LRD guides and handbook February 2012

Social media, monitoring and surveillance at work - a practical guide for trade unionists

3. The key legislation covering employee monitoring and privacy

This section examines the main pieces of legislation designed to protect employee privacy in the UK. These are the Data Protection Act 1998 (DPA), which governs how and what kind of information employers can keep on workers, and the European Convention on Human Rights (the Convention), implemented in the UK via the Human Rights Act 1998 (HRA), which covers the issue of personal privacy at work.

In addition, the International Labour Organisation (ILO) has had a Code of Practice on the protection of workers’ personal data since 1996.

The Information Commissioner’s Office (ICO) publishes several useful guides on privacy rights. The ICO also publishes Codes of Practice on recruitment and selection, employment records, monitoring at work, CCTV and medical information, and on collecting personal information online, for example through an online application form (www.informationcommissioner.gov.uk).

Unlike the Data Protection Act itself, the Codes of Practice are not law. The basic legal requirement is to comply with the DPA itself. The Codes contain the Commissioner’s recommendations on how the legal requirements of the DPA can be met but organisations can use other means to meet the requirements. However, if they do nothing, they risk breaking the law.

Reps should also be aware of the provisions of another Act affecting privacy — the Regulation of Investigatory Powers Act 2000, and the draft Protection of Freedoms Bill.

While a thorough knowledge of the law is desirable, there is no doubt that, in practice, strong unions and effective organising are likely to be more effective at securing improvements to the working practices highlighted in this booklet than reliance on individual legal rights, or the actions of enforcement agencies such as the Information Commissioner.

The European Convention on Human Rights and the Human Rights Act

In 2007, a secretary at Carmarthenshire College in Wales won a legal battle against her employers and the UK government after a senior member of staff secretly monitored her personal communications for up to 18 months. She sued her employer for breaching the European Convention on Human Rights (ECHR). The European Court of Human Rights found her employers had violated her right to privacy when they logged details of her personal phone calls, analysed websites she visited and tracked her email correspondence. Represented by human rights organisation Liberty, the secretary was awarded £2,100 in damages for stress and anxiety suffered in the workplace.

The monitoring in this case preceded the implementation of the Human Rights Act 1998, which introduced a general right to privacy in English law. Employers must now ensure that employees are aware that their communications could be monitored, and that there is a good reason for such monitoring in every case. Surveillance must be justified and proportionate.

Article 8 of the Convention provides the right to respect for “private and family life, home and correspondence”. As the TUC states: “Employees have a right to a personal life, and provided they do not breach reasonable conduct guidelines, employers should respect this”.

Although the HRA only binds public bodies and not private employers or individuals, courts and tribunals (including employment tribunals) are public bodies. This means they must take into account the human rights in the Convention when making all decisions. The rights can also be directly enforced by employees of public authorities such as government departments or local authorities.

Arguments about the human right to privacy surface most frequently in cases involving covert surveillance. The leading “covert surveillance” cases in the employment sphere are looked at below.

As you would expect, the right to privacy is not without limits. Intrusions on privacy are allowed where they can be justified as a proportionate means of achieving a “legitimate aim” identified in the Convention. In the context of employment, the “legitimate aims” most commonly relied on are:

• preventing disorder or crime; and

• protecting health.

Tribunals have adopted a relatively wide interpretation of “preventing disorder or crime”. This has given employers considerable confidence and has led to increased use of covert surveillance to investigate issues like clocking infringements, time sheet fraud and sick pay claims. The leading case is McGowan v Scottish Water [2005] IRLR 167:

The EAT decided Mr McGowan’s human rights had not been breached by Scottish Water when it carried out covert surveillance of his home to establish whether he had been falsifying his time sheets. Mr McGowan lived in a tied house very near the water treatment plant where he worked. His employer suspected he was falsifying time sheets to show false call outs and claiming for work he had not done. So it engaged a firm of private investigators to watch his house from the other side of the public road, making a video of his comings and goings over the course of a week to compare with his time sheets. This led to his dismissal.

