Data protection and employment practice (5)

Following the formal publication by the Information Commissioner of the final part of the Employment Practices Data Protection Code - Part 4: information about workers' health - we continue our series of guidance notes on data protection and employment practice with this fifth part, which deals with Part 3 of the Code on monitoring at work ("the Monitoring at Work Code1"). The sixth and final part of the series, on Part 4 of the Code, will appear in a future issue (see the box below for details of the first four guidance notes in the series).

The Monitoring at Work Code encourages employers, in their monitoring activities, to adopt good practices in order to comply with the Data Protection Act 1998 ("the DPA") and other relevant legislation. We examine the balance that the Code strikes between, on the one hand, an employer's legitimate interest to protect its own business within the law in this way and, on the other, the legitimate expectation of workers that personal information obtained through monitoring and surveillance will be handled properly.

From the outset, it should be noted that neither the Monitoring at Work Code, nor the DPA, imposes a general prohibition on monitoring activities. Rather, such monitoring activities must be carried out in a manner consistent with the DPA and other relevant provisions making up the data protection regime in the UK.

Compliance with that regime has been covered in detail in previous guidance notes, to which readers are referred. In this guidance note, however, we begin with a summary of the relevant principles (focusing in particular on how it is envisaged that they will impinge on the monitoring of workers), before moving on to the provisions of the Monitoring at Work Code itself.

Compliance with the DPA

The proper handling of personal information about workers must always be set within the legal context of the DPA. Therefore, firstly, employers must be aware of the important rights that their workers are given under the Act, namely the right to gain access to their personal data (information held about them by their employers); to challenge any misuse or abuse of those data; to prevent any processing of data that is likely to cause them damage or distress; and to seek redress in the courts against breaches of these rights.

The definition of the term "data" encompasses three groups of information. It certainly includes information held or processed by automated systems such as computers, microfiche and microfilm, audio and video systems and telephone logging systems. The definition refers also to manual data, that is, information recorded as part of, or with the intention that it should be part of, a relevant filing system. Lastly, the term data applies also to accessible records, defined in s.68 of the DPA to include health records consisting of information about an individual's physical or mental health or condition made, for example, by an occupational health practitioner.

All such data will amount to "personal data" within the meaning of the DPA, where they relate to a living individual who can be identified therefrom, or from data and other information possessed by, or likely to come into the possession of, the employer.

According to the Legal Guidance2 issued by the previous information commissioner, an individual will be capable of being identified from data even if their name and address are not known, if the data can be processed to enable the employer to distinguish that individual from another (for example, for the purposes of meting out different treatment to him or her). Therefore, CCTV footage will amount to personal data where it is possible to match the image of an individual caught by the camera with a photograph, a physical description, or a physical person. Email addresses that clearly identify a particular individual will also amount to personal data about that individual, as will an email about an incident involving a named worker.

Data in the "possession" of the employer will also, according to the Legal Guidance, be wide enough to encompass the situation where the employer hires a private detective for the purposes of monitoring and surveilling its employees under an arrangement in which the employer determines the purposes for which, and the manner in which, that data are to be processed. The employer may not have had sight of all or any of the information that identifies a living individual from that data, for example, in circumstances where the private detective receives some of the identifying data from a third party. Nevertheless, the employer is deemed to be in possession of those data (see our guidance note Data protection and employment practice (1) for a consideration of these key definitions in the DPA that dictate its scope and its requirements, and for their interpretation in light of the Legal Guidance).

Personal data and Durant v Financial Services Authority

Only "personal data" within the meaning of s.1(1) of the DPA can form the object of a subject access request under s.7 by a worker. Since the Commissioner's Legal Guidance, the Court of Appeal has given further consideration to the meaning of this term in the case of Durant v Financial Services Authority3. In Durant, the court held that it is likely that only information that names or directly refers to an individual will fall within the definition of "personal data". It must affect the individual's privacy, either in the individual's personal or professional life. Its conclusions represent a significant narrowing of the construction to be placed on the term "personal data", and of the interpretation given to it by the Legal Guidance.

Thus, personal data will, in most cases, be limited to information naming or directly referring to an individual. Whether or not any information that refers to an individual is "personal" in any particular instance will depend on its relevance or proximity to the individual. This will in turn depend on the extent to which the information is biographical, and the extent to which it has the individual as its focus. Consequently, personal data must do more than simply name an individual. It must affect their privacy, whether in their personal or family life, business or professional capacity, in some way.

Some personal data form a narrower category defined in s.2 of the DPA as "sensitive personal data". These include information held in workers' records as to their racial or ethnic origin; political opinions; religious or other similar beliefs; trade union membership; physical or mental health or condition; sexual life; offences or alleged offences; legal proceedings against them and the outcome of those proceedings. In the context of monitoring, the Code envisages that typical circumstances in which such information may be held include:

  • Monitoring an email containing health information sent by a worker to a manager, personnel department or occupational health adviser.
  • Monitoring internet access logs that reveal that a worker routinely accesses a particular trade union website, thus indicating trade union membership.
  • Information about a worker's political or religious beliefs obtained by intercepting and recording a private conversation.

