Data Protection Principles and
Monitoring Electronic Communications –
Considerations for Internet and Email Use Policies

An enforceable and sensible email and internet use policy requires that the demands of employers must be tempered with the rights granted to individuals and their personal rights to privacy granted under European Directive and brought into force in the UK.

Monitoring Employees at Work

Employee monitoring may be considered more relevant to some businesses than others. In a highly digitised work environment information may be used and misused with onerous consequences for employers. It is important to understand the legal background to enable tailoring of particular dangers and risks for the particular business. Monitoring for the purposes of the health and safety of workers or the public, measuring efficiency of workers, monitoring addressees of emails sent by employees, conducted sensibly are legitimate goals.

Legislative Enactments and the Law

The rise of legislative influence from Brussels has resulted in the law being consolidated in three major enactments: Regulation of Investigatory Powers Act, Human Rights Act 1998 and Data Protection Act 1998.

This legislation forms the backdrop to an internet and email policy, which also needs to take account of employment law in the UK, and contract law in the case of independent consultants to businesses and play an important part in constructing a framework by which the interests of the employer is balanced with those of the employee, within a commercial context.

Notice of Monitoring Activities

Monitoring is a risky business and the headline theme to be drawn from the law is informed notice to those who may be monitored. Employees must have notice that they are or may be monitored intermittently. More specifically, the Regulation of Investigatory Powers Act and Human Rights Act 1998, both require the employer to tell the employee what they intend to track their online activity and furthermore, what they may do in tracking online activity.

There are several purposes for monitoring within the workplace; in order to make a judgement to determine whether the reasons are justified, the adverse effects of them must be taken into account. Acceptable objectives for monitoring include:

• checking the quality and quantity of work being done to make business more efficient.
• protecting business from potential legal action.
• protection of employees and customers e.g. ensure that sale working practices are adopted.
• Encouraging workers to treat customers’ personal information with respect and care.
• Prevent illicit use of information by workers.
• check compliance with legal requirements and company rules.
• Avoidance of harassment within the workplace.

Instances of Monitoring include:

• Gathering through point of sale terminals in order to check the efficiency of individuals e.g. supermarket check-out operators.
• CCTV recording on premises to ensure that health and safety rules are being followed.
• Checking email and voicemails to uncover any signs of malpractice.
• Using automated checking software to check for inappropriate emails, website logs.
• Recording phonecalls to and from call centres.
• Monitoring telephone logs e.g. for premium numbers, excessive personal calls.

The adverse impacts of monitoring are:

• intrusion into employee’s private lives, which may extend to the workplace.
• undermines the relationship of mutual trust, respect and confidence between employers and employees.
• sensitive information could be revealed; consider who is permitted to see such information e.g. disability/sickness records, racial origin/religious beliefs, trade union membership information or sexual preferences.
• obligations of confidentiality may be compromised.
• monitoring may be perceived as oppressive.

Alternative methods of achieving business objectives may be:

• implementing new methods of supervision within the workplace.
• working to achieve clearer communication between managers and staff.
• monitor specific individuals instead of the entire workforce, i.e. are they deemed "high risk".
• automated machine monitoring is less intrusive than an actual person doing it.
• random spot-checks and audits might be fairer and less onerous on the workforce than constant monitoring.

Information Commissioner's Employment Practices Code

Part 3 of the Employment Practices Data Protection Code “Monitoring at Work” issued by the Information Commissioner, offers guidance to employers and sets out the scope of data protection issues in the workplace. The Code requires that an employer must carry out an ‘impact assessment’ before monitoring, as employees are entitled to a degree of privacy. An impact assessment involves identifying the benefits of monitoring in the workplace, the potential adverse impact and the alternatives. Furthermore, the legal obligations of monitoring must be adhered to. Finally, in concluding whether such monitoring is justified, the advantages and disadvantages must be balanced, with emphasis on the need to be fair to individual employees’ right to privacy. The Code may be used as a reference point by the Commissioner in deciding whether a particular practice is contrary to the Data Protection Act.

Acknowledgement that monitoring takes place is ideally dealt with in contracts of employment.

Contents of the Policy

Absolute prohibitions in most cases will be appropriate to prevent employees inadvertently contracting over the Internet, or via email; banning of defamatory or obscene material; any illegal or criminal activity; and harassment and discrimination; and copying of third parties’ copyright material. Disclaimers with adequate coverage for the particular type of business may be appropriate, and inserted at the bottom of emails.

What To Do

It is important make it clear business objective and purposes for making Internet access and email available to staff. The purpose of the monitoring should be made clear, and a balance struck between the proposed measures the benefits to be obtained from the monitoring. It is usually cost effective to appoint a data protection officer to oversee and approve monitoring practises.

Employees should be informed of the nature extent and reason of the monitoring, unless secrecy of monitoring is justified in the circumstances.

There can be no blanket policy to cover all businesses; there must be consideration for everyone to do with the business, including freelance workers and consultants. Therefore, employers should refer to contracts of employment and prepare handbooks or content available over an intranet to ensure that their employees are on proper notice and reminded regularly of the monitoring practises implemented.

More on the Data Protection Act: Security – The Seventh Principle