Julian Allsop, Guildhall Chambers
1. There has always been a tension between the rights of an employee to privacy and the rights of an employer to gather information on the employee’s performance and conduct.
2. Some methods of monitoring, such as time clocks, have been an accepted feature of the workplace since the latter half of the nineteenth century. However, other more modern forms of vetting, monitoring and surveillance are controversial and present challenges to the employer who would like to gather intelligence on its workforce, whilst not breaching the rights of its employee and the legal obligations that it is subject to.
3. Employees also gather information about their employers, particularly if they wish to set up in competition with their employer, or for the use in actual or contemplated legal proceedings. For instance, the reader is likely to be familiar with the scenario of the employee who secretly records a disciplinary meeting in order to protect and possibly enhance his position in relation to his employer. The questions that arise in each instance are how can this evidence be legitimately gathered, retained and deployed? Will the employee do more harm to his cause than good?
4. The line has to be drawn somewhere. This paper examines where it might lie during the currency of the employment relationship and during litigation.
The Overarching Principles
5. In any case involving surveillance in the employment context, it is necessary to consider the extent to which the following legislation is applicable:
(a) The Data Protection Act 1998;
(b) RIPA and The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000;
(c) Article 8 ECHR as incorporated into English law by the Human Rights Act 1998.
The Data Protection Act 1998
6. The Data Protection Act 1998 (‘DPA’) applies to personal data, which can include that information processed in relation to disciplinary and grievance proceedings. In the case of
Durant v Financial Services Authority  IP & T 814,1 the concept of personal data under the DPA was held by the Court of Appeal to require it affect the individual’s personal privacy whether in his personal or family life, business or professional capacity. The focus is on whether the information is biographical and whether it was information that had the data subject as its focus.
Durant v Financial Services Authority is regarded as the leading case on this issue, subsequent case law has suggested that it is not prescriptive of the only approach. In the case of Kelway v The Upper Tribunal  EWHC 2575 Admin, the Court held that whilst Durant was starting point, in a more complex case it was one of a number of aspects to consider. Other relevant tests, which are suggestive of a broader approach included the definition of ‘personal data’ in the European Data Protection Directive, the WPO test2 and the TGN test.3 In the case of Edem v Information Commissioner and another  EWCA Civ 92 it was held that a person’s name (unless it was so common that it required a further work related identifier) was their personal data under the DPA.
8. With this concept in mind, we turn to the cardinal principles of the DPA regime (known as the Data Protection Principles) which are contained in Schedule 1, Part 1 of the DPA. There are eight Data Protection Principles.
9. The first, and probably the most important Data Protection Principle is that personal data shall be processed fairly and lawfully and , in particular, shall not be processed unless-
(a) At least one of the conditions in Schedule 2 is met, and
(b) In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
10. Schedule 2 DPA contains the conditions relevant for the purposes of the First Data Protection Principle, namely the processing of any personal data. Schedule 3 sets out the conditions pertaining to the processing of sensitive personal data. ‘Sensitive personal data’ is defined by section 2 DPA 1998 and includes data consisting of information as to the racial or ethnic origin of the subject, his beliefs, health and criminal record.
11. Schedule 1 Part II DPA is the interpretation provision that supplements Part I. Paragraph 1 of Part II states that in determining for the purposes of the First Data Protection Principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.
12. Paragraphs 2 to 4 of Schedule 1 Part II DPA requires, amongst other things, the employer data controller to make information readily available to its employees as to the identity of the data controller, the purpose or purposes for which the data are intended to be processed, and any further information which is necessary having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
13. Schedule 2 DPA sets out six conditions applicable to the processing of personal data. These include the consent of the employee (data subject) and five other circumstances, which are essentially where the processing of data is necessary for the compliance with a legal or other legitimate purpose.
14. The DPA extends to the retention of employment data and the monitoring of employees at work and is supplemented by Parts 2 and 3 of the Information Commissioner’s Data Protection: Employment Practices Code (2011). This Code is not legally binding but may be referred to in any proceedings alleging a breach of the DPA.
15. Parts 2 and 3 of the Code should be carefully read by all employment practitioners. However, for the purposes of this paper, it should be noted that amongst the practice guidance in Part 2 includes provisions at paragraph 2.l3 that relate to the application of the DPA to discipline, grievance and dismissal proceedings. For instance, if there are unsubstantiated allegations, these should be removed unless there are exceptional reasons for retaining some record of them.
