As the workplace becomes increasingly digitised, the need to protect personal data has become more critical than ever before. Employers and employees alike must navigate the complexities of data protection laws while balancing the legitimate needs of business operations.

Processing certain personal information is critical for the performance of an employment contract. In Mauritius, for instance, the employer would need an employee's identity card and tax number. The Data Protection Act ("DPA") provides for the employer to process such data without any express consent from the employee.

The Act recognises that employers may need specific information to carry out their obligations, some of which may be required by law, and it serves as a framework for the legitimate processing of such information. However, the processing of data at the workplace goes well beyond what the DPA allows without express consent. The main purpose of providing employees with tools such as mobile phones, tablets, messaging apps, and access to company networks is to support the employer's business activities and operations. But by the very nature of these tools, and as a matter of convenience, the employee will usually receive private messages on their phone or in their inbox. They will also usually receive other people's personal data through the employer's devices. Few or no problems arise so long as this data relates to the legitimate business of the employer, as it will be covered by the lawful bases available to the employer for such professional/commercial relationships.

Without in any way touching on the problematic area of surveillance, "big brother", "spying" or "snooping", let us explore a scenario that can arise.

Mr X is employed at XYZ Co. He is provided with a laptop and a smartphone by his employer. After some years in employment, this model employee turns bad. He sets up a fraudulent scheme with the help of outsiders to the company. Evidence of the fraudulent scheme is now on the employer's laptop allocated to the employee. The evidence shows that the employee is defrauding the employer of funds, and this evidence comes in the form of the employee's and his mother's personal bank details, passport numbers and residential address.

Private details of bank transfers into the employee's and his relatives' bank accounts are now available on the laptop given to him by his employer. The employer is then tipped off by a third party that fraudulent activities are being carried out by Mr X. The IT team is given the specific mission of remotely inspecting the employee's mailbox. Without much effort, the fraudulent scheme is uncovered.

The employer accuses the employee of fraudulent practices. After a disciplinary committee, the contract of employment is terminated. Mr X sues XYZ Co. XYZ Co. meets with a strong objection from Mr X, who seeks to prevent it from making use of the documents retrieved from the company's computer on the basis that they contain personal data (ie, the bank details including bank statements) retrieved by the company without the data subjects' consent (Mr X's and his mother's).

One can anticipate very sober arguments from all sides. On the one hand, it can be argued that the evidence is inadmissible. On the other hand, the employer will say that the contract of employment allowed the employer to access such data for the simple reason that the laptop belongs to the company. Another compelling argument could be that the retrieved data is not covered by the DPA because it was voluntarily provided during the commission of a criminal activity, and therefore may not be protected.

Collection of personal data by the controller must always have a lawful basis. In the workplace, the contract of employment may provide such a basis. When it does, the contract should state the purpose for which the data is being collected. How the purpose is drafted and incorporated into the contract is critical in our modern age, in which technology is improving exponentially.

The object of this article is not to find or advance the legal argument which will be accepted in court but rather to provide guidance on how to avoid such a situation arising in the first place. To ensure that employees use the company's tools appropriately, employers should use a combination of strategies. Firstly, employment contracts should cover a broad range of scenarios. Secondly, IT policies should clearly outline how company tools can and cannot be used, what happens when rules are broken, and how the employer can use materials resulting from an employee's improper tool usage.

Reviewed by Shrivan Dabee, an Executive at ENSafrica Mauritius

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.