Stuart Gentle Publisher at Onrec

Legal comment: EU ruling on private messaging at work

Kathryn Dooks, Employment Partner at Kemp Little said:

Are UK employers bound by the decision?

The European Convention on Human Rights ("ECHR") was implemented in the UK by the Human Rights Act ("HRA"). The HRA prevents public authorities from acting in a way which is incompatible with the ECHR (and therefore the rulings of the European Court of Human Rights, which interprets the ECHR). However, the HRA and the ECHR are not directly enforceable against private sector employers. That said, in the event that an employee brings a claim against their private sector employer (for example for unfair dismissal, having been dismissed for personal use of the employer's email system in breach of the employer's policies), the court or tribunal must have regard to the HRA and the ECHR.

Likely implications of the case in the UK?

Whilst on the face of it the case is surprising and troubling for employees (particularly as the messages were closely personal given their content), the outcome is actually broadly in line with existing English Employment Tribunal decisions in this area.

For example, in previous cases the Tribunals have found that if an employer bans the personal use of work IT and email systems and an employee is in serious breach of that policy, such employee was fairly dismissed in circumstances where employer had a clear policy which was drawn to the employee's attention and which clearly stated that breach was likely to constitute gross misconduct. The question is whether the employee has a reasonable expectation of privacy on the company email system.

Monitoring of employees' emails and instant messages is dealt with by means of three main pieces of legislation; The Data Protection Act, the Regulation of Investigatory Powers Act and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations. The Information Commissioner's Office (which oversees compliance with the Data Protection Act) also provides guidance for employers on monitoring and compliance with the Data Protection Act. The impact of this legislation and guidance is that:

  • Workers' private lives usually extend into the workplace and employees have an expectation of privacy, even where they have been informed monitoring may take place.
  • If monitoring is to be carried out, an impact assessment should be undertaken by the employer beforehand
  • The reason for the monitoring must be sufficient to justify an intrusion into an employee's private life and the method must be proportionate
  • The fact that monitoring is taking place should be brought to the employees' attention and in some circumstances consent is required to the interception of personal emails
  • Only a limited number of staff should have access to information obtained through monitoring and they should have received appropriate training. Data obtained through monitoring should be secure.
  • The circumstances under which businesses can monitor or record employee communications without consent includes to investigate or detect crime or the unauthorised use of the system.

In other words, provided employers have a clear policy which specifies that monitoring will take place, and this is drawn to the employees' attention, then in most cases monitoring of emails to some degree is likely to be permissible, although there may be circumstances under which consent is required.

The government is proposing to repeal the HRA and replace it will a Bill of Rights. In addition, the European Union is proposing a new Data Protection Regulation which is likely to come into force in 2016, so it remains to be seen what the impact of these changes will be on this area of law.