Watching brief

The Monitoring at Work Code, published last month, gives employers a guide to when and how they can monitor staff. Katherine O'Brien discusses some potential scenarios.

General guidelines

Paper UK (PUK) is a paper distribution company with about 100 employees. Employees work either at the company's head office, or at the customer advice centre taking queries from customers. The HR manager has read about the new code for monitoring employees, and wants to know what PUK should do.

Katherine O'Brien comments: The third part of the Employment Practices Data Protection Code - Monitoring at Work (published on 11 June 2003 after a lengthy consultation process) provides employers with guidance on how they can monitor job applicants, employees and other staff.

Monitoring is an intrinsic part of the employment relationship, and technological developments mean employers hold extensive information on their staff - often collected automatically and without too much thought. Staff may be filmed on CCTV as they arrive or leave work, electronic swipe cards will indicate their whereabouts on the employer's premises, and computer logs are created when staff switch on their computers.

During the day, records indicate staff access to the internet and sites visited. E-mails sent and received are recorded as well as telephone calls. If staff are provided with work mobile telephones or company cars, then management often makes records of use.

The Code lays down guidelines for steps employers should take in deciding whether any particular form of monitoring is appropriate in the circumstances. Any adverse impact of monitoring on individuals has to be justified by the benefits received. The Code recommends using specific impact assessments to decide whether or not this is the case, to establish what monitoring is to be carried out and to whether a monitoring arrangement is a proportionate response to the problem to be addressed.

An impact assessment involves:

- Identifying the purpose behind the monitoring arrangement and the benefits it is likely to deliver

- Identifying any likely adverse impact of the monitoring arrangement

- Considering alternatives to monitoring or different ways in which it might be carried out

- Taking into account the obligations that arise from monitoring

- Judging whether monitoring is justified.

The following factors may establish whether there is an adverse impact on staff and customers of the organisation:

- What intrusion will there be in private lives or interference with private communications?

- How much information do staff have on how and when they are monitored? The more information provided the better, as it allows staff to limit the adverse impact on them

- Will there be any impact on the relationship of mutual trust and confidence between the staff and employer or any other confidential relationship, such as, for example, trade union representatives?

- As part of the impact assessment, it is important to consider the least intrusive method of monitoring possible and alternatives to monitoring

- In establishing that staff are complying with company policy and procedure, using different methods of supervision, training and clearer communication may deliver acceptable results

- Specific incidents can be investigated by accessing stored e-mails, rather than undertaking continuous monitoring. Monitoring can also be limited to staff about whom complaints have been received or areas of high risk

- Automated monitoring is less intrusive and means the personal information is only 'seen' by a machine

- Spot-checks or audits can be undertaken rather than continuous monitoring (depending on the circumstances, as sometimes continuous monitoring can be less intrusive than human intervention).

As well as the aspects mentioned above, deciding whether a current or proposed method of monitoring is justified involves emphasising the need to be fair to staff, ensuring any intrusion is no more than necessary. Any significant intrusion will only be justified if the employer's business is at serious risk. Consultation with staff and/or trade unions can be of assistance when considering these issues.

CCTV monitoring

PUK has noticed an unusually high amount of stock is being ordered on a regular basis, and believes some is being stolen. It proposes to set up CCTV cameras to monitor the situation. Can it do this?

KO'B comments: When carrying out an impact assessment for video monitoring PUK should consider the following:

- It must establish why it is setting up the CCTV and what benefit it believes it will obtain. Does it wish to obtain evidence that theft is occurring, deter future thefts or catch the perpetrators? PUK should also consider whether it is reasonable to believe stock is being stolen. This will add weight to the belief that monitoring is required.

- In order to reduce the adverse impact, PUK should consider targeting areas of particular risk, for example the stockroom. PUK may feel other areas need monitoring depending on where it feels it is most likely to identify the perpetrators of any theft. Where possible, monitoring should be confined to areas where staff expectation of privacy is low (not the staff toilets, for instance)

- Continuous monitoring will only be justified in rare circumstances due to its particularly intrusive nature

- Are there practical alternatives to CCTV, such as security checks on staff leaving the building?