He brought an unfair dismissal claim in the Employment Tribunal arguing that his human right to respect for his private and family life had been breached by these activities.

Both the tribunal and the EAT found against him. They concluded that Scottish Water did not infringe Article 8 because the employer was investigating criminal activity — suspected fraudulent timesheets. This went to “the essence of the obligations and indeed rights of the employer to protect their assets”.

Before engaging investigators, Scottish Water had considered other options, such as installing CCTV within the workplace, but this would not have addressed its particular concern. There was no requirement to warn Mr McGowan in this case, since this would have defeated the purpose of the exercise, although “we would expect that normally an employer would warn employees [for example in a policy] that under certain circumstances they may be subject to covert surveillance”. The key question was whether Scottish Water’s response was proportionate and the EAT concluded that it was. However, this outcome was by no means a foregone conclusion. It was not a unanimous decision.

McGowan v Scottish Water [2005] IRLR 167

Reps should note that the fact that Scottish Water considered whether there were alternative means of addressing the problem before deciding to engage private investigators contributed to the tribunal’s conclusion that its decision to use investigators was “proportionate”.

A particular area of concern for workers and union reps has been the growth in the practice of engaging private investigators to snoop on workers claiming sick pay. For example in McCann v Clydesbank College UKEAT0069/09:

Mr McCann was a part-time college lecturer in motor engineering. He also worked part-time at a garage he owned, a fact that was well-known to his colleagues. He was signed off sick for stress and hypertension and was paid sick pay for his contracted 26 hours a week. The College suspected he was working at his garage and brought in private investigators who watched both his home and the garage daily over one week, producing a DVD which showed him at work in the garage. Mr McCann was dismissed for gross misconduct. He challenged his dismissal, arguing that the surveillance infringed his right to privacy and that the dismissal was unfair. The EAT followed McGowan (above) to conclude that the covert use by the college of private investigators to snoop on Mr McCann was a “proportionate” response and did not make the dismissal unfair.

McCann v Clydesbank College UKEAT0069/09

Covert surveillance is governed by Part 3 of the Information Commissioner’s Code of Practice, Monitoring at work, which advises, in particular, that covert monitoring of workers can rarely be justified and should not be carried out unless it has been authorised at the highest level of the organisation.

Email and telephone usage

Because the Human Rights Act extends to the workplace, workers have the right to a “reasonable” amount of personal correspondence and calls during work time. This does not mean workers have the legal right to use the work phone, email or internet for personal reasons (although the Act does suggest that employers should make sure workers have access to some private communication system). Good employers will trust their staff to make reasonable private use of these facilities, as long as that use does not interfere with work or bring the employer’s business into “disrepute”.

There should be a policy in place explaining clearly what amounts to reasonable use. It should also cover information about monitoring and access. Chapter 5 looks at how to negotiate a good policy.

An employer intending to monitor email or internet use must first inform staff. This is normally done through a policy or employment contract.

The Regulation of Investigatory Powers Act 2000 (RIPA) prohibits intentional “interception” of emails without lawful authority. The Act therefore bans an employer from deliberately reading the content of emails that are obviously private, even when sent using the work email system, unless there is an exceptional reason, for example the investigation of criminal activity.

Protection of personal information under the Data Protection Act

The Data Protection Act 1998 regulates the processing of data about individuals in employment.

What is personal data?

“Personal data” is any information from which a worker can be identified, either on its own or when viewed alongside other information held by the employer, and which affects an employee’s privacy: either his or her personal, family or working life. Personal data can be on paper, stored on a computer system or processed through email and it must be easy to find. The DPA is aimed at computer records and electronic filing systems but it will cover a manual filing system provided it is organised in a logical way that makes it easy to extract information quickly and with minimum effort.

