Eye spy – Monitoring employees’ IT conduct in the era of home working

Employee monitoring software designed to capture employees’ IT activity working from home has become increasingly popular according to a recent report from the BBC.  This software promises to better ‘manage’ teams working remotely, and ensure accountability by taking screenshots of employees’ desktops at set or random intervals.  The proliferation of employee monitoring software is an apparent response to employer fears that employees working from home will be less productive and will ‘shirk’ their responsibilities. 

Monitoring entails legal risks

So what should employers wishing to monitor their employees’ digital activity while at home look out for?  There are a number of legal risks that employers should be aware of.  In general terms, they comprise:

  • The lawfulness or ‘fairness’ of using information obtained by monitoring employees’ digital activity while at home in a disciplinary or dismissal context; and 
  • Risks associated with breaching an employer’s duties owed to an employee.

Employees have a qualified right under Article 8 of the European Convention on Human Rights to respect for their private and family life, home and correspondence.  That right has been incorporated into UK law by the Human Rights Act 1998.  In an employment context, the Court of Appeal has noted that the Article 8 right is to be considered when assessing whether an employee’s dismissal is unfair.  But the right is not absolute, and if employers take steps to ensure their monitoring of employee activity at home is lawful, including by eliminating any reasonable employee expectation of privacy in relation to communications while ‘at work’, the product of that monitoring may be used in a disciplinary or dismissal context.  

Employees have some expectation of privacy, even in the workplace

This conclusion is not without its risks.  In a 2017 appeal decision of the Grand Chamber of the European Court of Human Rights (Bărbulescu v Romania), a Romanian employer’s monitoring of Mr Bărbulescu’s Yahoo Messenger account used on the employer’s IT systems infringed the Article 8 right.  A majority of the Court noted that the employer's internet usage policy was not sufficiently robust to ensure that Mr Bărbulescu had no reasonable expectation of privacy because the employer had not put Mr Bărbulescu on notice as to the extent and nature of the monitoring that his employer would conduct of his communications.

Employers can limit the right to privacy by clear notification

In a 2019 decision, the European Court of Human Rights (Garamukanwa v United Kingdom) agreed with the UK Employment Appeal Tribunal that Mr Garamukanwa had no reasonable expectation of privacy in connection with materials seized from Mr Garamukanwa’s phone by police and later handed to the employer concerning Mr Garamukanwa’s alleged harassment of a colleague.  This was because he had been put on notice as to the employer’s potential use of that material in a disciplinary investigation. 

Beware the use of intrusive software

These decisions do not sit squarely with the European Union’s guidance provided in connection with GDPR compliance.  The Article 29 Data Protection Working Party Opinion 2/2017 on data processing at work notes that employers would not be justified in implementing IT monitoring software because of the risk that such technology would be disproportionate in nature.  In addition, the employer “is very unlikely to have a legal ground under legitimate interest”.  That opinion is significant because it expressly considers monitoring of employee keystrokes, mouse movements, screenshot capturing (either randomly or at set intervals), logging of applications used (and how long they were used for), and the remote enabling of webcams to collect footage.  

Take precautionary steps

So what should employers do to minimise their risk of falling foul of Article 8 and the GDPR?  The UK Information Commissioner’s Employment Practices Code recommends that employers:

  • Undertake a data protection impact assessment to demonstrate that the correct balance has been struck between workers’ privacy in the workplace (including at home) and the interests of the business.  That assessment should identify the purpose of monitoring and the benefits likely to be delivered, identify any adverse impact on workers, consider alternatives to monitoring, consider the obligations arising from monitoring, and judge whether the monitoring is justified.
  • Develop robust policy guidance for employees which set out the circumstances in which monitoring may take place, the nature of that monitoring, how the information through monitoring will be used, and the safeguards in place for workers subject to monitoring.
The importance of preserving trust and confidence

One of the conclusions reached by a data protection impact assessment may be that intrusive forms of monitoring employees’ IT activity at home may not be justifiable.  Certainly one of the key risks associated with a poorly designed employee surveillance programme could be that employees allege that they have been constructively dismissed. Beware the accusation that the surveillance amounts to conduct which is calculated or likely to destroy or seriously damage the relationship of trust and confidence between employer and employee.