The Information Commissioner's Office has issued a Code of Practice on monitoring at work that restricts businesses' ability to monitor their employees' communications. The Code is the third in a four-part document being developed by the Information Commissioner's Office, the Employment Practices Data Protection Code, to explain the impact of data protection legislation on employment. The other parts of the Code deal with recruitment and selection, general record keeping issues and use of medical information. The first two parts of the Code have been issued in near-final form; the final part, on medical information, has yet to be issued.
This part of the Code applies where an organisation carries out systematic monitoring of its employees. This means that it applies to the use of CCTV, automatic email scanning, reviewing voicemails and maintaining logs of websites visited by employees. It will also apply if employers carry out surveillance of employees who claim to be off work sick.
The starting point for the Code on monitoring at work is that it will usually be intrusive for employers to monitor their workers' communications: workers are entitled to a degree of privacy at work. The Code does not completely outlaw monitoring of workers. However, in order to comply with the Code, employers will need to be clear about the purpose of monitoring and will need to be satisfied that the monitoring will be justified by real benefits to the organisation. Employers will also, in almost all circumstances, need to advise workers that monitoring is taking place.
Employers will need to carry out impact assessments before setting up any new monitoring arrangements and will need to review current monitoring to see if the monitoring delivers a sufficient business benefit to outweigh the intrusion into workers' privacy. Where particularly intrusive forms of monitoring are to be used, this is likely to mean that employers should document their impact assessment so as to be able to justify their decisions in the event of any complaint to the Information Commissioner's Office.
As well as these high-level principles, the Code on monitoring at work and the Supplementary Guidance that accompanies it contain many detailed action points for employers. So, for example, it is not sufficient for employers simply to include a statement in an employee handbook that monitoring may take place. Instead, it will be necessary for employers to notify employees of the circumstances in which monitoring may take place, the nature of the monitoring, how information obtained will be used and the safeguards that are in place in relation to the monitoring. This information must be kept up to date and the Code suggests that it might be appropriate to remind workers of the monitoring policy from time to time.
There are also words of caution in the Code for those employers who purchase off-the-shelf monitoring systems; these systems may not be compliant with data protection legislation (especially if they have been developed by non-European suppliers who are not familiar with a European data protection regime). It is the responsibility of the employer to select a compliant monitoring package; in the event that a complaint is made to the Information Commissioner's Office, it will be no defence for an employer to say that it was using an off-the-shelf product.
There is no automatic sanction for failure to comply with the Code. Although the Commissioner's Office has published the Code to explain the application of the Data Protection Act 1998 to monitoring at work and to promote good practice in this area, the Code has no specific status under the Act. However, if an individual complains to the Information Commissioner's Office, the Office is likely to assume that an organisation that does not comply with the Code is in breach of the Data Protection Act 1998. It is also likely that employees will raise breaches of the Code in employment tribunal proceedings.
The Information Commissioner's Office has consulted at length before issuing this part of the Code. Previous versions of this part of the Code were severely criticised for over-emphasising employees' rights to privacy without recognising the legitimate business needs for monitoring. Previous drafts of this part of the Code were also criticised for their excessive length. The Information Commissioner's Office has made changes to the monitoring at work Code to reflect these concerns. It is now softer and recognises that there may be legitimate business reasons for monitoring and that employees should expect monitoring in many situations. This part of the Code has also been re-organised so as to be more easily digestible. It now runs to 46 pages of widely-spaced type and is accompanied by Supplementary Guidance aimed primarily at large organisations. The Commissioner's Office has also published an extremely condensed 7-page version of the Code on monitoring at work as guidance to small businesses. Although this cannot cover all of the points in this part of the Code, it will probably be a useful starting point for all businesses, irrespective of size.
We will be issuing more information about the Code as and when the remaining parts are finalised. If you would like more information about the Code please contact Ruth Boardman or Hazel Grant in our Information Technology Group or Ian Hunter in our Employment Practice.