As the TUC points out in its Guide to privacy: “Occasional references to you in a set of minutes from a team meeting, for example, are unlikely to count as personal information. Neither will information about the workforce that has been anonymised in a way that makes it impossible to identify any individual”.

The TUC’s Guide to privacy lists the following common examples of personal data held by an employer:

• information supplied on an application form;

• details of salary and bank account;

• an email about an incident involving you;

• details of your disciplinary record;

• an assessment of your work performance in a staff appraisal form;

• your image on a CCTV or video recording;

• an opinion your employer has expressed about you e.g. about your promotion prospects; and

• information compiled by your employer about your use of the email or internet at work.

Sensitive personal data

There is a separate category of information known as “sensitive” personal data. This is information or “data” that is so private that the employer must meet a higher standard of protection. Sensitive information is information about an employee’s racial or ethnic origins, politics, religion, trade union membership, physical or mental health, sex life, sexual orientation, or criminal (or alleged criminal) activities, proceedings or convictions.

The core data protection principles

The DPA is built around the following eight “data protection principles” which an employer must follow:

• to process personal data fairly and lawfully and to meet at least one of two conditions set out in the Act, namely either (1) that specific, informed, unpressured consent has been obtained or, if not, (2) that the processing is needed for one of the following purposes:

    – for the performance of the worker’s contract;

    – to meet any non-contractual employer obligations (for example, accident recording);

    – to protect a worker’s vital interests (for example, health);

    – for the administration of justice;

    – to protect the legitimate interests of the employer or others to whom the information is disclosed, unless this prejudices the worker’s own legitimate interests;

• to obtain and process data only for specified and lawful purposes;

• to hold only data that is adequate, relevant and not excessive, given its stated purpose;

• to ensure stored data is accurate and up-to-date;

• not to keep data longer than necessary;

• to process data in accordance with the rights of individuals;

• to take appropriate measures against unauthorised or unlawful processing, or accidental loss, damage or destruction of the data. This includes taking security measures to keep data safe and making sure third parties (for example, outsourcing companies responsible for paying wages) do the same; and

• not to transfer data outside the European Economic Area without ensuring its adequate protection.

For sensitive personal data, the employer must also meet at least one of the conditions set out in Schedule 3 of the Act. These include express, informed consent. The Act contains an exemption to allow employers to collect data to monitor equality of opportunity, provided the exercise is carried out in a way that safeguards privacy (usually by anonymising results).

The Employment Practices Code

The Code is issued by the Information Commissioner under powers granted by the Data Protection Act (DPA). Like all ICO codes and guidance, it can be freely downloaded from the Information Commissioner’s website. It contains advice on dealing with employment records. It explains that the DPA does not prevent employers collecting information about job applicants and staff, but that the Code aims to strike a balance between the employer’s need for information and an individual’s right to respect for their private life. Here is some of the key guidance taken from the Code:

• employers do not need consent to keep records for employment-related purposes, but the watchword is openness: individuals must know what the information is to be used for, and it should be used only for that purpose;

• anyone with access to employment records must understand that data protection rules apply and that personal information must be handled with respect;

• employers should check that those asking for information are who they claim to be, and that they are entitled to access;

• fairness to the worker should be the first consideration. Data protection law will not prevent disclosures that employers are legally obliged to make, for example to HM Revenue and Customs, but employers must be careful not to disclose more information than is required;

• a confidential reference or similar information should not be supplied without a worker’s consent;

• workers should be allowed to check their own records periodically to ensure mistakes can be corrected and information kept up to date;

• employment records must be secure, with paper records under lock and key and using password protection for computerised records. Only staff with proper authorisation and the necessary training should have access to them;

• where possible, sickness records containing information about a worker’s illness or medical condition should be kept separate from other less sensitive information, for example a simple record of absence. Except with the worker’s express consent, information about a worker’s condition should only be shared with others, for example the line manager, where the information is genuinely needed in order to carry out the job, with maximum collaboration with the individual worker; and

• when employers no longer have a business need or legal requirement to keep a worker’s employment record, it should be securely disposed of, for example by shredding.

