You may have seen reports in the press recently on the case of Mr Barbulescu v Romania lamenting the decision as a “snooper’s charter” but has this case really changed the position in the UK?
The case concerned monitoring of Mr Barbulescu’s employer’s instant messaging account and the private communications it contained which were strictly against the employer’s policy which prohibited the use of company computers for private purposes and which resulted in Mr Barbulescu’s dismissal. The case was appealed to the European Court of Human Rights as Mr Barbulescu alleged there had been a breach of his right under Article 8 of the European Convention on Human Rights to respect for his private and family life, his home and his correspondence.
The European Court decided there had been no breach of Article 8 and that Romanian Law struck a balance between the rights of employers and employees. It was not unreasonable for an employer to want to check that employees were completing professional tasks in their working hours or to monitor compliance with the policy prohibiting personal use. The employer in this case had a clear policy of which the employee was allegedly aware. Additionally, the employer did not initially look at the content of those personal emails, this happened only when the employee denied personal use of the email account in writing and the employer produced a transcript of the emails to refute this. Accordingly the employer had acted proportionately.
In the UK, legislation, including the Data Protection Act 1998, requires that monitoring of employee communications accounts be done only for objectively justifiable reasons and that any monitoring carried out is both a proportionate and a legitimate means of satisfying those reasons. Monitoring may be carried out for reasons such as quality control, to monitor whether the use of the email system or the internet is in accordance with company policy, to retrieve data lost due to technical issues, to assist in the investigation of alleged wrongdoing or to comply with a legal obligation. As monitoring will involve the processing of personal data, the eight principles of data protection must be adhered to and the Information Commissioner’s Employment Practices Code provides guidance on this, making it clear that employers should have a clear policy on what is permitted and what is not which reflects actual practice. The policy should alert employees to the fact that monitoring will take place, the reasons for this, the extent of it and how information collected through monitoring will be handled.
Article 8 is also relevant as UK Courts and tribunals must interpret the law in line with it. In Copland v United Kingdom, the European Court found that Article 8 had been infringed where there had been no IT policy in place nor had the employee been advised that monitoring may take place. However, in Atkinson v Community Gateway Association there was no infringement where the employee was aware of the policy (indeed he had written it) and the emails were accessed as part of a legitimate disciplinary investigation.
The important issue is generally considered to be whether the employee had a legitimate expectation of privacy in relation to the communications concerned and such an expectation will be limited where there is a clear policy setting out what is prohibited in relation to personal use of the employer’s electronic equipment and systems, the employee is aware that monitoring may take place and that any monitoring is carried out in line with the policy. On that basis, the Barbulescu case would have been decided in the same way in the UK courts as was determined by the European Court of Human Rights.
If you have any questions on any of the issues raised in the above article, please contact Frances Smith