16. Part 3 of the Code is specific to monitoring at work. The core principles (paragraph 3.1) are:
(a) It will usually be intrusive to monitor workers;
(b) Worker have legitimate expectations that they can keep their personal lives private and that they are entitled to a degree of privacy at work;
(c) Employers who wish to monitor their workers should be clear about their purpose and should be satisfied that the particular monitoring arrangement is justified by real benefits that will be delivered;
(d) Workers should be aware of the nature, extent and reasons for any monitoring unless (exceptionally), covert monitoring is justified; and
(e) Workers’ awareness will influence their expectations.
17. Impact assessments should be carried out before any monitoring activity is implemented to determine whether it is justified. An impact assessment involves:
(a) Identifying clearly the purpose(s) behind the monitoring arrangement and the benefits it is likely to deliver;
(b) Identifying any likely adverse impact of the monitoring arrangement;
(c) Considering alternatives to monitoring or different ways in which it might be carried out;
(d) Taking into account the obligations that arise from monitoring; and
(e) Judging whether monitoring is justified.
18. Paragraph 3.2 of Part 3 of the Code sets out guidance in relation to the monitoring of telephone, fax, email, voicemail, internet access and other forms of electronic communication. The key points are that an organisation should decide whether to have an electronic communications monitoring policy, it should be reviewed to ensure that it is up to date with relevant data protection principles and up to date with practice in the workplace, and that the workforce is aware of them. Monitoring should not be conducted in such a way that would infringe the Regulation of Investigatory Powers Act 2000 (also known as RIPA).
19. Paragraph 3.3 of Part 3 of the Code sets out the guidance in relation to video and audio monitoring. The key points from this part of the Code are that any video or audio monitoring should be targeted at areas of particular risk and confined to areas where expectations of privacy are low, and that continuous video or audio monitoring of particular individuals is only likely to be justified in rare circumstances. Workers and visitors should be given clear and adequate notifications that video or monitoring is being carried out.
20. Paragraph 3.4 of Part 3 of the Code sets out the guidance in relation to covert monitoring. In relation to this part of the Code, the guidance states that covert monitoring is an exceptional measure and that senior management should normally authorise any covert monitoring. This should be done where they are satisfied that there are grounds for suspecting criminal activity or equivalent malpractice and that notifying individuals about the monitoring would prejudice its prevention or detection. Covert monitoring should be strictly targeted at obtaining evidence within a set timeframe and should not continue after the investigation is complete. It should not be used in areas where workers would usually expect privacy. Information obtained by covert monitoring should only be used for the purpose for which it was collected. Any other information collected during the covert investigation should be disregarded and if feasible, deleted, unless it reveals information no employer could reasonably ignore.
21. If a private investigator is engaged to collect information on employees in a covert manner, it is necessary to make sure that a contract is in place that requires the private investigator to only collect information in a way that satisfied the employer’s obligations under the DPA.
22. Supplementary Guidance to this Code has also been published and provides further assistance in relation to the statutory regime associated with the monitoring and interception of communications.
Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
23. If an employer intends to monitor electronic communication such that it will involve the interception of communications in the course of their transmission, the Regulation of Investigatory Powers Act 2000 (also known as RIPA) and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 are likely to apply.
24. RIPA prohibits the interception of a communication in the course of its transmission unless an employer has lawful authority to do so on the basis of a reasonable belief in the consent of the sender and recipient or there is a Court Order, or it is otherwise authorised by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. If RIPA is infringed, the offender may face criminal and civil penalties.
25. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 provide lawful authority for employers to access and monitor their own systems for standard business purposes such as maintenance of an IT system or to ascertain the extent of compliance with its IT policies and procedures. Whilst the employee’s express consent is not required, it is a prerequisite to a lawful exercise of this right for users of the system to be notified.4
26. Further, before any steps are taken it may be necessary to consider whether the accessing of the employee’s computer or data held on the computer is a breach of section 1 of the Computer Misuse Act 1990, which provides for a criminal penalty in the event of unauthorised access.
Article 8 ECHR
27. Article 8 of the European Convention on Human Rights was incorporated into UK Law by the Human Rights Act 1998. It ensures an individual’s right to respect for his private and family life, his home and correspondence. It is a qualified right. Interference with this right is justified where it is:
“in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
28. It is applicable to public authorities, which includes the Courts and Tribunals who are tasked with determining issues that sometimes involve the balancing of competing rights, some of which are protected by the European Convention on Human Rights. It is also potentially applicable to a third tier of public authority, namely ‘hybrid public authorities’ which carries out partly public/partly private duties, in so far as it carries out functions of a public nature.