    Fair and lawful processing of personal data

    Employers must also take note of what is meant by the term "processing" of personal data. This is a compendious term, which the Legal Guidance envisages as including any action possible involving data. In terms of the employment relationship, the entire range of activities that information about a worker can be subjected to, from the time before the individual is taken on as a worker and extending to after the employment relationship has ended, including all forms of monitoring and surveillance activities involving that worker, will be caught by this definition.

    What all this means for the employer that wants to engage in monitoring its workers is that it must ensure that, in carrying out this activity, its handling of personal data complies with the eight data protection principles which form the backbone of the DPA. As a general requirement, it must ensure that personal data is processed fairly and lawfully in compliance with the first principle. In particular, this means that at least one of the conditions in Schedule 2 to the DPA and (in the case of sensitive personal data) one Schedule 3 condition must also be met. The Schedule 2 and 3 conditions relevant to the activity of monitoring workers are:

  • The worker has given their consent to the processing of his or her personal data and, where the data concerned are sensitive personal data, this consent is explicit.

    Consent must be "freely given", "unambiguous" and must be "signified" to the employer by means of some active communication, written or otherwise. Explicit consent must not only be absolutely clear, but must cover the specific detail of the processing, the particular type of data (or even the specific information), the purposes of the processing, and any special aspects of it that might affect the worker.

    Because of the difficulty of achieving "freely given" consent in the context of the employment relationship, the commissioner's advice is that it will be prudent for an employer to be able to rely on some other condition as well. However, it is worth noting that, in the case of monitoring activities, an employer who can justify monitoring on the basis of an impact assessment (see below) will not generally need the consent of individual workers.

  • The processing is necessary for the purposes of exercising or performing any legal right or obligation owed by the data controller, other than a contractual obligation.

    The Code envisages that these will include health and safety at work obligations; anti-discrimination obligations; unfair dismissal protection for workers; and obligations to protect customers' property or funds in the employer's possession.

  • The processing is of sensitive personal data consisting of information as to racial or ethnic origin, and is necessary for the purposes of identifying or keeping under review the existence or absence of equal opportunities or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained.
  • The processing is necessary for the administration of justice, for the exercise of certain statutory functions by public sector bodies, or for the exercise of any functions of the Crown, a minister of the Crown or a government department.

    A public sector body may find that monitoring is necessary if it is to comply with certain specific legal duties in relation to workers' conduct or probity, or to discharge its wider statutory functions.

  • The processing is in the substantial public interest, is necessary for the prevention or detection of any unlawful act and must necessarily be carried out without the explicit consent of the data subject being sought, so as not to prejudice those purposes.

    Unlawful acts include criminal activity in the workplace as well as breaches of statutory or common law obligations.

    COMPLIANCE WITH OTHER PROVISIONS

    The developing law of privacy has also meant that the DPA cannot be interpreted in isolation, but always within the context of other domestic and European legislation with which it interrelates. In any case, the general requirement that data processing must be lawful necessarily means that it cannot take place in breach of other legal requirements.

    For the purposes of monitoring workers, the most relevant other pieces of legislation are: the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 ("the Lawful Business Practice Regulations"); the Regulation of Investigatory Powers Act 2000 (RIPA); and the Human Rights Act 1998 (in conjunction with Article 8 (right to respect for private and family life) and Article 10 (freedom of expression) of the European Convention on Human Rights).

    When monitoring is undertaken by means of the interception of electronic communications (telephone calls, fax messages, emails and internet access), RIPA and the Lawful Business Practice Regulations are called into play. Generally, they prohibit interception of communications without consent, but provide a number of exceptions to this rule. Whenever interceptions also involve the processing of personal data, the DPA is invoked as well, and an employer will need to satisfy all three pieces of legislation.

    The RIPA makes the interception of communications unlawful except as authorised under the Regulations. This applies to both public and private sector businesses. Thus, it is unlawful under RIPA for an employer to intercept an electronic communication on its own, or another's system, unless the interception is taking place with consent, or the interception is connected with the operation of the communications services itself. The Lawful Business Practice Regulations then set out further exceptions to this general rule in RIPA, including:

  • where the interception is only for monitoring business-related communications, and is to decide whether a communication is a business-related one, and all reasonable efforts have been made to inform users of the interception;
  • where a confidential telephone counselling or support service is involved, and all reasonable efforts have been made to inform users of the interception; or
  • where the interception is for an authorised business purpose and all reasonable efforts have been made to inform users of the interception.

