A story recently made the headlines about the Care Quality Commission issuing guidance on how relatives and care home bosses could undertake covert surveillance of carers. The Mail described it as the "official green light to spy on care home staff". In fact, the reports appear to have exaggerated the reality, but they felt to me a stark reminder that we now live in a digital world in which to the ability to record conversations secretly is only a smartphone button away.
However, whilst the technical aspects of recording may be relatively simple, the legal issues are undoubtedly complicated and employers would be well advised to keep abreast of them before embarking on any monitoring of employees.
Monitoring of employees
Typically monitoring undertaken by employers concerns their employees' use of electronic systems in the workplace, such as the websites they visit, the content of email and their use of the telephone. In deciding to carry out such monitoring, employers should have regard to an increasingly complex plethora of legal considerations, including:
- The Data Protection Act 1998 – monitoring email and internet use will involve the processing of personal data. Any monitoring should be carried out in accordance with the data protection principles.
- The Employment Practices Data Protection Code – issued by the Information Commissioner's Office and available here, part 3 deals specifically with the monitoring of employees and provides good practice recommendations to employers. It and the supplementary guidance are worth reviewing if monitoring is contemplated.
- Human Rights Act 1998 – employees have a reasonable expectation of privacy in the workplace (even if their employer is a private body), unless an employer can justify interfering with that.
- The Regulation of Investigatory Powers Act 2000 – the interception of communication is allowed if the individual has consented or if it is authorised by the Lawful Business Regulations, for example, if it is necessary to establish the existence of facts relevant to the business, to investigate or detect the unauthorised use of communication systems or to ascertain compliance with procedures relevant to the business etc.
- An employee's contract of employment – employers have an implied duty of trust and confidence towards employees. Inappropriate monitoring could amount to a breach of this term.
The basic principle is that the law does not prevent employers from monitoring employees but it should be done in a way which is consistent with these laws. The main points which employers should take away from the legal framework include the following:
- It will usually be intrusive to monitor employees.
- In an employment context, it will normally be hard to rely on an argument that employees have "consented" to monitoring (since to apply, consent must be given freely which is hard to prove). Instead, employers will need to show that monitoring is in the "legitimate interests" of the business and proportionate.
- Employers should carry out an "impact assessment" before undertaking any monitoring - as set out below. The aim of this is to ensure a balance is achieved between employees' privacy and protecting the interests of the business.
- Methods of monitoring which are less intrusive (and so easier to justify) include sporadic or time-limited monitoring, monitoring for a particular purpose, obtaining anonymous data and targeted monitoring, such as using key word searches. More intrusive methods, which will be harder to justify, include continuous monitoring, blanket monitoring, such as trawling through all available data or checking the content of emails, and reviewing personal communications.
- Employees should be put on notice that monitoring may take place and provided with full information about that monitoring (see below).
- The bar for covert monitoring is high and will usually only be recommended in cases of criminal or equivalent malpractice. A useful rule of thumb is to ask whether the activity to be monitored is so serious that it would be reasonable to involve the police.
Impact assessment - practical steps for employers
Taking the main principles into account, in making a decision to monitor employees, employers should carry out an impact assessment covering the following:
- Clearly identify the purpose of the monitoring.
- Identify the benefits of the monitoring, including the risks to the business if it does not take place, and any adverse impact, for example on employees. It may be necessary to acknowledge that some personal data will be caught by the monitoring, but that this is justified (as below).
- Consider whether there are any alternatives to monitoring or less intrusive ways of achieving the same purpose.
- Judge whether the monitoring is justified.
- Identify how the information obtained will be secured, to ensure that it is retained in accordance with the Data Protection Act.
- Limit the number of people who will have access to the data, ensuring that they have received appropriate training.
The impact assessment does not need to be a complicated exercise – a "simple mental evaluation" may be sufficient – but it is advised that some sort of paper trail is retained showing the employer's considerations.
Informing employees about monitoring
It is a critical component of monitoring that employees and workers are provided with full information about monitoring in advance. It is not enough simply to tell employees that, for example, their email will be monitored. Instead, employees should be told enough to enable them to truly understand when and why information will be obtained, how it will be used and to whom it will be disclosed.
Typically this information is included in an electronic communications policy or sometimes in employees' contracts of employment. Such policies should include a full statement of the purposes for which monitoring should be undertaken, detail the potential types of monitoring which might take place, set out who will make the decision to monitor and who will have access to the results of monitoring. It is also advisable for policies to set the standards for acceptable behaviour, giving examples, and identify the risks and consequences of inappropriate use.
Employers are under a positive obligation to be pro-active in ensuring workers are aware of any electronic communications policy or equivalent. It will be insufficient simply to post the policy on an intranet and hope employees read it. Instead, it is recommended that the contents of the policy are dealt with in the induction process and that staff are reminded about it periodically.
Recordings by employees
This note has concentrated on monitoring by employers. It is worth remembering though that "monitoring" can and does take place the other way round, usually in the form of covert recordings of conversations or meetings. Further information about recordings of disciplinary hearings by employees can be found in a piece by Rachel Lewis here.