Workplace surveillance, conditions of employment, and privacy

Surveillance widgets, by Chris Slane

The Hawthorne effect is alive and well, and living in the interstices between private law and privacy law. In particular, I recently saw the following clause in a contract (the names have been changed to protect the innocent, the guilty, bystanders, and anyone else involved ):

The employer’s workplaces are subject to overt workplace surveillance. You agree that you consent to this surveillance which is primarily to ensure the safety and security of the employer’s workplaces and the appropriate use of the employer’s resources. The overt surveillance is in the form of computer, internet usage and camera surveillance and is of an ongoing and continuous nature, in accordance with the employer’s relevant policies as amended from time to time.

This surveillance is carried out by all means available to the employer, which may include accessing your email account; accessing your files; accessing your computer or other electronic devices and recording internet usage by you including remote access internet usage and accessing those records.

The Citizens Information website has a lot of information on the legitimate scope of surveillance in the workplace, and the Data Protection Commissioner has issued Guidance Notes on the Monitoring of Staff, which emphasises that

monitoring, including employees’ email or internet usage, surveillance by camera, video cameras or location data must comply with the transparency requirements of data protection law. Staff must be informed of the existence of the surveillance, and also the purposes for which personal data are to be processed. If CCTV cameras are in operation, and public access is allowed, a notice to that effect should be displayed. Any monitoring must be carried out in the least intrusive way possible. Only in exceptional circumstances associated with a criminal investigation, and in consultation with the Gardai, should resort be made to covert surveillance.

The leading case is probably Barbulescu v Romania 61496/08 [2016] ECHR 61 (12 January 2016), in which the European Court of Human Rights held that there had been no violation of Article 8 when the applicant had been dismissed by his employer, a private company, for having used the company’s internet facilities for personal purposes during working hours in breach of internal regulations. The employer had monitored the applicant’s Yahoo Messenger communications, so the Court held that the applicant’s Article 8 rights relating to his “private life” and “correspondence” had been engaged, but that they had not been infringed:

56. The Court notes that the applicant was able to raise his arguments related to the alleged breach of his private life and correspondence by his employer before the domestic courts. It further notes that they duly examined his arguments and found that the employer had acted in the context of the disciplinary powers provided for by the Labour Code … The domestic courts also found that the applicant had used Yahoo Messenger on the company’s computer and that he had done so during working hours; his disciplinary breach was thus established …

57. In this context, the Court notes that both the County Court and the Court of Appeal attached particular importance to the fact that the employer had accessed the applicant’s Yahoo Messenger account in the belief that it had contained professional messages, since the latter had initially claimed that he had used it in order to advise clients …

59. While it is true that it had not been claimed that the applicant had caused actual damage to his employer … the Court finds that it is not unreasonable for an employer to want to verify that the employees are completing their professional tasks during working hours.

60. In addition, the Court notes that it appears that the communications on his Yahoo Messenger account were examined, but not the other data and documents that were stored on his computer. It therefore finds that the employer’s monitoring was limited in scope and proportionate …

Update (8 June 2016): Colin Foote, writing on Irish Legal News, reminds employers that covert surveillance will breach employees’ right to privacy if there is a reasonable expectation of privacy, and that employers must also comply with laws relating to data protection:

The Employment Practices Data Protection Code issued by the Information Commissioner [available here] provides guidance on monitoring employees and states that action should only be carried out if there are grounds to suspect criminal activity or serious malpractice. It also states that an employer would not be justified in carrying out monitoring where workers have a genuine and reasonable expectation of privacy, such as in workplace changing rooms or lavatories or at home. The code recommends that covert monitoring should only happen in extreme cases, for clearly targeted purposes, and only for a limited period of time. …

It is also advisable to have a clear policy on monitoring and employees should be made aware of its contents. A policy should set out why monitoring may take place, the nature of the monitoring, when information about employees is likely to be obtained, how it will be used and who will have access to it.