College lambasted for “shoddy and slapdash” email

In 2002, Rob McKie left his job at Swindon College with an excellent reference to join the City of Bath College. Two further career changes led him to a position as director of studies for lifelong learning at the University of Bath. His new job involved him travelling to other campuses including Swindon College.

Two weeks into this new job, the Swindon HR manager sent an unsolicited email to the University of Bath. This stated: “We would be unable to accept Rob McKie on our premises or delivering to our students [because] we had very real safeguarding concerns for our students and there were serious staff relationship problems during his employment at this college”. The email went on to claim that no formal action had been taken against Mr McKie but that Swindon understood similar issues to have arisen at the City of Bath College.

The judge was astonished to find that there was no factual basis for any of the claims in the email. Worse still, its author had no personal knowledge of Rob McKie’s employment at Swindon and had made no attempt to investigate or corroborate rumours reported to him by another member of staff before sending the email.

As a result of the email, Bath University summarily dismissed Mr McKie who was still inside his probation period. He brought a successful claim in negligence against Swindon College. The judge condemned the college’s internal HR processes as “slapdash [and] sloppy, failing to comply with any sort of minimum standards of fairness” and concluded that Swindon College owed a duty of care to Rob McKie when it decided to publish the email. Mr McKie suffered very substantial and entirely foreseeable financial loss as a result of that decision — the loss of his new job at Bath University — for which the college was liable. As the judge said:

“At the very least, one might have thought that, if an email such as this was going to be sent to a major educational institution such as Bath…where it was blindingly obvious that it would have an impact on [Mr McKie’s] employment situation, at the very least one would have expected that there would be a formal meeting, a formal discussion, a formal examination of the personnel record, a formal recording of the processes that led to the taking of the decision, not winging off an email after a discussion…”

Mr Robert McKie v Swindon College [2011] EWHC 469

Recruitment and selection

The Data Protection Act 1998 (DPA) applies to recruitment and selection procedures. Again, transparency is key. Applicants should be informed what information is being gathered about them and what it will be used for.

Covert gathering of information about applicants — for example checking an applicant’s profile on Facebook — is unlikely to be justified under the DPA and may also result in unlawful discrimination.

The TUC’s guidance Facing up to Facebook recognises that this “is no doubt a temptation for many managers seeking to appoint staff, but any employer who takes equal opportunities in recruitment seriously should not be considering this. As only a minority of potential staff will have public profiles on social networks, using information from this source can give an unfair advantage or disadvantage to certain candidates.”

The TUC’s guidance points out that employers may be open to charges of discrimination on grounds of ethnicity, sexuality or other criteria, if this information is not available on application forms but can be deduced from a search of personal profiles online. Nevertheless, there is evidence that this practice is becoming widespread. Research by job search website CareerBuilder from early 2010 concluded that well over half of UK employers now use social networking sites such as Facebook, LinkedIn and Twitter to informally screen applicants, with two in five admitting to changing a hiring decision as a result of material uncovered. A report commissioned by Acas in 2011, Workplaces and social networking: the implications for employment relations, cites US research from 2009 showing that the most common reasons for rejecting candidates after reviewing their online footprint are “lifestyle” rather than employment-based (for example, posting “provocative or inappropriate” photographs).