    An interception may take place where a supervisor listens in to calls, where emails are opened before they have been opened by the intended recipient, or where an automated system opens emails and/or their attachments to check for viruses. There is no interception where a business accesses stored emails that have been received and opened or deleted by the intended recipient, or a business accesses a stored collection of sent emails. Circumstances in which interception without consent is allowed are wide-ranging, and include:

  • where the interception takes place in connection with the provision or operation of a telecommunications service. Most employers will be such providers in respect of their own electronic communications systems and networks, and so may, for example, rely on this exception, in connection with interceptions carried out by their IT departments on incoming emails in order to free up the gateway to the network;
  • where the interception is solely for monitoring or recording communications involving business-related transactions. This excludes workers' personal communications unless they are somehow business-related, or unless in attempting to access business communications, access to personal communications is incidentally and unavoidably obtained;
  • where the interception is to monitor, but not record, communications to see if they are business-related, such as opening an absent worker's emails to check for business communications that need to be dealt with in the worker's absence. Care should be taken to avoid those that are clearly personal;

  • where the interception is to monitor, but not record, communications to a confidential, free, telephone counselling or support service, in order to enable helpline workers to receive appropriate supervision and support; and
  • where the interception is to monitor or record business communications for the purposes of being able to establish factual evidence of business transactions; compliance with regulatory/business procedures; to check on standards achieved by workers; to facilitate staff training; to prevent or detect crime; to investigate or detect unauthorised use of telecommunications systems, or to secure the system and its effective operation against viruses or other threats.
    The Lawful Business Practice Regulations, therefore, essentially give employers a power to intercept communications on their own systems without specifying how that power is to be exercised. The fetters on this discretion will have to be determined by reference to the DPA and to the interpretative duty in s.3 of the Human Rights Act 1998, which requires legislation to be read (so far as is possible) in conformity with the European Convention on Human Rights (Art.8 in particular).

    THE EMPLOYMENT PRACTICES DATA PROTECTION CODE

    The Code of Practice is in four separate parts, each designed to stand on its own, but together forming a comprehensive code of good practice on how data protection laws impact the employment relationship.

    Legal status of the Code

    Issued under s.51 of the DPA, the Code is an aid to compliance with the Act and is not itself legally binding. Therefore, employers who have alternative ways of meeting the Act's requirements are not bound to follow it. However, because it represents the information commissioner's recommendations as to how the provisions of the Act can be met, relevant parts of it may be cited by the commissioner in any enforcement action brought against an employer, and an employer who cannot show that it has met the Code's recommendations, or met the Act's requirements in some alternative way, may be held to be in breach of the DPA.

    Accordingly, adherence to the Code will help protect employers from legal challenges to their data protection practices, and will also help them meet other legal requirements, such as compliance with the HRA and RIPA. Where employers operate global businesses, the Code's consistency with European data protection laws will help ensure that consistent policies and practices with the rest of Europe are adopted.

    Coverage of the Code

    The DPA, and hence the Code, applies to the processing of personal data about any individual who wishes to work, works or has worked for the employer, including: successful and unsuccessful applicants and former applicants for employment; and current and former employees, agency staff, casual staff and contract staff. It also applies to volunteers and those on work experience placements.

    Workers, particularly those in management roles, also have responsibility for the type of personal data they collect and the purposes to which they put them. They must not disclose personal data outside the organisation's procedures, or for their own purposes. Doing so may amount to a criminal offence, unless this is otherwise justified, for example, under the Public Interest Disclosure Act 1998.

    It is envisaged that ultimate and/or overall responsibility for data protection at work will lie with senior management, perhaps in the human resources function (in small businesses, perhaps the owner of the business). However, because data protection issues will arise in any part of the business where workers' personal information is processed, there will clearly be a need to ensure that data protection knowledge, policies, procedures and practices are well established throughout the organisation, and that there is a well thought out approach that takes a company-wide view of the compliance issues involved.

    The Code emphasises the multi-disciplinary nature of data protection compliance, illustrating it in this way: the IT department may be responsible for securing computerised personnel information; the human resources function may be responsible for ensuring that the information requested on an application form is not excessive, irrelevant or inadequate; and line managers may have responsibility for the proper disposal of any waste paper bearing personal information about individuals.

    Clearly, issues of vicarious liability will arise for employers where data protection law is breached in any of these aspects, and they may be liable to pay compensation for damage suffered by individuals as a result, unless the managers involved are acting outside their authority. The need for training, a coordinated approach, and clear procedures is therefore paramount. Indeed, with the publication of the full Code, all employers will be well-advised to determine who in their organisation is involved in processing personal data: from the time it is collected through to its usage, storage and ultimate destruction; and whether, at each point of the process, data protection compliance is met. The Code's division into the four parts of recruitment and selection, employment records, monitoring and medical information is to be seen as helpful in making this assessment.

    Monitoring at work

    Many employers at some point may want to introduce monitoring into the workplace. The DPA does not prevent this: it is only monitoring that takes place without authority, and without taking into account the provisions of the Act and the Code, that places an employer at risk of being in breach of data protection law.

