The European Court of Human Rights’ (ECHR) recent decision on accessing employees’ private messages has had a lot of publicity.
There have been suggestions that the judgement means that employers can have free reign to go checking up on their staff. That’s not correct at all, and nothing has really changed.
The European Convention on Human Rights, which is incorporated into UK law, states that everyone has the right to respect for their private and family life, their home and their correspondence. There should be a balance between the general interest of the community and the individual’s fundamental freedoms. Although only public bodies must expressly comply with this right, it is relevant to all employers (including the private sector) as courts and tribunals must interpret, as far as possible, all legislation consistently with the right.
In this latest case the ECHR had to determine whether an employer acted lawfully by accessing an employee’s private messages on a business Yahoo Messenger account, where the employer’s rules banned use of the company’s IT systems for private purposes.
The Court held that the right to privacy was engaged, but that it was reasonable and proportional to check that the employee was completing professional tasks during working hours. The Court was, particularly swayed because the account had been accessed on the assumption that the messages related to professional activities.
The Court did not state that employers could access/monitor business or private accounts as a matter of course. Everything will depend on the particular circumstances. In the situation where an employer has a policy that allows employees some personal usage of the company IT equipment and may monitor that usage, monitoring could be acceptable. But it would still have to be reasonable and proportional.
Our data protection law does require employers to provide detailed information to their employees about the employer’s monitoring activities. Employers should have legitimate grounds for the monitoring and avoid unjustified intrusions into employees’ private life. The monitoring of email content from private accounts, for example, would be seen as one of the most intrusive forms of monitoring - and could be very difficult to justify.
When it comes to monitoring, employers also have to consider the interception of communications framework. Before an interception, normally consent from the sender and recipient is required. Employers may, however, intercept employees’ communications which are “relevant to the business” without obtaining consent.
The difficulty though is how will the employer know for certain if an email or message is relevant to the business without opening it?
With the risk of claims, damages and fines, employers should think very carefully before snooping on their employees.