The management of monitoring
The UK Information Commissioner’s Office has just published the third part of the Employment Practices Data Protection Code (‘Code of ethics’, SMT, June 2002, pp26-28), entitled ‘Monitoring at Work’. Based on the Data Protection Act 1998, the Code provides guidance for managers on monitoring employees’ Internet and e-mail use – and should be followed by every employer.
There’s no doubt that monitoring in the workplace can be intrusive, whether it encompasses the examination of e-mails, the recording of telephone calls or the installation of CCTV cameras. As the Information Commissioner Richard Thomas rightly states: "Employees are entitled to expect that their personal lives remain private, and that they have a degree of privacy in the working environment."
The nature and extent of monitoring
The fundamental message to be borne in mind by managers is that, where monitoring does take place, employees should be made aware of its nature and extent, and the reasons for it being carried out in the first place. "Only in exceptional circumstances will it be appropriate for employers to monitor their employees without their prior knowledge," adds the Information Commissioner.
The 1998 legislation places responsibilities on any organisation to process personal data that it holds on employees "in a fair and proper way". Failure to do so can amount to a criminal offence. The general position is that, while the Act doesn’t prohibit the monitoring of employees, it does place restrictions on the way that this may be carried out. In addition, other legislation lays down rules about the interception of communications.
Managers should understand that the Employment Practices Data Protection Code is intended to aid compliance with the Data Protection Act. It doesn’t address compliance with other legislation, which does make it somewhat difficult for the employer to navigate what is really a monitoring ‘minefield’.
The Code contains guidance – but managers should note that this guidance is not legally binding. It comprises the benchmarks that the Information Commissioner will use when deciding whether or not to enforce the Act.
Consequently, all end user organisations would do themselves a favour by considering its contents very carefully indeed.
Making an impact assessment
Essentially, the Act provides that the ‘adverse impact’ of any monitoring on employees must be justified by the benefits. The Code recommends that this is best carried out by an impact assessment. Such an assessment must consider the purpose behind the monitoring, any likely adverse impact on the employee(s) or others (such as customers), alternatives to the type of monitoring suggested, the obligations that will arise from the monitoring and whether monitoring is justified.
In considering any likely adverse impact, the security manager and the Board of Directors must take into account the likely intrusion into employees’ private lives, the extent to which employees will be aware of the monitoring, who will see the information (which may be of a sensitive nature), the impact on the employment relationship and on other professionals, and how the monitoring will be perceived – will it be seen as oppressive or demeaning, for example?
Bear in mind another of Richard Thomas’ comments here. "In reality," states the Information Commissioner, "there are few circumstances in which covert monitoring can be justified."
Ensuring DPA compliance
As stated, the Code makes good practice recommendations to ensure compliance with the Data Protection Act.
In summary, these centre on:
- managing data protection – identify the person(s) with compliance responsibility and set in place a mechanism to check that procedures are being carried out;
- the general approach to monitoring – monitoring is intrusive, and employees are entitled to keep their private lives private… monitoring should take place for a clear and wholly justified purpose, and employees should be aware that it’s taking place;
- monitoring electronic communications – create a policy on the use of such communication tools, and let employees know what that policy entails… ensuring all the while that the Regulation of Investigatory Powers Act 2000 and the Lawful Business Practice Regulations (which govern the interception of e-mails and telephone calls) are strictly complied with;
- video and audio monitoring – let employees and all others who may be caught on camera or videotape know when the monitoring procedure is being carried out (and why);
- covert monitoring – should be authorised by senior management and strictly targeted… it should only be used for suspected criminal activity where notification would hinder the detection of that activity;
- in-vehicle monitoring – develop a policy on private use for work vehicles and let employees know all about it;
- monitoring through information from third parties – let employees know what sort of checks are going to be made, and why.