Monitoring of Employee Internet and Systems Use – How to Reduce the Risk of Successful Claims

The recent European Court decision on the monitoring of employee private messages is a timely reminder of the need for all organizations to have in place clear policies regulating the use of the Internet and systems and how these are monitored by the employer.

On January 12th the European Court of Human Rights (ECHR) ruled that an employer could review an employee's personal messages and that in doing so it had not breached the employee's right to privacy. The case is a timely reminder to all employers to ensure that appropriate and well-publicized policies are in place prior to undertaking any legitimate monitoring of employee Internet/systems use. Without such policies, the employer will be vulnerable to legal claims.

In the ECHR case, the employee was employed by a private company as an engineer in charge of sales. At his employer's request he created a Yahoo Messenger account for the purpose of responding to customer enquiries. The employee was informed by his employer that his Yahoo messages had been monitored and that the records showed that he had used it for personal purposes. The employer terminated the employee's employment for breach of the company's internal policy which prohibited the use of company resources for personal purposes. Among other things, the employee claimed that his messages were protected by Article 8 of the European Convention on Human Rights which states that "everyone has a right to respect for private and family life, his home and correspondence". The ECHR held that the employer's conduct had been reasonable and that the monitoring of the employee's communication had been the only method of establishing whether there had been a breach of policy by the employee. The ECHR also noted that the employee had been informed of the employer's internal policy on Internet and systems use.

Generally, employees have a reasonable expectation of privacy even in the work environment. Therefore, if an employer wishes to monitor Internet/systems use, it should be clear as to the reasons and ensure that the particular monitoring arrangements are proportionate and justifiable. The employer should ensure that all employees are aware of the nature, extent and reasons for monitoring unless covert monitoring is justified. In addition, given the increased use of employees' own devices for work purposes, it is necessary for employers to provide clear guidance on monitoring of Internet and systems use via the employee's own device.

In order to monitor lawfully, employers should undertake the following:

  • identify (and document) the reasons for the need for monitoring, e.g., compliance with internal policies on access to inappropriate content, training purposes etc.;
  • undertake a formal or informal impact assessment to decide if and how to carry out monitoring. Best practice suggests that this impact assessment should be documented so that there is a paper trail to justify why and the circumstances under which monitoring can take place, why there are no reasonable alternatives and that the monitoring is proportionate and justifiable - that is, employers should undertake a balancing exercise considering the impact on the employee's private life as against the benefits to the employer;
  • formulate and publicize an IT/Communications policy which fully explains the nature of the monitoring, how information obtained through monitoring may be used and who has access to the information. The policy should be as specific as possible since a general notice of potential monitoring will be insufficient. The policy should be made available to new employees during their induction and IT systems should be set up so that employees must read (or at least acknowledge) the policy in full before they can access email or the Internet. Furthermore, periodic training should be provided to all staff. In addition, specific training should be given to those employees who will have access to the information obtained through monitoring, to reduce the risk of claims that the information is being used for inappropriate purposes.

If you have any questions about this note, or if you would like further information, please contact Barry Fishley.