Q&A: Employment Practices Data Protection Code

Part three of the Employment Practices Data Protection Code deals with staff monitoring. Mark Mansell and Lucy Baldwinson from Allen & Overy offer a quick guide on how to comply.

What does this section of the code add to my "urgent list of things to do"?

Employers will need to take steps to comply with the Code if they carry out any workplace monitoring that goes beyond one individual simply watching another. If monitoring involves manual recording or automated processing of personal information it must be carried out fairly and lawfully. There is no single definition of monitoring but it could include activities such as taping phone calls for training purposes or checking workers' e-mails and internet use for access to pornography.

As an immediate response to the Code, employers should do a quick audit of their monitoring activities. They should then conduct an impact assessment to assess whether or not their monitoring is lawful in terms of data protection compliance.

An impact assessment involves the following steps:

  • Identify the purpose(s) of monitoring and the benefits it's likely to deliver;

  • Identify any likely adverse impact;

  • Consider alternatives to monitoring or less intrusive ways in which it could be carried out;

  • Take into account obligations that arise from monitoring such as notifying workers about monitoring arrangements, keeping the information gathered secure and the implications of individuals' rights to access copies of information collected through monitoring; and

  • Judge whether monitoring is justified when weighing up the benefits against any adverse impact.

Employers should also double-check that workers are aware of the nature, extent and reasons for any monitoring, unless covert monitoring (i.e. without workers' knowledge) can be justified.

The general approach under the Code is that employers can carry out workplace monitoring provided that the right balance can be struck between the legitimate expectations of workers and the interests of employers.

What do you recommend when it comes to managing compliance on a long-term basis?

The nature and size of the organisation will influence what it is reasonable to expect in terms of the systems employers should put in place to manage data protection compliance. The Code's recommendations include the following:

  • Designate a particular person to take responsibility for ensuring that employment policies and procedures comply with data protection legislation;

  • Carry out an audit of personal data within the organisation to highlight any gaps in data protection compliance that need to be remedied;

  • Ensure that both line managers and workers are aware of their data protection responsibilities and potential liabilities through guidance notes and training;

  • Check that the organisation has a valid and up-to-date notification in the Information Commissioner's register of data controllers;

  • Consult workers and/or worker representatives, where appropriate, over the development of employment practices and policies that involve processing personal information about workers; and

  • Conduct an impact assessment to ensure that all monitoring activities are fair and lawful.

Is there an exemption from the provisions of the Code for small employers?

No. The Data Protection Act 1998 (DPA 1998) and the Code apply to all organisations regardless of their size. However, the Information Commissioner has published guidance on monitoring at work that is specifically aimed at small employers, offering a simplified version of the Code's requirements.

We often record our workers' phone calls for training purposes. Can we carry on doing this under the Code?

Yes, but there are some conditions that need to be satisfied. Recording worker telephone calls (as well as intercepting any other telecommunications, such as e-mails, in the course of transmission) is subject to the Regulation of Investigatory Powers Act 2000 (RIP) and the Lawful Business Practice Regulations (LBP Regulations) as well as data protection legislation. Provided that the call is being monitored for training purposes and workers have been notified in advance of any monitoring, recording the call will be allowed under RIP and the LBP Regulations.

For the purposes of data protection, the Code recommends carrying out an impact assessment to determine whether the benefits justify the adverse impact. If so, inform workers about the nature and extent of monitoring. In addition, the Code requires those making calls to, or receiving calls from, workers to be informed of any monitoring and its purpose, unless this is obvious. This could be done by a recorded message or by workers telling callers that their calls could be monitored.

Surely it's OK to read workers' e-mails when they're on holiday to make sure that there isn't anything business-critical which goes unattended?

Yes, but the Code advises that if it is necessary to check e-mail accounts in a worker's absence, make sure that they know this will happen. Where practicable, the Code recommends that those sending e-mails to workers are also made aware of any monitoring and the purpose behind it.

The employer is advised to encourage the use of a marking system to help protect private or personal communications. Where possible, monitoring should be confined to the address or heading. The Code requires employers to avoid opening e-mails, particularly those that are clearly private or personal, unless there is a valid and defined reason to examine content.

We would like to monitor Internet use as there have been several instances of workers downloading pornography at work. Can we do this?

Yes, the Code does permit the monitoring of Internet access. However, it recommends carrying out an impact assessment to ensure that the benefits are not outweighed by any adverse impact.

It also requires workers to be informed of the nature and extent of all Internet monitoring, as well as the extent to which information about Internet use is retained and for how long.

Generally, it is advisable to set out explicitly in a policy document what is permitted use and what is considered an abuse of an employer's Internet and communications facilities, particularly where the employer permits a degree of personal use. The Code gives guidance on the basic contents which should be included in a communications policy.

There is a suspicion that some of our workers are buying and selling drugs in the men's toilets. Can we install a secret camera to catch them red-handed? What happens if we notice some other misconduct in the course of filming?

According to the Code, covert monitoring should only be used in exceptional circumstances, for example, where there are grounds for suspecting criminal or equivalent malpractice. It must be strictly targeted at obtaining evidence within a set timeframe and should normally be authorised by senior management.

Covert monitoring in private places, such as the toilet or a private office, is even more restrictive under the Code as it requires that this should be confined to cases of suspicion of serious crime where there is also an intention to involve the police. A suspicion of drug dealing is likely to equate to suspicion of a serious crime.

Any other information collected in the course of covert monitoring should be disregarded, according to the Code, unless it reveals information that no reasonable employer could be expected to ignore (e.g. where it concerns other criminal activity or equivalent malpractice).

Can we take a short cut by obtaining workers' consent to all forms of monitoring with or without their prior knowledge?

The Code is moving away from using consent as a means of justifying monitoring. This reflects the European approach which stipulates that consent must be "freely given". The Code recognises this may not always be the case in the employment context. Consent can also be withdrawn at any time.

Accordingly, it may be safer for employers to ensure that their monitoring activities can be justified on the basis of an impact assessment, in which case consent is generally not needed to monitor workers.

What happens if an employer's monitoring activities fail to comply with the Code?

The Code sets out the Information Commissioner's recommendations as to how the legal requirements of the DPA 1998 can be satisfied. However, there may be alternative ways of meeting these obligations that are not contained in the Code. Non-compliance with the Code does not mean automatic non-compliance with the DPA 1998. Only breaches of the DPA 1998 will trigger enforcement action.

However, if the employer does not take any steps towards data protection compliance, there is a strong likelihood that it will be breaking the law.

Where can I find the code in full?

At the Information Commissioner's website, www.informationcommissioner.gov.uk.

Partner Mark Mansell and professional support lawyer Lucy Baldwinson are from international law firm Allen & Overy's Employment, Pensions and Incentives Department.