7. The key laws covering employee monitoring and privacy
This Chapter examines the main pieces of legislation designed to protect employee privacy in the UK that might impact on the workplace and employment relations. These are:
• The European Convention on Human Rights (the Convention), implemented in the UK via the Human Rights Act 1998 (HRA);
• Data Protection Act 1998 (DPA);
• Regulation of Investigatory Powers Act 2000 (RIPA);
• Telecommunications Regulations 2000; and
• Protection of Freedoms Act 2012 (POFA).
There are also important Codes of Practice:
• International Labour Organisation (ILO) Code of Practice on the protection of workers’ personal data, published in 1996;
• Data Protection Employment Practices Code published by the Information Commissioner’s Office (ICO) on privacy rights, including recruitment and selection, employment records, monitoring at work, CCTV and medical information and on collecting personal information online, for example, through an online application form;
• A new ICO data protection Code of Practice dealing with surveillance cameras and personal information, published in May 2015;
• A separate statutory Code of Practice on Surveillance, published in June 2013 under the Protection of Freedoms Act 2012 (which also created the new post of Surveillance Commissioner).
Unlike the Data Protection Act itself, the ICO data protection Codes of Practice are not law. The basic legal requirement for organisations is to comply with the DPA. The Codes contain the Information Commissioner’s recommendations on how this can be achieved. Although organisations are free to use other means to meet the requirements rather than following the Code, if they do nothing, or if the measures they take fall short of the eight “data protection principles” in the DPA (see page 60), they risk breaking the law.
The employment contract is also an important source of workers’ rights in this area. In particular:
• the contract is likely to contain express contract terms permitting some degree of monitoring at work. As explained in this Chapter, without a clear express term, many forms of workplace monitoring are likely to be unlawful;
• intrusive monitoring may be a breach of the fundamental duty of trust and confidence implied into all employment contracts, as well as a breach of the duty of good faith, especially where it is introduced without a proper impact assessment and full consultation with a recognised trade union;
• where a union is recognised, collective agreements may be in place regulating workplace monitoring, especially the uses an employer can make of the results. In some cases, collectively agreed terms on monitoring may be legally enforceable.
Although a thorough knowledge of the law is desirable, in practice, improvements to the working practices highlighted in this booklet rely on strong unions and effective organising. Even before the introduction of employment tribunal fees led to a collapse in employment tribunal claims (down 79% by March 2014), “individual rights-based” approaches were largely ineffective in this area. The same is true of the powers of over-stretched enforcement agencies such as the ICO. In 2010, the ICO was given the power to issue fines of up to £500,000 for breaching the DPA but to date the power has been used very sparingly.
A 2012 report by the Equality and Human Rights Commission into privacy rights in the UK described the UK’s legislative framework as “patchy” and concluded that “the current legal and regulatory system is not providing adequate protection for personal information” and that regulators are “not equipped to deal with the sheer amount of information being processed and shared”. Broadly, the legislative framework has failed to keep up with technological change and with the spread of surveillance, monitoring and data collection.