Most organisations are aware that the Data Protection Act 1998 governs the collection and dissemination of employee information. Unfortunately, since its introduction, there has been little practical assistance to help employers understand their responsibilities, especially when it comes to monitoring staff. This is something that the Information Commission has now addressed with the launch of the third instalment of its Employment Practices Data Protection Code entitled "Monitoring at Work". These guidelines form a three step programme to best practice for employers and are well worth considering incorporating into your business.
The Data Protection Act should be considered a vital component of Human Resources by any organisation employing or thinking of engaging staff. It relates to all types of employee including agency and casual, contractors, ex-employees and even candidates submitting applications for employment whether successful or not. It covers all aspects of the information cycle, from the obtaining of data through to its retention, access (reading or displaying it) and disclosure. One of the most basic requirements for employers who gather and hold employee information on a computer or in a sophisticated filing system is that they must notify the Information Commissioner of their data processing activities. Failure to comply with that or any other part of the Data Protection Act can lead to criminal law sanctions, fines and convictions – not just for the company but for its officers as well. This is why employers should carefully consider whether they are adhering to all eight principles of the Act – many prudent organisations have procedures in place to ensure they do.
If your organisation believes that monitoring your employees is a "recognised component of the employment relationship" or your management style includes any review of the performance or the conduct of your employees, then you need to ensure you are also following the new Monitoring at Work code. Its basic purpose is to balance employee rights with the efficient running of a business.
The code starts with the acknowledgement that monitoring staff is usually an intrusive process and that all employees have a right to expect their personal lives to remain private and be able to retain a degree of privacy in the work environment (as required under the Human Rights Act 1998). With this in mind, the code states the basic requirement that employers are clear about the purpose of any staff monitoring and satisfied that the particular arrangements are justified before they commence.
At all times, heavy emphasis is placed on the employer’s justification and communication of procedures to employees. Staff should always be made aware of the nature and extent of, and reasons for, monitoring unless the nature of the monitoring is covert – something that can only be undertaken in exceptional circumstances. There is no legal requirement for an employee to give consent to monitoring as long as the case for monitoring is justified. In any case, for consent to be freely given by the employee, then the policy must be capable of being withdrawn by the employer, which is impractical.
The method used to monitor staff is another primary consideration. Employers must clearly weigh benefits against any adverse impact on the daily running of the company as well as satisfy the legal requirement of being fair to staff. Intrusions into employee’s private lives will only be justified if the employer’s business is at real risk of serious damage. For instance, the code states that, where possible, employers must avoid opening obviously ‘personal’ emails although this can be balanced against the possibility of bullying or the transmission of obscene material and defamatory statements. The interception of emails, faxes, internet use and telephone calls is covered in the Regulation of Investigatory Powers Act 2000 and the Lawful Business Practice Regulations 2000 which, again, regard such interception as illegal unless sound justification can be given.
Employers need to take great care when implementing their monitoring procedure. The code encourages the use of tools such as Data Audits and Impact Assessments prior to setting policies in place. More important however is the drawing up of a formal monitoring policy that clearly sets out procedures such as how employees are informed of the policy, the storage and potential future use of information and even the appointment of a Data Protection Officer. You should also draw up a set of guidelines to provide employees with a clear indication of what you deem to be acceptable behaviour and what is not. One thing to remember though is that, in the case of a dispute, any written procedures will be open to scrutiny by a court or tribunal so it is advisable that you gain the help of a legal expert to ensure the policy is watertight.
Although this latest code has only been available for a few months, when utilised with the earlier two codes, it is proving an excellent step towards helping organisations comply with this all-too-often confusing area of law, we strongly advise all employers to read it as soon as possible. The document can be downloaded from the Information Commissioner’s website at www.informationcommissioner.gov.uk Although it isn’t a law of itself, it is highly likely to be a source of future reference for this subject – particularly in any claims brought against employers at tribunals. Any employer who has failed to consider the codes is likely to be the subject of adverse comment and consideration at such hearings.
©Pictons 2003. First published in Pictons' "In the Know" email newsletter.
Pictons Solicitors is regulated by the Law Society. The information in this article is correct at the time of publication in December 2003. Every care is taken in the preparation of this article. However, no responsibility can be accepted to any person who acts on the basis of information contained in it. You are recommended to obtain specific advice in respect of individual cases.