees," says Peninsula Employment Law Director Alan Price.
Mr Price explains: "The European Court of Human Rights’ judgment on the right of a Romanian worker to privacy in his email accounts clarifies the boundary for UK employers on rights to privacy in the workplace. This decision does not mean that employers are completely prohibited from monitoring employee communications if they suspect the employee is using these for personal use during working time. However, in the future employers need to act carefully, in line with the Court’s guidance, to ensure they can lawfully take action. This will require employers to:
- Ensure they have a fair, proportionate and legitimate reason to carry out monitoring of employee communications
- Inform employees at the outset that monitoring of communications will take place - including how, when, which communications e.g. mobile, email etc. and what action can take place as a consequence of this. This will usually happen in specific policies within the employee handbook but employers may wish to periodically remind employees to minimise the risk of future complaints;
- If there isn’t a monitoring policy in place, or this isn’t specified in individual emails regarding the use of company phones, emails and internet, then these should be put in place and communicated to all staff. Receiving a signed notice that employees have received, read and understood this will be invaluable evidence when employers are looking to enforce these policies;
- Carry out a fair assessment to ensure the extent of any monitoring is not breaching the employee’s right to privacy;
- Review whether a less intrusive method can be used, for example, having a formal discussion with the employee to ask them whether they use workplace emails for private use, rather than simply accessing their accounts immediately.
A statement from Peninsula said: "We’re currently waiting on the UK Data Protection Bill to be published later this month to see how the GDPR will be implemented in the UK. It is likely that the employer requirements will not be affected as this case concerns monitoring, rather than the processing of employee data. However, the GDPR focuses on receiving clear, informed consent to data processing so employers may wish to transfer this to their monitoring requirements and ensure the employee signs a notice saying they are aware monitoring takes place and provide consent to this.
GDPR Summit London is a dedicated event which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/