Monitoring employee communications: WhatsApp case raises concerns
A recent legal case involving messaging service WhatsApp raises issues about monitoring employee communications. Nick Le Riche, a partner at Bircham Dyson Bell, offers practical tips on balancing employees' privacy rights with employers' need to protect confidential data.
In March 2017, the Financial Conduct Authority (FCA) issued a fine of £37,198 to former Jefferies' investment banker Christopher Niehaus for using mobile phone message service WhatsApp to disclose confidential client information separately to a friend and to a client. This is the first time that WhatsApp has featured in a FCA disciplinary decision of this kind, and the case demonstrates that the FCA will treat the disclosure of confidential information using messaging apps in the same way as disclosure using more traditional methods.
Between January and May 2016, Mr Niehaus used WhatsApp to disclose information about two clients that he had obtained through his role as a managing director at Jefferies to another client and to a friend. The information disclosed by Mr Niehaus included the identities of the clients, details of the transactions that he was working on for those clients and the fees that Jefferies was expecting to receive as a result of its work.
One feature of the disclosure that was of particular importance was the fact that some of the information that Mr Niehaus disclosed concerned a client company that was a competitor of the client that he sent the WhatsApp messages to.
The messages were ultimately discovered by Jefferies when Mr Niehaus voluntarily handed over his phone as part of an investigation into an unrelated complaint against him. He was then suspended pending a disciplinary investigation, but resigned prior to a decision being made.
As Mr Niehaus had freely handed over his phone to Jefferies for inspection, the legal issues over the extent to which an employer can monitor an employee's messaging on their mobile phone never arose in this case. But what issues do employers need to consider when they are considering monitoring their employees' use of their IT systems and/or social media in the workplace?
The main legal framework in this area involves an employee's right to privacy under the European Convention on Human Rights and the Human Rights Act 1998, together with ensuring that the monitoring of an employee's email, internet and phone usage complies with the employer's obligations under the Data Protection Act 1998 (DPA).
Privacy and monitoring employee communications
In terms of privacy considerations, employers are expected to afford employees some degree of privacy in the workplace. The main issues which will be scrutinised in these situations will be whether or not the employee had a reasonable expectation of privacy in relation to the particular communication, and if so whether or not the interference with that privacy was in accordance with the law and was proportionate.
Monitoring is more likely to infringe an employee's privacy if the employer does not have an IT policy in place and the employee has not been informed that their use of IT systems might be monitored.
The courts will also expect to see that the employer's monitoring of an employee goes no further than is necessary to investigate the alleged misconduct in question and that other areas of an employee's email or internet usage that are not relevant are ignored.
Similar issues are relevant to an employer's obligations in relation to monitoring under the DPA. The Information Commissioner's "Employment practices code" recommends that employers provide employees with information in relation to the circumstances in which monitoring may take place, the nature of the monitoring, how the information obtained through monitoring will be used and the safeguards in place for the employees subject to monitoring.
Simply telling employees that their IT usage may be monitored is unlikely to be sufficient and the notification should go further. Employers will also be expected to consider whether or not the reason for the particular monitoring is justified and whether or not the means of monitoring chosen are proportionate to meet that need.
As with the general privacy considerations, the Information Commissioner's office expects employers to ensure that any monitoring will go no further than is necessary, and that consideration is given to whether or not the needs of the employer's business can be met without monitoring.
As well as the obligations under the European Convention on Human Rights and the DPA, employers should also consider general employment principles as well. Inappropriate monitoring of an employee's IT usage may amount to a breach by an employer of the implied duty of trust and confidence, which could justify the employee's resignation and a claim of constructive dismissal. Similarly, relying on evidence obtained through illicit monitoring in order to dismiss an employee could render such a dismissal unfair.
Had Mr Niehaus not been so willing to hand over his phone for inspection then it would have been important for Jefferies to have had a clear and well-publicised IT policy in place, which set out the extent to which its employees' IT usage would be monitored. It would also have had to include up-to-date details of the types of messages that would be monitored in order for it to have been carried out lawfully.
If an employer has a belief that confidential information is being disclosed by employees inappropriately then it can consider monitoring employee communications provided that such monitoring is proportionate and that its scope does not extend to areas which are not relevant to its concerns. Such monitoring may be easier to justify, such as in Mr Neihaus's case, where there are regulatory issues that also have to be considered.