Employment Alert No. 65 - The "Monitoring at Work" Code

June 11, 2003

Richard Thomas, the Information Commissioner, has now published the third part of the Employment Practices Data Protection Code, which deals with how to monitor employees.

Monitoring is described in the Code as "activities that set out to collect information about workers by keeping them under some form of observation, normally with a view to checking their performance or conduct … directly, indirectly … or by electronic means".

The Code is available for download on the Commissioner's website - www.dataprotection.gov.uk/dpr/dpdoc.nsf. We advise all human resources departments to obtain a copy, to keep with the two other parts (on recruitment and selection, and employment records).

What status does the Code have?

This part of the Code, like the earlier two parts (see Employment Alerts No. 43 and 49), supplies good practice guidance and does not have the force of law per se. The Data Protection Act 1998 is still the primary source of employer legal obligations. The Code sets out the Information Commissioner's recommendations as to how the legal requirements of the Act can be met. Employers may have alternative ways of meeting these requirements, but, the Code warns, "if they do nothing they risk breaking the law".

What does the Code say?

The Code sets out some common-sense core principles - at some length. Part 3 is 43 pages long and full of cross-references to Parts 1 and 2 and to a further document called "Supporting Guidance", which is also available on the website. In brief, however, the following are the "Core Principles" to bear in mind.

  • It will usually be intrusive to monitor your workers.
  • Workers have legitimate expectations that they can keep their personal lives private and that they are also entitled to a degree of privacy in the work environment.
  • If employers wish to monitor their workers, they should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by real benefits that will be delivered.
  • Workers should be aware of the nature, extent and reasons for any monitoring, unless (exceptionally) covert monitoring is justified.
  • In any event, workers' awareness will influence their expectations.

What specific guidance is given in the Code?

The Code balances the recognised and legitimate need of employers to check on quality and quantity of work, health and safety, security and conduct with the adverse impact such checking may have on workers.

It calls on employers to carry out an ends/means analysis or "impact assessment" when they decide to conduct monitoring.

The Code suggests particular steps to take in doing "impact assessments":

  • identify clearly the purposes behind the monitoring arrangements and the benefits;
  • identify any likely adverse impact of the monitoring arrangement;
  • consider alternatives to monitoring or different ways in which it might be carried out;
  • take into account the obligations that arise from monitoring (primarily to keep information secure and to allow access to it by the individual concerned);
  • judge whether monitoring is justified.

This series of factors would be easy to capture in a form for use by management where any unusual monitoring is to be used. The Code says that making an impact assessment need not be complicated or burdensome. A simple mental evaluation may suffice, but if in doubt, a check list form will be helpful.

When is covert monitoring lawful?

The Code describes covert monitoring as "monitoring carried out in a manner calculated to ensure those subject to it are unaware that it is taking place".

The Code's advice recognises that employers may need to monitor covertly where there are grounds for suspecting criminal activity "or equivalent malpractice" AND where notifying individuals about the monitoring would prejudice its prevention or detection.

Provided such monitoring is

  • strictly targeted at obtaining evidence within a set time frame;
  • not used in areas which workers would genuinely and reasonably expect to be private;
  • carried out by people - including private investigators - who follow strict instructions to look only for relevant information and to keep it secure and confidential; and
  • confined to set purposes - with irrelevant information destroyed;

it should be lawful.

What if an employer wants to monitor a senior employee covertly in his office because of fears that confidential information is being leaked by him to a competitor? This would be "malpractice" but in an area where privacy, according to the Code, is expected. The Code allows "exceptions" in cases of suspicion of serious crime. This is where an impact assessment would be crucial.

Forewarn workers of likely monitoring

The Code emphasises that even though employers usually have good reasons for monitoring, it is important to manage employee expectations of privacy. Policy statements, particularly about e-mail and internet monitoring, are encouraged.

A helpful list of core features for an electronic communications policy is included in the Code:

Policy for the use of electronic communications

Employers should consider integrating the following data protection features into a policy for the use of electronic communications:

  • Set out clearly to workers the circumstances in which they may or may not use the employer's telephone systems (including mobile phones), the e-mail system and internet access for private communications.
  • Make clear the extent and type of private use that is allowed, for example restrictions on overseas phone calls or limits on the size and/or type of e-mail attachments that they can send or receive.
  • In the case of internet access, specify clearly any restrictions on material that can be viewed or copied. A simple ban on 'offensive material' is unlikely to be sufficiently clear for people to know what is and is not allowed. Employers may wish to consider giving examples of the sort of material that is considered offensive, for example material containing racist terminology or nudity.
  • Advise workers about the general need to exercise care, about any relevant rules, and about what personal information they are allowed to include in particular types of communication.
  • Make clear what alternatives can be used, e.g. the confidentiality of communications with the company doctor can only be ensured if they are sent by internal post, rather than by e-mail, and are suitably marked.
  • Lay down clear rules for private use of the employer's communication equipment when used from home or away from the workplace, e.g. the use of facilities that enable external dialling into company networks.
  • Explain the purposes for which any monitoring is conducted, the extent of the monitoring and the means used.
  • Outline how the policy is enforced and penalties which exist for a breach of policy.
  • There may, of course, be other matters that an employer also wants to address in its policy.

 

A time-saving tip

The Information Commissioner's website has teething problems, but when it is accessible, we also advise downloading "Monitoring at Work: Guidance for small businesses", whatever the size of your business.

The full Code is well worth reading, but to gain a quick overview of all the principles expounded at length, try reading the seven-page "Monitoring at Work: Guidance for Small Businesses" document first.

McDermott Will & Emery