In the recent case of Bărbulescu v Romania the European Court of Human Rights (ECtHR) handed down a decision on the right to privacy under Article 8 of the European Convention on Human Rights in the context of an employer’s monitoring of private messages sent by an employee.
Headlines in the press suggested that the law had changed and that employers were at liberty to do whatever they wanted to in relation to the interception and monitoring of employees. This is not true and the headlines are inaccurate. The law has not changed.
Before going further, the issue of monitoring employee communications at work is complex, fragmented and very dry. The law is not in one place and the rights of employees and employers has to be teased out of various sources. For those of you without a strong coffee in front of you, please feel free to go straight to the Speedread summary below.
Mr Bărbulescu was an engineer working for a heating company. At his employer’s request he set up a Yahoo Messenger account to deal with client enquiries. Subsequently, Mr Bărbulescu’s employer informed him that they had monitored his Yahoo Messenger communications over the course of a week and that he had used it for personal purposes in contravention of the employer’s internal rules, which prohibited any personal use whatsoever of the company’s computers, internet or telephones.
Mr Bărbulescu was dismissed for personal internet use at work, contrary to the employer’s internal rules. As part of its investigation, the employer accessed his private messages sent to friends and family relating to personal matters and discovered he had used the internet for personal purposes, contrary to internal regulations. These messages were used in the disciplinary proceedings as well as in the subsequent court cases.
Mr Bărbulescu argued that the Romanian courts should have excluded all evidence of his personal communications on the grounds that it infringed his rights to privacy.
The Romanian courts upheld the employee’s dismissal, and so he applied to the ECtHR. The Court agreed with the Romanian court and held that the monitoring and use of the personal messages was a proportionate and reasonable interference in his Article 8 rights.
It is important for employers to have at least a broad understanding of the law surrounding the monitoring of employees and how it affects what monitoring employers are permitted to undertake:
The HRA incorporates the ECHR into UK law. Only public authorities are expressly subject to the HRA. However, before private employers ignore this section, it is important to be aware that the HRA is relevant to all employers (including the private sector) because courts and tribunals must interpret all legislation (both past and future) consistently with the rights incorporated by the HRA as far as possible.
Article 8(1) of the ECHR states that “everyone has a right to respect for his private and family life, his home and his correspondence”.
However, this is not an absolute right and interference with the right is allowed where it is:
The legitimate aim for most employers will be protecting business interests and ensuring employees are working during work hours.
The ECtHR has previously concluded that Article 8 was infringed where:
We refer to this below.
Surveillance in the UK is governed by RIPA, which seeks to provide the legal basis in the UK as required by Article 8.
RIPA concerns the interception of communications in the UK “by, or with the express or implied consent of a person having the right to control the operation or the use of a private telecommunication system”. If such an interception is “without lawful authority”, it is actionable by the sender, recipient or intended recipient if the interception is either:
So, if an employer’s internal telephone or computer systems are attached to public telecommunication systems, the employer’s interception of employees’ emails or messages would be caught by this legislation. If the interception is unlawful the sender, recipient or intended recipient of the communication can claim damages against the employer.
However, the employer will not be liable if it intercepts communications “with lawful authority”; that is, in the manner allowed by RIPA or the Telecommunications Regulations 2000.
The next piece in the jigsaw for employers who wish to monitor employees is the Telecommunications Regulations 2000. These provide for circumstances where, in a business context, it is lawful (for the purposes of RIPA) to intercept communications without consent. RIPA provides:
A. To establish the existence of facts relevant to the business, businesses can monitor or record communications without consent to:
B. Regulation 3 also allows businesses to monitor but not record without consent for the purposes of:
This gives employers a fair amount of latitude to monitor.
Monitoring an employee’s use of email and the internet involves the processing of personal data and so the DPA must be considered. It is important for employers to have an awareness of the eight key principles set out in Schedule 1 of the DPA which apply to the processing of personal data. For example, personal data should be processed fairly and lawfully and personal data shall be obtained only for specified lawful purposes.
The Employment Practices Code is issued by the Information Commissioner to sit alongside the DPA. The Code contains the Information Commissioner’s recommendations on how to meet the legal requirements of the DPA. Employers should be aware of Part 3 of the Code which considers monitoring in the workplace. The main principles of the Code are:
As we have said above, the law is disparate and in our view not clearly drafted. We have distilled the key points below.
1. Monitoring of employees’ IT use and systems at work can be lawful. This is clear. There is no overarching right to privacy which allows employees to do what they like at work when using an employer’s IT systems, provided the use is private.
2. Employers need to consider what monitoring they need and why they are monitoring.
3. Carry out an impact assessment. The Employment Practices Code recommends that employers undertake impact assessments to demonstrate they have achieved the desired balance between:
4. Employees need to know. Employees must have a clear understanding of:
5. Employers should take advice. You might say this is an easy thing for us to say and that it suits lawyers to say this. Believe us, this is an area where it’s well worth spending a few pounds with your chosen lawyer.
6. Do not try to do this without a policy. You need a set of written rules and guidelines. This is set out in a policy.
7. Make sure your monitoring policy works with your other rules, such as working from home and your disciplinary policy.
8. Data Protection. In your day to day monitoring, make sure you comply with the DPA.
9. Personal devices and social media. Think also about related issues such as the use of personal devices and social media.
It is beyond the scope of this article to set out precisely what should go into a policy to address these issues. However we advise you not to lift a policy off the shelf or just accept what your lawyers or HR consultants give you. Tailor the policy to your business. You should have a policy or policies covering:
Some employers have 1 policy covering all of the above; some split it up. Once you have your policy:
In short, nothing has changed. The case of Bărbulescu should not be seen by employers as providing them with a laissez-faire right to access employees’ personal emails or messages. In this case, the ECtHR recognised the need for employers to be able to verify that employees are completing professional tasks during work hours. Importantly, the decision does not overrule previous ECtHR case law on the reasonable expectation of privacy, and nor does it override existing UK legislation, including the DPA and RIPA, which place important limitations on employers’ power to monitor their employees’ private communications.
There are clearly different levels of monitoring that can take place but whatever is done should be proportionate and with an awareness of an employee’s right to privacy. Employers, therefore, are still tasked with the tricky balancing act of an employee’s Article 8 rights to privacy and the employer’s own interests.