ECHR reverses decision on workplace “snooping” giving greater protection to employees
The impact for UK employers of the ECHR decision last week in relation to Mr Barbulescu’s right to a private life and communications is essentially that workplace monitoring is not a care free matter; a return to greater caution is required. Policies should not be so restrictive as to “reduce private social life in the workplace to zero”. Employers should ensure, firstly, that they have a good business reason to monitor an individual’s communications at work, secondly, that they have provided adequate warning that such communications might be monitored in the workplace and, thirdly, that if personal communications are identified, employers should adopt the least invasive measure with regards to monitoring.
Mr Barbalescu had not been informed by his employer of the nature and extent of the monitoring it would undertake, nor that the content of his personal emails might be accessed. As part of it’s investigation into him, however, his employer had accessed and read intimate messages sent by him to his fiancé and brother. The ECHR found that this approach interfered with Mr Barbalescu’s Article 8 right to a private life.
The ECHR made clear that employers must give adequate notice to employees of any policy warning employees of workplace monitoring. Such policy should not only explain why the monitoring is necessary, but detail how the monitoring might take place and to what extent. In Mr Barbulescu’s case, for example, it wasn’t clear that personal emails accessed by the employer would also be read. Only in exceptional circumstances would an employer need to do so; without serious consideration as to whether reading the email was necessary, the monitoring would be disproportionate and unjustified, breaching the Convention rights.
Employers need to strike a balance between the employee’s right to private life against the right to monitor email use in order to protect its business. The balance of convenience should not automatically lie with the employer. The UK’s Information Commissioner has already established that an employer should carry out an “impact assessment” before venturing into private data at work. This would include considering any likely adverse impact of the monitoring on the employee, considering alternatives to monitoring and judging whether the monitoring is justified.
The decision provides guidance for UK Courts determining allegations of data breaches by employers as well as breaches of other statutory provisions binding UK employers including the Regulation of Investigatory Powers Act 2000. Irrespective of a Brexit, decisions of the ECHR will continue to impact UK courts.
This article was written by Emma Bartlett. For more information please contact Emma on +4402074276450 or at firstname.lastname@example.org.
News & Insights
Uber data breach highlights notification obligations and GDPR impact
The incident provides a useful reminder of the current laws and imminent changes relating to data breaches.
Processing employee data under the GDPR
The new EU Data Protection Regulation (GDPR) will take effect in the UK from 25 May.