29. The Employment Tribunal is not competent to adjudicate upon any freestanding claim of a breach of Article 8, but as it is a public authority under s.6(3) of the Human Rights Act 1998, it is required to act in a way that is compatible with Convention Rights. As such it will be called upon to consider whether Article 8 has been engaged as part of the balancing exercise that it will have to carry out in determining the admissibility of evidence and the impact of any relevant breach of Article 8 on matters within its competence, such as the fairness of a dismissal, see further
X v Y  IRLR 625 at paragraph 53 et seq.
30. Whilst an employee may not have a claim under the Human Rights Act 1998 against a private sector employer, any claim that he brings is likely to be determined in accordance with all of the applicable legal principles, including if necessary, potentially applicable Human Rights. See
X v Y at paragraphs 55 -58 and 63, also Turner v East Midlands Trains  IRLR 107, in which the Court of Appeal indicated a higher standard of investigation (within the range of reasonable responses) would be placed on the employer in an unfair dismissal case where Article 8 interests were engaged.
31. Article 8 entered the UK workplace in the case of
Halford v United Kingdom  IRLR 471. In this case, Ms Halford’s employer (a public authority, Merseyside Police) intercepted her telephone calls from her home and from her workplace. It was held by the European Court of Human Rights that the calls that were made to her from the workplace (in circumstances in which she had not been warned that her calls were being monitored and would therefore have a reasonable expectation of privacy) were capable of engaging the concepts of ‘privacy’ and ‘correspondence’.
32. In the case of
Copland v United Kingdom  IP & T 600, the European Court of Human Rights held that Ms Copland, who had worked in a state run college, had her Article 8 rights infringed by her employer’s collection and storage of personal information relating to her telephone, internet and email usage. As with Ms Halford’s case, the fact that Ms Copland was not warned of the possibility of this monitoring by her employer led the Court to the view that she had a reasonable expectation of privacy, and it did not matter to the overall analysis of the case that her this personal data had not been otherwise disclosed or used against her in disciplinary proceedings.
33. In addition, it should be noted that depending upon the circumstances in which interception is taking place and the purposes for which it is being conducted it is possible that the employer's actions may constitute a breach of the relationship of trust and confidence. It is also conceivable that a disciplinary investigation predicated on a breach of these provisions, or in breach of the ECHR could be procedurally unfair.
Considerations arising when there is surveillance by the employer
34. There are myriad ways that an employer can monitor its employees. These include:
(a) Physical Surveillance (inside and outside of the workplace);
(b) Telephone monitoring, such as by recording telephone calls or reviewing telephone records;
(c) Email and Instant Message Monitoring;
(d) Internet log reviews, such as the review of browser data;
(e) Social media surveillance;
(f) Digital surveillance, for instance by the installation of software on an employee’s workstation to ascertain precisely how and when the machine is being used.
Physical Surveillance / Video Surveillance
35. Video surveillance by the employer of the employee in the workplace, typically by the use of CCTV cameras, is prima facie lawful and does not engage Article 8, so long as it does not infringe a reasonable expectation of privacy.
36. There may nevertheless be a breach of the DPA in relation to the nature of the retention and processing of the data gathered. In order to avoid this outcome, as above, the collation and storage of the data gathered by CCTV monitoring must be in accordance with paragraph 3.3 of Part 3 of the Code. Before it is undertaken there should be an impact assessment within the meaning of the Code. The video monitoring should be targeted at areas of particular risk and confined to areas where expectations of privacy are low, and that continuous video or audio monitoring of particular individuals is only likely to be justified in rare circumstances.
1 Butterworths Intellectual Property and Technology Cases.
2 This is a reference to Opinion WP136 dated 20th June 2007 of the EU Article 29 Working Party, which is the body that advises the European Commission on data protection.
3 Technical Guidance Note on Determining Personal Data, dated 21st August 2007 issued by the ICO. It contains a checklist of eight matters which would assist with the determination of whether something is personal data or not.
4 'Users of the system' in this context means employees of the organisation rather than third parties (e.g. those sending emails to the organisation), according to the Information Commissioner’s guidance on the matter.
Article continues below...