The European Court of Human Rights (ECHR) has confirmed that monitoring an employee’s private electronic communications in the context of disciplinary proceedings did not breach his fundamental right to respect for his privacy.
Under Article 8 of the European Convention on Human Rights, everyone has a right to respect for his private and family life, his home and his correspondence, subject to certain limitations. It is well-established that this right extends to an employee’s telephone calls, emails and internet use in the workplace, provided that they have a reasonable expectation of privacy. Therefore, for example, if an employer does not inform its workforce that workplace communications will be monitored for specified purposes, any such surveillance is likely to breach the right to privacy.
Article 8 is incorporated into our domestic law under the Human Rights Act 1998. It applies to all public sector authorities directly and it is also highly relevant for private sector employers, as courts and tribunals must interpret all legislation consistently with Convention rights.
In Barbulescu v. Romania, Mr Barbulescu was employed as a sales engineer. He was asked by his employer to create a Yahoo Messenger account to enable him to respond to clients’ enquiries. The employer had put in place internal regulations, under which the use of computers and other electronic equipment for personal purposes was strictly forbidden.
Mr Barbulescu was informed by his employer that his messenger communications had been monitored for just over a week and the records showed that it had been used for personal messages. When he denied the allegations, he was presented with a 45-page transcript of communications with his brother and fiancée to discuss private matters, including his health and sex life. His employment contract was terminated for breach of the company’s internal regulations.
Mr Barbulescu brought domestic proceedings in the Romanian courts, claiming that his dismissal was null and void due to a breach of his privacy rights. This claim was rejected and he subsequently lodged an application at the ECHR.
The ECHR held that there was no violation of Mr Barbulescu’s privacy rights under Article 8. In balancing that right against the employer’s interests, in the context of disciplinary proceedings, it noted that:
- the employer had monitored Mr Barbulescu’s messages in the belief that it was used for professional purposes only, based on his claim that he only used it for client communications. It accessed the account on the assumption that the information it was reviewing would relate to professional activities only;
- it is not unreasonable for an employer to want to verify that employees are completing their professional tasks during working hours; and
- the search was limited to the Yahoo Messenger account and did not extend to other data and documents stored on his computer. Therefore, it was proportionate.
Monitoring communications at work is a complex legal issue, operating within a tangled web of regulatory requirements. Aside from human rights law, the ability to keep tabs on what employees are doing will also be affected by data protection obligations and specific legislation dealing with surveillance and the interception of communications (such as the Regulation of Investigatory Powers Act 2000).
Suffice to say, it is certainly not the case that this judgment gives employers a free hand to look at private messages and listen in on telephone calls indiscriminately. Monitoring without consent in circumstances where an employee has a reasonable expectation of privacy is still likely to be unlawful in many cases – and, in that regard, some of the media coverage on this case has been wide of the mark.
However, having a clear IT and communications policy that explains the nature and extent of any monitoring that may take place (and the underlying business reasons for it) is a good starting point. It should be well known to employees and accessible on an intranet site or in a staff handbook.
Even if a policy sets out strict rules on email and internet use, employees who are allowed to engage in personal activities using work systems during working hours are still likely to have a reasonable expectation of privacy (on the basis that, while such behaviour is not expressly authorised, it is tolerated). Therefore, employers should be prepared to justify the use of surveillance in specific circumstances, by reference to the purpose of monitoring and ensuring that the methods adopted are proportionate. This can often be achieved by carrying out an impact assessment in advance on the benefits of monitoring communications (for example, for a particular investigation) and weighing those against the potential detriment to the employee.
Further guidance is set out in Part 3 of the ICO’s Employment Practices Code (available here).