    The Code does not provide a definition of monitoring. As with the meaning of "personal data" and Durant, we may have to wait for case law to provide the definitive meaning of the term. The Code states, however, that it covers "activities that set out to collect information about workers by keeping them under some form of observation". This may involve one individual simply watching another, or it may involve the manual recording or automated processing of personal data about the individual under observation.

    For our purposes, the principal reason for conducting monitoring is likely to be to check the performance and conduct of workers. Such monitoring may be carried out directly, indirectly, by examination of work output, or by electronic means.

    Systematic and occasional monitoring

    The Code distinguishes between systematic and occasional monitoring. In the former, the employer monitors all workers or particular groups of workers routinely, for example, by scanning all email messages, or by installing monitoring devices in company vehicles. The Code particularly applies to this type of monitoring and to the larger employers or organisations who, it may be expected, are in a position to undertake it.

    The Code will, however, still apply to occasional monitoring, which refers to monitoring introduced in the short term in response to a particular problem or need, for example, scanning the email messages of a particular worker suspected of wrongdoing such as racial harassment or other criminal activity, or installing hidden cameras in parts of the workplace.

    The general approach to monitoring

    The Code emphasises a number of core principles that should inform an employer's approach to monitoring. These are that:

  • Monitoring is intrusive in nature and, thus, may have an adverse impact on the workers monitored.
  • Workers have a legitimate expectation that they can keep their personal lives private, and that they are entitled to a degree of privacy in the workplace. The monitoring of information of a private nature, such as emails, should be avoided if possible, and those who have access to such information should be restricted in number and well trained to ensure the security, proper use and disclosure of such information.
  • There should be clarity about the purpose of monitoring. Therefore, if an employer's reason for monitoring is to enforce its rules and standards, these rules and standards must themselves be clearly known and understood by workers, and the best way to do this may be to have a policy incorporating those rules and standards. Then, either in such a policy, or separately, the circumstances in which monitoring may be used to enforce those rules and standards, the nature it will take, the use of the information obtained and any safeguards for affected workers, should be set out.
  • Where an employer has informed workers that monitoring is for a particular purpose, any personal information obtained as a result must be used only for that purpose, unless it is in the worker's interest to use the information for another purpose, or the information reveals something that no employer could reasonably be expected to ignore, such as criminal activity or gross misconduct, or breaches of health and safety.

  • The particular monitoring arrangement decided on should be justified by the real benefits that will be delivered. Whether or not these benefits justify the likely adverse impact on workers should be determined, preferably by means of an impact assessment (see below).
  • The awareness of workers as to the nature, extent and reasons for any monitoring is a fundamental requirement unless, exceptionally, covert monitoring is justified. Again, this may be achieved by means of a policy, for example, on the use of electronic communications systems. Awareness means that workers also have a clear understanding as to how the information is to be used and to whom it may be disclosed. Periodical reminders may be necessary, and it will also be necessary to inform them of any significant changes to monitoring arrangements.
  • Employers should bear in mind that information obtained through monitoring (for example, of a worker suspected of drug dealing) could be rendered misleading or inaccurate through equipment or systems malfunction, or could be misinterpreted or even deliberately falsified. Monitoring systems bought off the shelf should comply with data protection requirements.
  • Where monitoring is made a condition of a contract by a third party, this cannot override the employer's obligation to comply with the DPA.

    Adverse impact of monitoring

    Monitoring can clearly have an adverse impact on the lives of individuals at work. It may intrude on their private lives, undermine respect for their correspondence or interfere with the relationship of trust and confidence between employer and employee. The potential consequences of monitoring may not always be obvious as it may not always be easy to draw a distinction between what should be regarded as private in the workplace and what should not be.

    The requirements of the DPA are that if there is to be an adverse impact on workers, this should be justified by the benefit to the employer and others of the monitoring activity being carried out. The Code then demonstrates to employers how to determine when this is the case.

    Impact assessments

    The underlying message of the Code is that, despite the potential for monitoring to have adverse consequences for workers, the DPA does not prevent monitoring and, indeed, recognises that monitoring may be used as a necessary means of satisfying the Act's own requirements. However, the DPA requires that any adverse impact of monitoring on individuals must be justified by the benefits thereof to employers and others. The process of deciding whether or not this is the case is by means of conducting an "impact assessment".

    An impact assessment may be deployed in all but the most straightforward of cases in order to decide whether or not, and how, to carry out monitoring. It is an aid to an employer in determining whether the particular monitoring it wants to carry out is a proportionate response to the problem at hand. Thus, the Code assists employers in identifying and giving appropriate weight to the other factors they need to take into account.

    An impact assessment may be a formal or informal process. In many cases, it will not involve more than a simple mental evaluation of the risks faced by the business, and assessing whether the planned monitoring would reduce or eradicate those risks. In other cases, it will take a more complicated course as, for example, where an employer faces a number of different risks of varying degrees of seriousness. An employer is well-advised in such cases to keep appropriate documentation.

