Last month, Facebook backtracked on using facial recognition technology to automatically detect the faces of its users after a US court deemed the software an invasion of “private affairs and concrete interests”. The software sent “tag suggestions” to users if their faces appeared in recently uploaded photographs, whether or not they had been tagged in them.
There are interesting comparisons to be drawn between how a company monitors its users and how a business monitors its employees. With privacy rights increasingly hitting headlines, employers should carefully consider how such rights might affect how they monitor their employees.
Reasons for monitoring
Employers can monitor employees in a number of ways; dedicated software is increasingly being used, as are more traditional methods, such as checking emails, voicemails and recording telephone calls, as well as using CCTV.
There are myriad reasons to carry out such monitoring, for example…
Most IT security breaches happen through employee negligence. By monitoring and restricting employees’ online activity, a company can protect its systems, and the information contained within, against attacks.
2. Data protection
There has been a significant increase in data protection regulation. Tracking employees’ actions can help ensure that employers are aware of data breaches and that relevant rules are complied with.
3. Leaks of confidential information
Monitoring may not prevent a leak, but it can help spot one and gives the business a fighting chance of damage limitation.
4. Internal rules
Monitoring can help employers ensure that a range of policies and internal procedures are being adhered to and detect misconduct.
5. Remote working
Tracking communications and login details allows employers to confirm that employees are performing their job appropriately, wherever they are.
6. Boosting productivity
Certain data generated from monitoring can be analysed to devise productivity strategies to move the business forward.
It is arguable that these might be even more important to an SME, given that a smaller number of employees often means a wider knowledge of sensitive company information – and a greater reliance on each employee complying with the rules and performing their role adequately.
Mitigate the risk
Failing to take account of the relevant legal protections afforded to employees when monitoring staff can result in claims for compensation, negative publicity and fines.
It is therefore critical that employers are aware of their employees’ rights.
Human Rights Act 1998 (“HRA”)
Underpinning all other rights is the HRA, which protects an individual’s right to respect for private and family life and correspondence.
Employee rights are paramount
In the workplace, it means that employers should only access an employee’s personal correspondence with a legitimate objective (such as protecting the company’s reputation and ensuring productivity), and having considered whether there might be a less intrusive way to accomplish that objective.
Investigatory Powers Act 2016 (“IPA”) and the Investigatory Powers Regulations 2018 (“IPRegs”)
Under the IPA, employers must have “lawful authority” before they can intercept an employee’s email.
“Lawful authority” could mean obtaining the consent of both the sender and the recipient, or monitoring for one of the reasons specified in the IPRegs, which include ascertaining compliance with certain procedures, detecting unauthorised use of the email system and detecting crime.
General Data Protection Regulation 2016 (“GDPR”) and the Data Protection Act 2018 (“DPA”)
The GDPR and the DPA will be relevant as almost all forms of monitoring will involve “processing” the personal data of the employee being monitored.
In order to comply with the GDPR and DPA, employers must generally warn employees about the monitoring taking place, limit monitoring as far as possible, only use the data collected by that monitoring for the purpose disclosed to the employee and ensure any data collected is kept secure.
Clearly, there is tension between an employer’s interests in monitoring employees and an employee’s interest in preserving their privacy. This tension is reflected in the complexity of the legal framework, which seeks to strike a balance between the two competing interests.
The core legal principle is that employees have a reasonable expectation of privacy in their personal communications, including workplace communications, and this should not generally be interfered with unless there is a good reason to do so and, in most cases, the employee has been fairly warned.
When monitoring employees, employers should ensure that they:
1 – Put policies in place that clearly explain the extent of the monitoring that may take place, with an explanation as to why monitoring may be carried out;
2 – Check the policies are up to date and have been brought to employees’ attention;
3 – Review alternative, less intrusive options to monitoring as part of a risk assessment;
4 – Put processes in place to ensure that the information collected is kept securely, not given to too many additional employees and deleted when no longer needed;
5 – Do not jump to conclusions when the monitoring appears to reveal potential misconduct.
It is easy to see why SMEs are increasingly keen to monitor employees, but they must be careful not to overstep the mark.
Infringing their employees’ rights could result in claims, fines and reputational damage, which might have lasting effects on the business. Businesses would be wise to know where the line lies; know your rights and those of your employees.
This piece was co-written by Emily Hocken, Trainee Solicitor, at Stevens & Bolton LLP.