ECHR judgment and the tricky issue of email monitoring: What now for employers?

How should employers adapt their policies on monitoring employees' use of email or other company systems in the wake of a recent ECHR decision? Sarah Ozanne explains.

The Grand Chamber of the European Court of Human Rights recently determined that a sales employee had his human rights breached when his employer did not notify him of its intention to monitor his work email communications.

The decision in the Barbulescu v Romania case is notable due to the contradictory decisions by the Chamber and the Grand Chamber of the ECHR. But the decision of the Chamber did not give employers carte blanche to access employees' communications at work, and the decision of the Grand Chamber doesn't mean that employers cannot dismiss employees for personal use of work email in appropriate circumstances.

In fact, the decisions in this case simply reaffirm existing legal principles in this area of the law.

The ECHR has previously held (in the case of Copland v UK) that a failure to inform an employee that their use of an employer's IT system might be monitored was a breach of Article 8 of the European Convention on Human Rights, the right to respect for private and family life, the home and correspondence.

Article 8 provides that a public authority shall not interfere with the exercise of an individual's right to privacy except in certain circumstances, including the protection of the rights and freedoms of others.

Striking a balance

In an employment context, the law therefore requires that domestic courts strike a balance between the need of the employer to protect its business and the employee's right to privacy.

When it comes to an individual's right to privacy, employers need to be mindful of proportionality by: identifying a legitimate objective; ensuring that such an aim is sufficiently important to limit an individual's right to privacy; and ensuring that the method chosen is no more than is necessary to achieve the objective.

The issue of employee monitoring under UK law has a fairly well developed regulatory framework.

This includes Article 8, but the key UK regulation is the Data Protection Act 1998, which is supported by guidance set out in the Employment Practices Code.

When considering monitoring employees at work, whether systematically or on an ad hoc basis, an employer should carry out an impact assessment considering the issue of proportionality (as highlighted above), and employees should be given information about the monitoring.

Notifying employees

The Code recommends that employees are notified of the circumstances in which monitoring will take place, the nature of the monitoring, how the information obtained through monitoring will be used and who it may be disclosed to - and the safeguards in place for employees who are the subject of monitoring.

It is not enough to inform employees generally that monitoring of some form may take place.

This area of law is the subject of further development with the implementation of the General Data Protection Regulation next year and guidance being set out by the EU Article 29 Working Party.

The Working Party has recently produced useful guidance on the issue of monitoring in the workplace, taking into account the advances in technology available to do so and the complications of monitoring personal devices.

One of its suggestions is that employers offer alternative unmonitored access or use of their IT systems where employees can legitimately use the IT facilities for private use. Examples could include providing free Wi-Fi to employees for the use of personal devices, or an employer excluding certain types of traffic from its monitoring.

This could also include access to private webmail or online banking where interception is more likely to risk a breach of the balance between the employer's legitimate interests and the employee's privacy.

Employees could also be allowed to designate certain spaces within systems, such as calendars, as private.

Clear policy

Any measures like this should be accompanied by a clear IT policy, which would allow employees to adjust their behaviour so that they are monitored only in appropriate circumstances.

Overall, employers should give priority to preventing abuse of their IT systems, for example blocking access to certain websites, rather than detection. This reduces the need for monitoring in the workplace, and with it the associated issues that have to be considered.

Another tricky area is the use of IT outside the immediate workplace, or where employees bring their own devices and use them during working hours. The key for employers is to approach the risk in all these areas of IT use in a proportionate, non-excessive way.

In short, employees communicating electronically from business premises can be protected under Article 8.

Based on the current Data Protection Directive, which is implemented in the UK through the Data Protection Act, employers may only collect data for legitimate purposes under appropriate conditions - bearing in mind the need to be proportionate and transparent.

Employers should communicate effectively with their staff about any monitoring to take place.

This should include the purpose of this monitoring, and the circumstances and possibilities for employees to prevent their data being captured by monitoring technologies. Policies relating to monitoring should be clear and accessible.