    Monitoring electronic communications

    An employer who wishes to monitor telephone calls, fax messages, emails, voicemails, internet access and other forms of electronic communications must establish a policy on their use which is documented and communicated to workers. If one already exists, it should now be reviewed in light of the DPA and the Code. Employers must then ensure that actual practice is in line with the policy; otherwise they will not be able to rely on the policy to justify carrying out monitoring.

    A policy should indicate the circumstances in which the employers' electronic communications systems may or may not be used. It should clarify the extent and type of private use allowed. Restrictions on overseas telephone calls, the size/type of email attachments that can be sent or received, internet material that can be viewed or copied, should all be specified. What is regarded as impermissible or offensive material should be specified, for example, racist material or pornography.

    A policy should also outline what personal information a worker should include in particular types of communication, and any alternatives that can be used. For example, that communications to the company doctor should be sent by internal post rather than email. There should also be clear rules about the use of the company's electronic equipment when workers are at home or away from the workplace.

    The purpose, extent and means of monitoring should be explained. Finally, how the policy is enforced and any penalties for breach should also be outlined.

    Interception of communications

    As discussed above under "Compliance with other provisions", monitoring that involves the interception of communications should be in line with RIPA and the Lawful Business Practice Regulations. There will be an interception where, in the course of transmission, the contents of a communication are made available to someone other than the sender or intended recipient, as in accessing emails before they have been opened by the intended recipient, but not when they have already been received and opened. The monitoring of communications where the intended recipient is the business itself rather than specific individuals, such as monitoring customer enquiries, will not involve an interception. Where, however, incoming communications are intended for specific individuals, whether they are private communications or not, the monitoring of these before they have been received and opened by the individual may involve an interception.

    The monitoring of electronic communications should, if at all possible, be limited to ensuring the security of the system. Monitoring should therefore be aimed at protecting the system from intrusion by malicious code such as viruses and Trojans, and at detecting the misuse of passwords. Full use should be made of the ability of increasingly sophisticated automated monitoring systems to assist data protection compliance (an automated scan that no person reads is less intrusive than human inspection of the same traffic), and an impact assessment should give consideration to this.

    Where calls are recorded to provide evidence of business transactions, such as telephone banking, this will not be monitoring within the scope of the Code, however. An impact assessment should still consider whether the acceptable benefits might not be achieved by using itemised call records instead.

    Workers need to be informed about the nature and extent of any monitoring being undertaken. Those who use electronic equipment at home will have greater expectations of privacy at home than at work, so must be told the nature and reason for the monitoring of company equipment. However, workers do not have to be informed of covert monitoring, where this is justified, as this would defeat the purpose. External callers of, or recipients of calls from, monitored workers, should be made aware of the monitoring and the purposes of it, unless they are obvious.

    Monitoring emails

    Employers should avoid opening emails if at all possible, especially where they are marked private or personal. Accessing workers' personal emails is particularly intrusive and should be limited to exceptional circumstances only, such as where wrongdoing is suspected - for example, that a worker is subjecting another worker to email harassment, or there is a pressing business need, such as some work-related criminal activity. The suspected wrongdoing must be sufficient to justify the degree of intrusion involved and there must be no other reasonable, less intrusive alternative. An impact assessment should be used to determine this.

    An impact assessment of email monitoring should therefore consider the following matters:

  • Whether analysis of email traffic is sufficient for the employer's purposes, rather than monitoring the content of emails. Alternatively, consideration should be given to whether traffic analysis can be used to narrow the scope of content monitoring, such as by restricting the examination of content to those that are being sent to a rival organisation.

  • Whether monitoring of content breaches any duty of confidence owed to workers or customers; whether some sensitive information, such as between workers and occupational health advisors or trade union communications can be exempted from monitoring; whether a system that allows workers to mark personal communications as such can be used; whether the system can be adjusted to allow messages to be sent that do not bear the employer's official heading so as to reduce the risk of the employer being liable for personal emails sent using the employer's equipment; and whether monitoring can/should be confined to external emails alone, where monitoring of internal emails is more intrusive for workers.
  • A ban on personal emails does not entitle an employer knowingly to open emails that are clearly personal. It may be possible to detect these from the header or address information without opening them, so allowing the employer to take action against the employee. It may also be possible to avoid such interception altogether by providing workers with a separate email account or encryption capability, or to allow access to web-based mail services for personal use. Employers should bear in mind the possibility that emails can be misleading or falsified and so can be challenged in court.

    Monitoring workers' emails also involves processing information about those who send emails to, or receive them from, an organisation, and this means that where practicable these people have to be told, particularly where personal information about them is to be used in ways they would not expect. This may not be easy to achieve in practice. However, where, for example, job applications are required to be sent by email, any necessary information about monitoring should be provided beforehand. Unsolicited emails could have the information provided in any response.