- Is PUK able to make it clear that monitoring is taking place and why, in all areas where the monitoring takes place (placing a prominent sign, identifying the organisation responsible for monitoring, who is to be contacted and why it is being done)? This is particularly important in public areas where people other than staff are likely to be inadvertently caught on camera

- Can PUK justify the continuous monitoring of a particular area? This may not be so simple if individuals are likely to be continuously monitored, for example those working in the stockroom.

In limited circumstances, the Data Protection Act 1998 allows covert monitoring. Covert monitoring should be authorised by senior management, who must satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice, and that notifying individuals would prejudice its prevention or detection. A reliable test is whether or not the activity would be of sufficient seriousness to involve the police (unless covert monitoring is to be carried out in a private area, in which case a suspicion of a serious crime and an intention to involve the police is required).

PUK would find covert monitoring difficult to justify when it doesn't have an individual in mind.

Personal information collected should only be used for the purposes for which the monitoring was introduced, unless it is in an individuals' interest to use it or if it reveals an activity no reasonable employer could be expected to ignore (for example, serious harassment).

E-mail and the internet

Staff working in the customer advice centre at PUK take queries from customers by telephone and e-mail. The manager believes some employees are spending a large part of their time looking at pornography on the internet and sending personal e-mails. He wants to check what members of staff are doing. Can he do it and what methods can be used?

KO'B comments: PUK needs to establish whether it has a current staff policy regulating electronic communications and whether it establishes boundaries of acceptable behaviour with regard to e-mail exchange and use of the internet.

A policy for the use of electronic communications should incorporate the following features:

- Clear boundaries as to the amount and type of personal communications allowed

- Specified restrictions on what can be viewed or copied from the internet

- Clear instructions as to what would be considered offensive rather than simply a reference to 'offensive' material

- Examples of personal information which staff are permitted to communicate

- Alternatives to electronic communications for passing on personal information

- An explanation of the purpose for which any monitoring is conducted, the extent of monitoring and means used. This should include how the policy is enforced and the penalties for a breach of that policy.

In addition, PUK must ensure it is not in breach of the Regulation of Investigatory Powers Act 2000 and Lawful Business Practice Regulations. Interceptions are not permitted without the consent of the sender and recipient unless authorised under the regulations. An interception is likely to be authorised where it is for the purpose of running the business and all reasonable efforts have been made to inform internal users of the interception.

Once PUK has established the purpose of the monitoring arrangement and the benefits it will deliver, it should look at any adverse impact and suitable alternatives.

- Analyse e-mail traffic rather than monitoring the content of messages. If the content is monitored, PUK may be at risk of breaching its duty of trust and confidence

- Detection of personal communications should be possible from the heading or address. The content of personal e-mails should only be accessed where there is a pressing business need to do so

- Establish whether any methods of monitoring can be limited or automated. Automated systems can provide protection from intrusion and malicious codes and detect references to particular matters

- Technology that prevents rather than detects misuse could be used to stop staff accessing unauthorised websites. PUK can also detect time spent accessing the internet rather than monitoring sites visited or content viewed, particularly if web access for personal reasons is not permitted

- Monitoring can also be done on an aggregated basis by examining logs of which sites have been visited and only focusing on specific individuals who have been identified as problematic. Such a log is also likely to identify sites accessed accidentally

- In all cases, before further action is taken, staff should be given an opportunity to explain their actions or challenge any information.

Monitoring e-mails will mean processing information about external people who should be informed of the monitoring. Staff must also be made aware of the nature and extent of e-mail and internet access monitoring.

Katherine O'Brien is a trainee solicitor at Lewis Silkin

Find out more on the code at www.informationcommissioner.gov.uk