The Employment Practices Code recommends:

• making sure the organisation is identified properly in any recruitment advertisement. If a recruitment agency is being used, it must identify itself;

• using the information collected for recruitment or selection only. If an organisation intends using the information for any other purpose, such as adding names to marketing lists, this must be clearly explained;

• ensuring everyone involved in recruitment and selection understands that data protection rules apply and that they must handle personal information with respect;

• not collecting more personal information than is needed. It is a breach of data protection rules to collect personal information that is irrelevant or excessive. For example, bank details will only be needed from the successful candidate and details of motoring offences should only be needed to recruit drivers;

• keeping personal information secure: it should not normally be disclosed to another organisation without the individual’s consent;

• only asking for information about criminal convictions if this is justified by the type of job. An employer must not ask for “spent” convictions unless the job is covered by the Exceptions Order to the Rehabilitation of Offenders Act 1974;

• if information is to be verified, this must be made clear to the applicant, who should be told how this is to be done and what information will be checked;

• if criminal conviction information needs to be verified, this should only be done by obtaining a “disclosure” from the Criminal Records Bureau (CRB). Employers must ensure they are entitled to this information and must follow CRB procedures stringently. An employer should only keep a record that a satisfactory/unsatisfactory check was made and must not hold on to detailed information;

• only keep information obtained through a recruitment exercise for as long as there is a clear business need; and

• job application forms should warn the applicant of the employer’s intention to process information provided in the course of the job application and ask the applicant to give consent.

A worrying development is taking hold in the United States which threatens to formalise this practice. The Social Intelligence Corporation is a US company that carries out formal background checks for employers on a candidate’s “internet footprint”. Searches can only be conducted with the candidate’s consent, but in practice, a candidate withholding consent is unlikely to progress in the application process.

The company conducts an “in-depth” search of all publicly accessible material placed on the internet by or about the candidate over the previous seven years. This includes social networking sites like Facebook, professional networking sites like LinkedIn, blogs, Twitter, and video and picture-sharing websites. The organisation claims to filter out potentially discriminatory material, such as details of a candidate’s sexual orientation or disability, before producing a summary report for the employer setting out positive aspects of the candidate’s digital footprint (charity work, professional achievements and so on) alongside negative ones.

One real-life example of a job application turned down following a Social Intelligence report was an individual rejected because he was shown to have joined the Facebook Group: “I shouldn’t have to press 1 for English. We are in the United States: Learn the language”. This disturbing trend underlines the importance for employees (as well as students and job applicants) of exercising extreme caution when engaging in any online activity (see Chapter 4).

Record keeping

How long should records be kept?

The ICO’s Employment Practices Data Protection Code provides guidance on complying with the Data Protection Act 1998 (DPA) when retaining employment records.

The Act does not set a specific period, stating only that personal data should not be kept longer than is necessary for the purpose(s) for which it is being processed. Employers can therefore set their own retention periods, as long as these are based on business need and take into account any professional guidelines.

Records of disciplinary matters and grievances

Consistent handling of disciplinary matters will be difficult unless simple records are kept of decisions and how they were made. These records should be confidential, detailing the nature of any breach of disciplinary rules, the action taken and the reasons for it, the date action was taken, whether an appeal was lodged, its outcome and any subsequent developments. Records of grievances are also protected by the DPA.

Records must be kept confidential and be adequate, relevant, accurate and secure. Records of disciplinary and grievance matters should only be kept if they adhere to DPA principles. Workers should be given the opportunity to check and comment on the minutes of any meetings to ensure accuracy. There must be clear procedures on the handling of spent warnings.

Monitoring at work

Part 3 of the Employment Practices Code covers monitoring at work. There is also a separate Code of Practice, revised in 2008, focusing in more detail on the use of CCTV by employers.

If workers are monitored by collecting or using information about them, the Data Protection Act will apply. This covers CCTV, phone call logging, email and internet monitoring. The DPA does not prevent monitoring, but sets out principles for the gathering and use of personal information. Any adverse effect on workers must be justified by its benefit to the employer.

The DPA requires transparency. Workers must be told the nature, extent and reasons for any monitoring unless, exceptionally, covert monitoring is justified (see below).