    Where workers are absent, the purpose of opening their emails should be limited to responding properly to customers and other business contacts. Workers should be aware that their communications will be opened in their absence, and there should be a system to ensure that personal communications are protected during a worker's absence.

    Workers should be aware of retention periods for their emails and internet access. This may be provided by means of an information pack addressing this issue when they are given access to the office's internet or email systems, or by displaying online information on their computer. They should not be misled into thinking their information will either be deleted or retained when this is not the case.

    Allowances should be made for situations where websites are visited unwittingly, and workers should be given an opportunity to explain or challenge any information before action is taken against them.

    Internet access monitoring

    An impact assessment should consider:

  • whether monitoring can be used to prevent rather than detect misuse, for example by using web-filtering software to block access to inappropriate sites;
  • whether misuse can be prevented by recording the time spent accessing the internet rather than by monitoring the sites visited or the content viewed;
  • whether the use of the information obtained can be limited: for example, where time spent on the internet is the issue, it may not be necessary to disclose the sites visited to the worker's manager;
  • whether private internet use can be separated from business use, perhaps by having a different log-on for private use, and then limiting the monitoring of private use to time spent; and
  • whether monitoring can be done on an aggregated basis, for example by limiting the monitoring of sites accessed to a departmental basis, and focusing on specific individuals only if there is a problem.

    Video and audio monitoring

    An impact assessment should be conducted into whether video and audio monitoring are justified in the workplace. Because some of the data protection issues that arise with video monitoring in public places apply to the workplace, the CCTV Code of Practice will be useful, and employers are referred to it for guidance, although it is outside the scope of this guidance note4.

    If video and audio monitoring are justified, they should be targeted at areas of particular risk only, or confined to areas where employees' expectations of privacy are low. This means that toilet areas are to be excluded from monitoring. Moreover, workers should be notified as to where and why it is being carried out unless it is being done covertly and this is justified. Notices should also be put up to inform visitors or customers who may be caught by the monitoring as to why it is being carried out.

    The Code considers continuous video or audio monitoring to be particularly intrusive, and a combination of the two even more so. Therefore, this practice will be justified only rarely, and will be limited to cases such as in particularly hazardous work environments in refineries or nuclear power stations, or where security is a particular issue, such as at a precious stone dealer's. This does not apply to continuous monitoring in more public areas where workers may pass from time to time, such as in car parks or corridors.

    An impact assessment of video or audio monitoring should consider: whether they can be targeted at areas of particular risk, such as where there is a risk to safety or security; whether they can be confined to areas where workers' expectations of privacy will be low, that is, in public areas; whether video and audio capability can be treated separately; whether the employer will be able to meet its obligation to provide subject access; whether it will be able, if necessary, to remove information identifying third parties from such monitoring.

    The fundamental requirement of the awareness of workers (and others who might be caught by the monitoring) applies, and they should be told where and why it is being carried out. Signs displayed in areas subject to monitoring, detailing the organisation responsible, the reason for the monitoring and contact details, will suffice. It will not be sufficient simply to tell workers that they may be subject to such monitoring from time to time. Employers can be guided as to the fairness of their monitoring by considering whether workers, at the point at which they are subject to monitoring, would be aware that it is taking place. If not, the covert monitoring guidance applies.

    Covert monitoring

    Covert monitoring can be performed through video or audio monitoring, as well as any monitoring of other electronic communications that workers do not expect to happen. It is important to note that the covert watching of an individual by another is not in itself caught by the DPA, but once it results in a record being kept about the person, the Act will apply.

    It should normally be authorised at senior management level and is only justified when there are grounds for suspecting criminal activity or equivalent malpractice, and also where notifying individuals about it would prejudice prevention or detection, or the apprehension or prosecution of offenders. Therefore, it should properly be undertaken only as part of a specific investigation.

    An impact assessment should therefore consider whether such prejudice is likely, or whether the activity being monitored is of sufficient seriousness that it would be reasonable to involve the police. Note that this does not mean the police actually have to be involved.

    Covert monitoring should aim to obtain evidence within a set timeframe, namely, the completion of the investigation, after which it should be discontinued. The number of people involved should be restricted as much as possible, and places where workers would reasonably expect to have privacy - toilets, private offices - should be avoided. The only exception would be where serious crime is suspected of being committed, such as drug-dealing, and where the intention is to involve the police.

    Where a private investigator is used for covert monitoring, this arrangement should ideally be regulated by a contract that restricts the investigator to collecting information only in a way that satisfies the employer's obligations under the DPA, so that information can be collected, used and secured according to the employer's instructions. By such an arrangement, the private investigator will be a data processor and the employer will retain responsibility for data protection compliance unless the contract between them places data protection obligations on the investigator.

    The information collected through covert monitoring must be used according to clearly defined rules set up beforehand that limit disclosure of, and access to, the information, and that limit its use to the prevention or detection of criminal activity or equivalent malpractice. All other information should be disregarded and deleted unless it reveals something that no employer could reasonably be expected to ignore, such as criminal activity, gross misconduct or health and safety breaches.

