Staff Surveillance - How Far Can You Go?

Just how far can an employer legitimately go in his attempts to control what his employees do during their working hours?

Developments in technology, in particular internet and e-mail messaging, mean that an employer may now face new problems with his employees. For instance, he may find that his employees spend too long surfing the net or e-mailing friends during working time. This is in addition to problems he may have experienced in the past with similar employees spending far too long on the telephone or taking long coffee breaks.

Along with the problem of potential internet abuse comes a whole host of other technology-related problems. For example:

• employers may be vicariously liable for any harassment carried out by employees within the course of their employment whether or not it is work related. This covers situations where employees use work computers to send abusive e-mails.
• employees who download pornography could be in breach by the employee of their duty of mutual trust and confidence.
• similarly there are also problems with employees uploading or downloading unauthorised materials that could carry viruses.
• employers could face liability for defamation, especially through internal and external e-mail circulation. In a recent case Norwich Union was forced to settle a defamation action as a result of a widely circulated internal e-mail that was defamatory of another insurance company’s financial state.
• if employees download documents they could involve their employers in possible liability for breach of copyright.

When formulating e-mail and internet policies an employer should deal with the following issues:

• whether employee’s private use of the internet and e-mail is allowed.
• restrictions on downloading information and images from the internet.
• the provision of training for maximum efficiency usage of external e-mail and the internet for business purposes.
• disciplinary measures against employees who breach the terms of the policy.
• employee agreement (or failing that, actual knowledge) that their activity on their company laptop and PCs at work will be monitored (whether inside or outside normal working hours and for whatever reason).
• an employer should try to ensure that e-mail conventions are established and that an appropriate disclaimer is sent with all e-mails and attachments in order to restrict liability for any potentially incomplete or inappropriate information.
• the bottom line is that guidance should be given to employees about both the amount and type of personal use that is and is not permitted. Any policy must make it absolutely clear what conduct could lead to either the imposition of disciplinary penalties or in more serious situations, dismissal.

Providing that such policies are clear and are communicated to employees and are necessary for the legitimate interests of the employer, they should not fall foul of the measures for the protection of privacy for employees.

The Data Protection Act 1998 came into force on 1 March 2000. This provides a basic framework of protection against intrusion into a person’s information privacy. A code of practice is to be issued to provide guidelines for employers in such matters as monitoring e-mails and web surfing or tracking the whereabouts of staff through mobile phones.

Once the code is in place, failure to comply with its provisions could lead to enforcement action by the Commissioner or a claim for compensation by any individuals who have suffered as a result. The code will illustrate the serious intent of the Data Protection Commissioner in attempting to ensure employers establish clear policies and put up perimeters under which staff could be subject to surveillance.

The Protection from Harassment Act 1997 was predominately intended to tackle the problem of victims being harassed by stalkers.

However, the provisions of the Act are wide enough to encompass any form of harassment including harassment of an employee in his or her workplace on the grounds of sex, race or disability.

The Human Rights Act 1998 came into force on 2 October 2000 and implements the European Convention on Human Rights (the Convention). Article 8 of the Convention is of particular importance to employers who monitor their workforce. It provides that everyone has the right to respect for his private and family life, his home and his correspondence. Certain methods of monitoring currently used by employers could breach Article 8.

The implied duty of mutual trust and confidence.

It is arguable that unjustified surveillance could amount to a breach of such a term.

The Interception of Communications Act 1985 made it a criminal offence to intercept a communication in the course of its transmission by post or by a public telecommunications system, unless the interceptor had a warrant or believed that the other person consented to interception. This Act never covered private networks and employees had little protection against unauthorised telephone monitoring. It regulated only the interception of calls made on a public network - it did not prevent employers listening to telephone calls made from an internal workplace telephone communication system even if those calls are made to people outside the workplace, provided that the interception took place on the non-public side of the network.

The Regulation of Investigatory Powers Act 2000 (RIPA 2000), which came into force this month, repeals the Interception of Communications Act 1985, and establishes a single legal framework covering the interception of communications in the UK regardless of the means of communication and the point at which they are intercepted.

Under proposals set out in the Lawful Business Practice Regulations (due to come into force this month) employers will not be required to obtain authorisation for telephone monitoring which takes place in the course of lawful business practice provided they have a reasonable ground to believe that those parties taking part in the communication have consented to the monitoring. This specific authorisation is given on a case-by-case basis to carry out interception on private networks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.