Employers engaging in monitoring activities should:

• demonstrate good cause for monitoring employees and consider whether alternative approaches or different methods of monitoring might deliver the same benefits and be more acceptable to workers;

• ensure workers know they are being monitored and why;

• if monitoring is to be used to enforce rules and standards, make sure workers know clearly what these rules and standards are;

• only use information obtained through monitoring for the purpose for which it is carried out, unless it leads to the discovery of an activity that no employer could reasonably be expected to ignore, for example breaches of health and safety rules that put other workers at risk;

• keep information gathered through monitoring secure and not retain it for longer than necessary, or keep more information than is strictly necessary;

• only allow one or two people access to computer logs or phone recordings – consider, for example, whether these activities should be carried out by security or HR personnel, rather than line managers;

• not read emails or listen to calls which are clearly personal or private;

• make sure workers know it may be necessary to check their email accounts or voice mails in their absence;

• target video or audio monitoring where it is justified, at areas of particular risk, and only use it where workers would not expect much privacy;

• obtain information about a worker’s criminal convictions for monitoring only if justified and only through a “disclosure” from the Criminal Records Bureau; and

• not monitor workers just because a customer imposes a condition requiring this, unless the employer is satisfied the condition is justified under the DPA.

Covert monitoring

The Code contains clear guidance limiting the covert monitoring of workers. In particular:

• covert monitoring “can rarely be justified” and should not be carried out unless authorised at the highest level;

• there should be grounds for suspecting criminal activity or equivalent malpractice which would be difficult to prevent or detect if staff were told about the monitoring;

• covert monitoring must never be used in places such as toilets or private offices “unless serious crime is suspected and there will be police involvement”; and

• covert monitoring must only be used as part of a specific investigation and must stop once the investigation is complete.

General union Unite recommends reps negotiate clear agreements or codes to protect staff from unjustified surveillance and monitoring. Clear rules will ensure everybody knows where they stand and should commit employers to basic principles for privacy protection, including the need to set out the precise limits of any monitoring. Unite recommends reps negotiate the right to be consulted whenever covert monitoring is suggested or implemented, and that covert monitoring should be limited to cases where there is a genuine, specific need to protect the safety, security and integrity of the organisation.

Covert monitoring should never be used to monitor workforce performance or attendance. Reps could consider negotiating the right to audit the use of covert surveillance after the event, to make sure the practice is kept under critical review, although reps may understandably be reluctant to do this, if there is a danger of appearing to condone the surveillance activity. In any event, any surveillance must be strictly time-limited and all attempts to extend monitoring into employees’ private lives should be fiercely resisted.

Use of CCTV

Most uses of CCTV by organisations or businesses will be covered by the DPA and specifically by the 2008 CCTV Code of Practice issued by the Information Commissioner (free to download from the ICO website).

Before installing CCTV, the employer should always conduct an impact assessment to assess its impact on privacy and to decide whether it is a proportionate response to the problem identified. Where a union is recognised, reps should be involved in drawing up and reviewing the results of the impact assessment. Important issues to cover include:

• identifying the purpose of the CCTV and addressing whether it is likely to resolve the problem;

• asking whether another less intrusive solution might work equally well;

• finding out the views of those who will be under surveillance; and

• examining how to minimise intrusion for those who will be monitored, in particular, addressing any specific concerns raised during the consultation.

Employers should be reminded that monitoring is usually intrusive, that workers legitimately expect to keep their personal lives private and that they are entitled to some privacy in the work environment. The Code describes the use of recording in particular as “highly intrusive” and warns organisations that its use would only ever be justified under the DPA in “highly exceptional circumstances”.

Making a Data Subject Access Request

Workers have a right to access their own personal data as long as this is held either on a computerised system or on paper and organised as a “relevant filing system”, in other words, a system that enables information to be retrieved quickly and easily. This includes data about an individual worker relating to issues such as performance management, discipline, grievances and individual sickness absence. The technical term for the request is a “Data Subject Access Request”. Workers can be asked to pay a fee but this must be limited to £10.