    In-vehicle monitoring

    The DPA covers the monitoring of vehicle movements by means of devices that record or transmit information as to location, distance covered and driving habits, where the monitored vehicle is allocated to a specific driver so that the recorded information can be linked to him or her.

    Once again, an impact assessment should be conducted and should consider whether monitoring can be done without disclosing information about the private use the employee makes of the vehicle. Information about a vehicle's location will be particularly intrusive, and the approach should be that, where the employer allows private use, it will rarely be justified to monitor vehicle movement. The freely given consent of the driver must be obtained. If the vehicle is for both private and business use, there should be some mechanism for disabling monitoring during private use. However, a legal obligation to monitor the use of a vehicle, even if used privately, such as by means of a tachograph, will take precedence over data protection rights. Therefore, an employer should have a policy for the use of vehicles that states what private use can be made of vehicles, the conditions of use, and the nature and extent of any monitoring, and should make workers aware of this.

    As far as a worker's own vehicle is concerned, any monitoring will of course be justified only where it is being used for business purposes, the worker has freely consented to having a monitoring device installed and used, and the information collected is strictly to be used for business purposes, such as to reimburse the worker for the cost of business use.

    Monitoring through third-party information

    This applies to information held by credit reference agencies or electoral roll information; information held by an employer in a non-employment capacity, such as a bank monitoring its workers' bank accounts; and information about a worker's criminal convictions (which must always be obtained by means of disclosure from the Criminal Records Bureau).

    An impact assessment should be conducted, which should be based on the presumption that an employer should not intrude in workers' private lives unless they face a real risk to which intrusion is a proportionate response. The question for employers is: does evidence that monitoring is justified exist?

    Thus, a worker's financial circumstances should not be monitored unless there are firm grounds to conclude that financial difficulties would pose a significant risk to the employer. Workers should be told what information sources are to be used to carry out checks on them and why, and the third party agency must be told the use to which the information is to be put. The Code emphasises that a facility used to conduct credit checks on customers should not be used to monitor or vet workers, and warns that this may amount to a breach of s.55 of the DPA, which makes it an offence to obtain personal information without the authority of the data controller.

    SMALL BUSINESSES AND THE MONITORING AT WORK CODE

    Small businesses are not exempt from the requirement to conduct an impact assessment, although the Monitoring at Work Code clearly envisages that continuous or systematic monitoring is more likely to be undertaken by larger, rather than smaller, businesses. However, the Commissioner does offer separate guidance to smaller businesses as to how to meet their obligations on monitoring5.

    This article was written by Ako Buckman, a freelance writer specialising in employment law.

    1The Information Commissioner, The Employment Practices Data Protection Code Part 3: Monitoring at Work (2003), available at: www.informationcommissioner.gov.uk.
    2The Information Commissioner, The Data Protection Act 1998 - Legal Guidance (2001).
    3[2004] EWCA (Civ) 1746.
    4Available at www.informationcommissioner.gov.uk.
    5The Information Commissioner, Monitoring at Work: Guidance for Small Businesses (2003).


    Monitoring at work: Main points to note

  • The Monitoring at Work Code strikes a balance between, on the one hand, employers' legitimate interest in protecting their businesses by monitoring their workers and, on the other hand, the legitimate expectation of workers that their personal information, obtained through monitoring, will be handled properly.
  • The Code does not prevent employers from monitoring their employees. It does, however, require that any monitoring that yields personal information about employees should be carried out consistently with the DPA and other legislation.
  • Monitoring is not defined, but includes "activities that set out to collect information about workers by keeping them under some form of observation". It may be carried out systematically, where all workers are routinely monitored, or occasionally, where monitoring is introduced as a short-term measure to respond to a particular problem.
  • An employer's general approach should be that monitoring is intrusive in nature, and conflicts with workers' legitimate expectations of privacy in the workplace. So, where it is to be carried out, it is to be justified by an impact assessment and there should be clarity as to its purpose.
  • An impact assessment is to be carried out where monitoring will have an adverse impact, the aim being to justify the monitoring in terms of the perceived benefits to the employer. It may involve anything from a simple mental evaluation of the risks to the business and how the planned monitoring will reduce or eradicate them to a more complicated process.
  • An employer who wishes to monitor electronic communications must have a policy in place that outlines when its electronic communications systems may or may not be used.
  • Emails marked private or personal should not be opened, unless wrongdoing is suspected, or a pressing business need is made out.
  • Employers should avoid monitoring the actual internet sites visited by workers wherever possible. The aim should be to seek to prevent, rather than detect, misuse.
  • Video and audio monitoring are particularly intrusive, and if justified, should be targeted at areas of particular risk to the business, or confined to areas where workers have low expectations of privacy.
  • Because workers are unaware of it and do not expect it to happen, covert monitoring should be authorised only at senior management level, and will be justified only where there are grounds for suspecting criminal activity or equivalent malpractice.
  • An impact assessment of in-vehicle monitoring should consider whether it can be done without disclosing private use by the employee. Rarely will this kind of monitoring be justified where an employee is allowed private use.


