Covert monitoring
[ch 4: pages 143-144]Part 3 of the Data Protection Code of Practice includes important guidance on when covert monitoring at work is permitted (see also Chapter 10, page 363). The Code says that covert monitoring can “rarely be justified”, must be authorised at the highest level and there must be grounds for suspecting criminal activity or equivalent malpractice which would be difficult to prevent or detect if staff were told about the monitoring.
The human right to respect for private and family life (Article 8 of the European Convention on Human Rights) is engaged when an employer conducts covert surveillance to investigate serious suspected misconduct (McGowan v Scottish Water [2005] IRLR 167).
Article 8 is not normally relevant where surveillance takes place in a public space with no reasonable expectation of privacy (City and County of Swansea v Gayle [2013] UKEAT/0501/12/RN).
The right to privacy is a qualified, not an absolute, right (see Chapter 1: Human rights, page 21). This means, for example, that covert surveillance will not breach the human right to privacy if the employer can show that the surveillance was a proportionate means of achieving a legitimate aim — usually fraud or theft prevention. Surveillance is likely to be proportionate in this context if:
• it is limited in time (for example, lasting just one week);
• surveillance is reactive – a short-term response to legitimate suspicions of grave and serious misconduct, such as suspected theft, as opposed to being permanently in situ, waiting to catch people out;
• alternatives have been considered;
• staff have been consulted (where a union is recognised, consultation should be via the union) and
• staff have been warned of the possibility of covert surveillance (for example in posters and written policies).
Private emails sent using a work system will normally be protected by Article 8 if there is a reasonable expectation of privacy (for example, if they have been clearly marked as “private”). In Garamukanwa v Solent NHS Trust [2016] UKEAT/0245/15/DA, a worker who sent malicious and unpleasant emails to colleagues’ work addresses did not have a reasonable expectation of privacy and so had no Article 8 protection.
Even so, it is common sense to avoid using devices belonging to the employer to send messages or create documents that you do not want to share with the employer, as the following case demonstrates:
In Barbulescu v Romania [2016] ECHR 61, the European Court of Human Rights (ECHR) ruled that Mr Barbulescu’s right to privacy was engaged when his employer read obviously private messages that had been sent to his girlfriend and brother using a Yahoo Messenger account set up at the employer’s request for work purposes. However, the court also ruled that there was no breach of privacy here. The employer had a rule banning private use of office IT systems and was entitled to check whether Barbulescu, (who denied using the Messenger account for private purposes) was “wasting time” instead of working. The only way to test whether he was telling the truth, said the ECHR, was to read the messages. An appeal was heard in November 2016 and is pending as Law at Work goes to press.
Barbulescu v Romania [2016] ECHR 61
In the UK, employers who read private messages without their employees’ consent risk breaching the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000 (RIPA).
Employers who breach the DPA 98 and/or the HRA 98 can be ordered to pay damages for distress and where proven, personal (psychiatric) injury (Brown v The Chief of Police of the Metropolis Claim No. 3YM 09078/2016).
LRD booklet: Monitoring and Surveillance at work, 2015 (www.lrdpublications.org.uk/publications.php?pub=BK&iss=1800)