The employer must respond to a written request promptly and in any case within 40 days. The request can be refused if releasing the information would:

• breach a duty of confidence to someone else (this objection can sometimes be overcome by suggesting that the identity of other individuals is covered over);

• involve “disproportionate effort”. (The low maximum fee of £10 is intended to reflect the fact that information retrieval is meant to be a simple administrative step, requiring minimal thought and effort. The rule of thumb is whether a newish temp could retrieve it easily. The best way to avoid this objection is by ensuring any request is as simple, specific and straightforward as possible, and confined to information you really need, rather than “fishing” more generally); or

• risk damaging ongoing negotiations between you and your employer, for example as to pay, or disclose legally privileged (i.e. confidential) communications with your employer’s solicitors about you.

There is no right of access under the DPA to management planning data where this would prejudice the conduct of the business, for example, future plans about redundancy or reorganisation.

It is worth remembering that an email system such as Microsoft Outlook is likely to be a “relevant filing system” for the purposes of the DPA. The management practice of planning and sharing personnel decisions internally using email can provide a fertile source of evidence of the employer’s real intentions and the timing of decisions. Any request for copies of emails should be as specific as possible, to overcome an objection that the request is disproportionate, where possible identifying clearly the names of senders and recipients, with approximate dates.

Useful guidance on making requests is provided on the ICO website. See also the Equality and Human Rights Commission’s publication: Using the Data Protection Act and Freedom of Information Act in discrimination cases, free to download from its website at: www.equalityhumanrights.com/uploaded_files/research/rr69.pdf.

Discrimination — the statutory questionnaire procedure

If a worker suspects that a decision about him or her has been taken for a discriminatory reason (for example, disability or pregnancy), an alternative way of forcing an employer to disclose useful information is via the statutory questionnaire procedure. These questions can be wide-ranging, and can ask, for example, about past practice when making similar decisions. Guidance on using the questionnaire procedure can be found on the Equality and Human Rights Commission website at: www.equalityhumanrights.com/advice-and-guidance/information-for-advisers/taking-discrimination-cases/.

It can also be a good idea, when considering a claim against an employer, to ask for a written undertaking that electronic folders (for example, Outlook folders) containing potentially relevant content will not be deleted. Then if you later bring legal proceedings and the employer turns out to have deleted potentially important electronically stored data such as emails for administrative reasons, you can draw your original request to the tribunal’s attention to help undermine the employer’s credibility.

Remedies under the Data Protection Act

The remedy for breach of the Data Protection Act (DPA) is an enforcement notice issued by the Information Commissioner. An enforcement notice is a legally binding document setting out what an organisation must do (or stop doing) to comply with the law. Since April 2010, the ICO has been empowered to impose fines of up to £500,000. In practice, however, enforcement notices for data infringement are very unusual and confined to the most serious cases.

A Freedom of Information request by encryption firm ViaSat in 2011 revealed that of 2,565 data breaches reported to the watchdog in the year following the introduction of the new higher penalties, only 36 cases resulted in any action and only four cases resulted in a fine.

Contact details for the Information Commissioner’s office appear at the end of this booklet. Directions explaining how to make a complaint are set out on the website.

Blacklisting and data protection

New regulations, the Employment Relations Act 1999 (Blacklists) Regulations 2010, came into force in 2010. These make it unlawful for trade union members to be denied work as a result of their names appearing on a blacklist. The new regulations outlaw the compilation, dissemination and use of blacklists and extend to employment agencies. The regulations enable individuals or unions to pursue compensation claims against those who compile, distribute or use blacklists.

In May 2010, an employment tribunal ruled that information on files compiled by blacklisting organisation, The Consulting Association, held by the Information Commissioner, should be made public. This has led to several successful tribunal claims by reps blacklisted by employers using information provided by the organisation. Construction companies named by the Information Commissioner for blacklisting (listed on its website) include many multinational construction companies. For further information, see the LRD booklet Safety reps in action 2011 and the Blacklist Blog at: www.hazards.org/blacklistblog.