    Document Extract

    Examples of monitoring

  • Gathering information through point-of-sale terminals to check the efficiency of individual supermarket checkout operators.
  • Recording the activities of workers by means of CCTV cameras, either so that the recordings can be viewed routinely to ensure that health and safety rules are being complied with, or so that they are available to check on workers in the event of a health and safety breach coming to light.
  • Randomly opening up individual workers' emails or listening to their voicemails to look for evidence of malpractice.
  • Using automated checking software to collect information about workers, for example, to find out whether particular workers are sending or receiving inappropriate emails.
  • Examining logs of websites visited to check that individual workers are not downloading pornography.
  • Keeping recordings of telephone calls made to or from a call centre, either to listen to, as part of workers' training, or simply to have a record to refer to in the event of a customer complaint about a worker.
  • Systematically checking logs of telephone numbers called to detect use of premium rate lines.
  • Video recording workers outside the workplace to collect evidence that they are not, in fact, sick.
  • Obtaining information through credit reference agencies to check that workers are not in financial difficulties.

    Source: The Employment Practices Data Protection Code Part 3: Monitoring at Work.



    Document Extract

    Impact assessments

    An impact assessment involves:

  • Identifying clearly the purpose(s) behind the monitoring arrangement and the benefits it is likely to deliver.
  • Identifying any likely adverse impact of the monitoring arrangement.
  • Considering alternatives to monitoring or different ways in which it might be carried out.
  • Taking into account the obligations that arise from monitoring.
  • Judging whether monitoring is justified.

    Adverse impact

    Identifying any likely adverse impact means taking into account the consequences of monitoring not only for workers, but also for others who might be affected by it such as customers. Consider:

  • What intrusion, if any, will there be into the private lives of workers and others, or interference with their private emails, telephone calls or other correspondence? Bear in mind that the private lives of workers can, and usually will, extend into the workplace.
  • To what extent will workers and others know when either they, or information about them, are being monitored and then be in a position to act to limit any intrusion or other adverse impact on themselves?
  • Whether information that is confidential, private or otherwise sensitive will be seen by those who do not have a business need to know, eg IT workers involved in monitoring email content.
  • What impact, if any, will there be on the relationship of mutual trust and confidence that should exist between workers and their employer?
  • What impact, if any, will there be on other legitimate relationships, eg between trade union members and their representatives? . . .
  • Whether the monitoring will be oppressive or demeaning.

    Alternatives

    Considering alternatives, or different methods of monitoring, means asking questions such as:

  • Can established or new methods of supervision, effective training and/or clear communication from managers, rather than electronic or other systematic monitoring, deliver acceptable results?
  • Can the investigation of specific incidents or problems be relied on, for example, accessing stored emails to follow up an allegation of malpractice, rather than undertaking continuous monitoring?
  • Can monitoring be limited to workers about whom complaints have been received, or about whom there are other grounds to suspect wrongdoing?
  • Can monitoring be targeted at areas of highest risk, eg can it be directed at a few individuals whose jobs mean they pose a particular risk to the business rather than at everyone?
  • Can monitoring be automated? If so, will it be less intrusive, eg does it mean that private information will be "seen" only by a machine rather than by other workers?
  • Can spot-checks or audits be undertaken instead of using continuous monitoring? Remember though that continuous automated monitoring could be less intrusive than a spot-check or audit that involves human intervention. . .

    Justified?

    Making a conscious decision as to whether the current or proposed method of monitoring is justified involves:

  • establishing the benefits of the method of monitoring;
  • considering any alternative method of monitoring;
  • weighing these benefits against any adverse impact;
  • placing particular emphasis on the need to be fair to individual workers;
  • ensuring, particularly where monitoring electronic communications is involved, that any intrusion is no more than absolutely necessary;
  • bearing in mind that significant intrusion into the private lives of individuals will not normally be justified unless the employer's business is at real risk of serious damage;
  • taking into account the results of consultation with trade unions or other representatives, if any, or with workers themselves.

    Source: The Employment Practices Data Protection Code Part 3: Monitoring at Work.



    Data protection and employment practice guidance notes

    (1) Data protection and employment practice (1): The Data Protection Act 1998, covering the key definitions that dictate the scope of the Act and the nature of its requirements and the Data Protection Principles.

    (2) Data protection and employment practice (2): The rights of data subjects under the Act; the exceptions, exemptions and defences available to data controllers; and the information commissioner's powers and duties.

    (3) Data Protection and employment practice (3): The Employment Practices Data Protection Code of Practice Part 1: Recruitment and Selection.

    (4) Data protection and employment practice (4): The Employment Practices Data Protection Code of Practice Part 2: Employment Records.