Out-Law Guide | 25 Aug 2011 | 10:30 am | 7 min. read
Employers have always monitored their staff in one way or another because they have always needed to be able to check the quality and quantity of their employees' work. As employers are very often liable for the actions of their employees, they also need to be sure that their staff members are behaving properly.
Most employees have access to a variety of hi-tech tools such as email, the internet, mobile phones and PDAs to help them with their work. Employers need to be sure that these ways of working do not give rise to additional liabilities – for example, some employers have found themselves liable for claims of sexual harassment, defamation or breach of contract due to their employees' improper use of their systems or equipment. It is also all too easy for company security to be breached, confidential business information to be leaked or for employers to become the victim or perpetrator of fraud because of the deliberate or inadvertent acts of their staff. In addition, the increasing use of social network sites by staff has the potential to damage an employer's reputation.
There is an abundance of technology - such as CCTV or monitoring software - which employers can use to monitor their staff, but employers need to ensure they do not go too far and risk claims for unfair dismissal or breach of the considerable volume of legislation which dictates what employers can and cannot do in terms of monitoring their staff. Nonetheless, employers can protect their businesses and obey the law if they stick to some basic rules about monitoring.
What should you do if you want to monitor your staff?
Weigh up the pros and cons
Before carrying out any monitoring at all, the employer should go through a process of weighing up carefully the pros and cons of the proposed monitoring – for further information, see the Information Commissioner's Employment Practices Code. What exactly is the purpose of the monitoring? How much of a real difference will it make to the company to have information which could be obtained? What steps would the employer put in place to make sure the information was properly handled once it was obtained?
The employer should then consider whether there are any less intrusive ways in which it could achieve the same goal. For example, if an employer is worried that staff are sending too many personal emails at work, could it reduce the number simply by sending a 'round robin' reminder to staff or does it need to set up a system to check the number of personal emails being sent?
The employer should then weigh up the advantages of the monitoring against the adverse impact it might have for staff or customers of the business. Any adverse impact of monitoring on individuals must be justified by the benefits to the employer and others and monitoring must be a proportionate response to the problem it seeks to address. More often than not, employees' private lives do extend into the workplace and the employer should assess how much the proposed monitoring will affect employees' privacy or damage their trust in their employer.
Ideally, once the employer has considered the pros and cons, it should set out briefly in a note the issues it has considered and the reasons for the decision it has made.
Tell staff what you are doing
More often than not, employers do not need to keep monitoring a secret. Employees understand and expect their employers to keep an eye on their business and if the employer can explain the reason why it believes monitoring to be necessary they will not normally have any objections. Employers must always tell their staff about the types of monitoring taking place, the reasons for it, the sort of information that will be obtained and when, why and how it will be obtained, how the information will be used and to whom it will be disclosed.
By far the best way to tell staff what you are doing is to have a clear policy which sets out the monitoring which is taking place and the reasons for it. Our free Out-Law communications policy gives an example of the type of policy you may wish to put in place for staff and sets out the standards expected of employees when using company systems together with the type of monitoring that the employer might be carrying out.
A policy alone will not suffice, however, and employers must make sure that employees are made aware of the policy and that they practise what they preach. To be safe, employers will be expected to clearly communicate to staff what they can and cannot do and the best way to do this is by training them. If and when systems change, the policy should be updated and employees should be told about any changes.
There may be times when an employer would prefer not to tell staff that it is monitoring them, but this type of 'covert' monitoring is rarely justifiable. There is a huge difference in law between an employer who openly operates CCTV in order to protect its staff or property and an employer who covertly installs CCTV just in case it finds a member of staff asleep on the job.
Before considering implementing any type of covert monitoring, employers should therefore remember that the only time covert monitoring might be justifiable is where they have grounds for suspecting criminal activity or extremely serious malpractice - for example, breaches of health and safety which might jeopardise the safety of others.
The employer should ensure that any covert monitoring is strictly targeted, that monitoring does not continue for any longer than absolutely necessary and that as few people are involved in the investigation as possible. Senior management would be expected to sign off on any decision to use covert monitoring.
Keep the information properly
The purpose of monitoring is obviously to collect information, whether this is in the form of emails, video footage, audio recordings or information about someone's internet usage. However, employers must remember that with information come obligations. Employers must be able to manage and store the information they receive properly, especially if it relates to a living person who can be identified from that information. The Data Protection Act (DPA) sets down rules about how this information should be used and stored. For more information about these duties, see our Out-Law Guide to the Data Protection Act.
In addition to the DPA, the Human Rights Act gives every individual a right to respect for their private and family life, home and correspondence. Although the Human Rights Act applies directly only to public authorities and their employees, it indirectly affects private employers and employees because employment tribunals and courts are expected to take it into account when deciding cases. Although the employees' right to privacy does not outweigh all other rights and must be balanced against other interests - such as public safety, the prevention of crime and certain economic considerations - it is valued very highly by employees. Employers will be expected to balance their own needs very carefully against their employees' legitimate right to privacy in the way they hold and use information they gather in the course of monitoring.
Employers should ensure that the number of people who have access to the personal information obtained through monitoring is kept to a minimum. Those in receipt should be subject to confidentiality and security requirements and should be properly trained where the nature of the information requires this. Information collected through monitoring should only be used for the purpose for which the monitoring was introduced.
Monitoring your employees' emails legally
Laws on the interception of communications are also relevant. The Regulation of Investigatory Powers Act (RIPA) makes it unlawful to intentionally intercept communications in the course of transmission without lawful authority. Intercepting basically means making some or all of the content available, while being transmitted, to a person other than the sender or intended recipient. Transmission also covers diverting or recording the content to look at later. RIPA will cover monitoring email use at a content level rather than at a traffic level.
One way of getting this lawful authority is to obtain the consent of both the sender and the recipient. However, this is impractical for most organisations that send and receive emails externally. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations provide another means of lawful authority if the monitoring is for one or more of the purposes specified in the Regulations and the system controller has made all reasonable efforts to inform every person who may use the system that communications may be intercepted.
The list of purposes includes ascertaining compliance with regulatory or self-regulatory practices or procedures, detecting unauthorised use and preventing or detecting crime. It is likely that most organisations will be able to bring monitoring within one of these grounds.
The main problem is that the Regulations only apply to business communications and not to personal communications and the Code reinforces the point that if monitoring involves interceptions of the content of non-business related communications then this is unlawful. Employers need to consider how they will comply in practice.
Once an employer is satisfied that it has lawful authority, it must make reasonable efforts to inform people about interception. This is where communications policies again come in, telling employees what may happen. Employers may also have to consider how they make reasonable efforts to inform third parties - can they include this in their terms of business, on their email disclaimer notices or on their web sites?
What should you do if you find out your staff have been misbehaving?
Employers who discover their staff members have been committing misconduct should make sure they follow their own internal disciplinary procedures carefully, if they have them, before taking any disciplinary action against an employee. Whether they have internal procedures or not, they should ensure that they follow the Acas Code of Practice. The Out-Law guide to disciplining employees fairly sets out in more detail the steps employers should follow in investigating alleged misconduct, holding a disciplinary hearing and ensuring that any disciplinary sanction they impose can be justified.