The ILO Code: The Standard for Workers’ Rights

In 1996, the International Labour Organisation (ILO) adopted a Code of Practice for the protection of workers’ personal data. Like all ILO Codes of Practice, it is non-binding and does not replace national or international laws and regulations but it is intended to provide practical guidance on best practice for use in the development of legislation, policies and collective agreements. Most of the ILO Code is now reflected in the eight data protection principles enacted via the DPA.

The full text of the Code can be downloaded at: www.ilo.org/wcmsp5/groups/public/---ed_protect/---protrav/---safework/documents/normativeinstrument/wcms_107797.pdf.

The Regulation of Investigatory Powers Act 2000

The Regulation of Investigatory Powers Act 2000 (RIPA) regulates the powers of public bodies to carry out surveillance and investigation and covers the interception of communications. In 2003, wide-ranging extensions were made to the list of those entitled to see information collected under the RIPA. The list now includes jobcentres, local councils and the Chief Inspector of Schools. Civil rights and privacy campaigners have dubbed these extensions a “snoopers’ charter”. When the Act was passed, only nine organisations (including the police and security services) were allowed to invoke it but, by 2008, its use was permitted by 792 organisations (including 474 councils).

The Act enables the following:

• the government can demand that an ISP provides access to a customer’s communications in secret;

• mass surveillance of communications in transit;

• the government can demand ISPs fit equipment to facilitate surveillance;

• the government can demand that someone hands over keys to protected information;

• it allows the government to monitor people’s internet activities; and

• it prevents the existence of interception warrants and any data collected with them from being revealed in court.

A 2010 report by Big Brother Watch revealed that 372 local authorities have used RIPA powers to launch over 8,500 covert surveillance operations, including for offences such as fly-tipping and dog fouling. These have included surveillance of their own staff.

London’s Hammersmith and Fulham Council checked on their employees claiming time off sick, and Darlington Council made sure their employees were following parking regulations. According to updated figures released by Big Brother Watch in January 2012, Newham Council in east London paid £10,392 to private investigators to snoop on a member of staff, while north London’s Barnet Council paid £6,785 to investigate two employees who had brought personal injury claims against the council.

The coalition government has promised to curb the use of surveillance powers and has produced a draft Bill — the Protection of Freedoms Bill (see box below). Under the Bill, once enacted, councils will need to justify their need to use RIPA powers before a Magistrates’ Court.

The Protection of Freedoms Bill

This new Bill aims to address privacy issues and government intrusion into individual lives. If it becomes law, it will introduce measures relating to covert surveillance, CCTV, DNA retention, fingerprinting children in schools, powers of entry, detention without charge, wheel clamping and serious fraud trials.

The Bill’s aims include:

• a new framework for police retention of fingerprints and DNA data;

• a new Code of Practice for surveillance camera systems;

• a new requirement for local authorities to seek judicial approval of surveillance activities (see above);

• a new requirement on schools to obtain parental consent before processing children’s biometric information (fingerprinting);

• merging the Criminal Records Bureau and the Independent Safeguarding Authority to provide a more “streamlined” checking service for those who work “closely and regularly” with children or vulnerable adults;

• job applicants will be able to see the results of their criminal records check before their prospective employer, so mistakes can be corrected. The Bill also proposes portability of criminal records checks between jobs.

The new CCTV Code of Practice will be aimed, for example, at town centre CCTV systems and vehicle surveillance systems (such as speed cameras and other automatic number plate recognition systems) in public settings, rather than CCTV systems put in place by most employers. Initially at least, only the police and local government will have to follow the new Code. The Information Commissioner has expressed concern about the importance of ensuring this new Code does not cause confusion, especially given the continued need for employers and other organisations to comply with the ICO’s CCTV Code of Practice, which will remain in place.