In Copland v The United Kingdom (2007), the European Court of Human Rights (ECHR) found that the UK had violated Ms Copland's right to respect for her private life and correspondence under Article 8 of the European Convention on Human Rights ("the Convention"), by the way in which it monitored her telephone calls, e-mail correspondence and internet use. Although the circumstances of the case took place before employers started introducing policies covering the monitoring of employee communications as a matter of course, the case does highlight the care that employers should take in managing employees' expectations and in ensuring that policies are applied fairly in practice.
Briefly, the facts of this case were that Ms Copland was employed by Carmarthenshire College ("the College"), a State-administered body. At the Deputy Principal's request, Ms Copland's telephone, internet and e-mail use were monitored in order to ascertain whether she was making excessive personal use of them. The parties disputed the nature and duration of the monitoring. The government claimed Ms Copland's telephone use was monitored only by analysing College telephone bills, while Ms Copland claimed her incoming calls were also monitored, and that the length, volume and telephone numbers were logged. The government claimed that Ms Copland's telephone calls and emails were monitored for a few months while Ms Copland claimed that her calls were monitored for at least 18 months, and her emails for at least six months.
At the time, the College did not have a policy on monitoring employees' communications.
The decision
The ECHR held that the monitoring was in breach of Article 8 of the Convention. It therefore ordered the State to pay Ms Copland €3,000 in respect of non-pecuniary damage (stress, anxiety, low mood and inability to sleep), and €6,000 in respect of her costs and expenses.
The ECHR reasoned as follows:
- Just as telephone calls from business premises could be part of an employee's "private life and correspondence" (Halford v UK (1997)), so could e-mails sent from business premises and information derived from the monitoring of personal internet use. So, in the same way that Ms Halford, (who was not warned that her calls would be monitored), could have reasonably expected that they would not be monitored, an employee could expect his e-mails and internet use would not be monitored if he had not been warned.
- Even if the monitoring was not as extensive and intrusive as Ms Copland claimed, the collection and storage of Ms Copland's personal information which the government admitted had taken place without her knowledge would itself amount to an interference with Ms Copland's right to respect for her private life and correspondence. It was therefore necessary to determine whether that interference was "in accordance with the law and necessary in a democratic society" and, as such, permitted by Article 8.
- As the government's statutory powers did not permit it to do anything necessary and expedient for the purposes of providing further and higher education, there was no domestic law regulating the monitoring of communications at the relevant time, and the College had no policy informing employees that they could expect such monitoring to take place, the interference was not "in accordance with the law" and Article 8 had therefore been violated.
It is worth noting, however, that the ECHR specifically stated it would not rule out that the monitoring of an employee's use of a telephone, e-mail or internet at the place of work may be considered "necessary in a democratic society" in certain situations in pursuit of a legitimate aim. So the ECHR has left the door open for employers to monitor employees' communications, without clarifying the circumstances in which it would be acceptable to do so.
Impact of subsequent legislation
The ECHR noted that the Regulation of Investigatory Powers Act 2000 (RIPA) and the Telecommunications (Lawful Business Practice) Regulations 2000 (LBP Regulations) made under the RIPA, had not come into force at the relevant time in this case.
This legislation makes it a criminal offence for employers to intercept employees' communications unless both parties consent, or the employer has taken reasonable steps to inform the employee that their communications might be monitored. In this case, as Ms Copland had not consented nor had she been informed of the monitoring, any interceptions by the College would not only have been in breach of Article 8, but could also have resulted in a criminal conviction if RIPA had been in force.
It should also be borne in mind that there are other potential consequences of a breach like the College's. For example, if an employee's communications were monitored in breach of Article 8, RIPA and, indeed, the Data Protection Act 1998 (1998 Act) (see below), this could amount to a breach of the duty of trust and confidence, entitling an employee to resign and claim constructive dismissal, or to claim unfair dismissal if he was dismissed because of the monitoring. Significant compensation could be awarded against the employer and, in the case of constructive dismissal, any restrictive covenants would fall away.
The Information Commissioner's Office guide to monitoring at work (ICO guide) (Part 3, Employment Practices Code) and the supplementary notes and examples which accompany the guide, though designed to advise employers how to comply with the requirements of the 1998 Act, will, if followed, stand employers in good stead for compliance with the 1998 Act as well as the various other legal requirements in this area.
The core principles set out in the ICO guide are:
- It will usually be intrusive to monitor your employees.
- Employees have legitimate expectations that they can keep their personal lives private and that they are also entitled to a degree of privacy in the work environment.
- If employers wish to monitor their employees, they should be clear about the purpose and be satisfied that the particular monitoring arrangement that they adopt is justified by real benefits that are delivered.
- Employees should be aware of the nature, extent and reasons for any monitoring, unless (exceptionally) cover monitoring is justified.
The ICO guide also contains a number of recommendations for monitoring employees' communications (see "Checklist for monitoring employees' communications").
Conclusion
It is unlikely these days that a large employer would not have a monitoring policy in place, as was the case in Copland. Even so, following Copland, unless an employer has drawn employees' attention to its monitoring policy, if one day it decides to monitor employee's communications, it might be hard pressed to argue the employee should have expected it.
|
Checklist for monitoring employees' communications |
|
|
√ |
On each occasion, identify the purpose(s) of the monitoring and the specific benefits it is likely to bring. Determine whether the likely benefits justify any adverse impact, preferably by using an impact assessment, which may range from having a few moments' thought about the issues to a detailed analysis. Always use the least intrusive method (for example, do not open e-mails marked "personal", and do not read emails, unless strictly necessary). |
|
√ |
If monitoring is to be used to enforce rules and standards, make sure these rules are clearly set out in a policy, which employees are made aware of, and which also refers to the nature and extent of any associated monitoring. |
|
√ |
Tell employees what monitoring is taking place and why, and keep them aware of this (for example, by way of a policy in a staff handbook), unless covert monitoring is justified. |
|
√ |
If sensitive data (such as information relating to an employee's health) are collected in the course of monitoring, ensure that a sensitive data condition is satisfied under the Data Protection Act 1998. |
|
√ |
Keep to a minimum those who have access to personal information obtained through monitoring. Subject them to confidentiality and security requirements and ensure that they are properly trained where the nature of the information requires this. |
|
√ |
If information gathered from monitoring might have an adverse impact on employees, present them with the information and allow them to make representations before taking action. |
|
√ |
Ensure that the right of access of employees to information about them that is kept for, or obtained through, monitoring is not compromised. Monitoring systems must be capable of meeting this and other data protection requirements. |
|
X |
Do not use personal information collected through monitoring for purposes other than those for which the monitoring was introduced unless: |
This article, by the Employment Department, first appeared in the July 2007 issue of PLC magazine and is reproduced with the kind permission of the publishers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
