ECHR says employers free to snoop – well, they already could

It’s all over the press with headlines such as “Bosses free to spy on employee emails”, “Bosses can snoop” and references to “big brother”.
This week, the European Court of Human Rights (ECHR) ruled in a Romanian case that there had been no breach of the employee’s right to privacy when the employer accessed the employee’s private messages sent to his family, sent on work time and on the employer’s system.
But hold your horses for a moment. Let’s look a bit more carefully at this. The UK already has in place legislation allowing “snooping” subject to certain conditions, and this case actually changes little for us. This case certainly does not give free rein to employers to access an employee’s Hotmail account and take a look at what he or she has been sending. Not at all. But what they can do is monitor what is going on within limits.
In very broad terms, those limits are these: Employers need to tell the employees that they should have no expectation of privacy and that their data will be monitored. Employees need to know what the purpose of that data monitoring is, not only to comply with the monitoring legislation, but also for data protection reasons. Those reasons should be business-related – such as: compliance with the employer’s policy and procedures, to check whether the employee is doing his job properly etc.
Tips for employers

  • Make sure you have a policy on monitoring in place and that you can prove that it has been brought to the employee’s attention.
  • Make sure the policy is clear and well-defined covering exactly what systems you will be monitoring and for what purpose. Include internet access, emails, instant messaging systems. Precision is key – for instance, stating that personal internet use is only ok outside of “core working hours” was held by a Tribunal not to be clear enough to justify a dismissal for unauthorised use.
  • Consider who will be responsible for the monitoring and who will see the data gathered.
  • Include in your contracts express clauses dealing with data protection consent.
  • When monitoring, consider if there are other ways of finding the required information.
  • If you are looking at an employee’s emails, do you really need to look at the content, or is the subject header going to be enough? Don’t go further than is necessary.