Workplace Monitoring Code of Practice Finally Published

UK Information Commissioner Richard Thomas today published the third part of the Employment Practices Data Protection Code, 'Monitoring at Work'. The code provides guidance for employers on monitoring employees' internet and e-mail use.

The Code is based on the Data Protection Act 1998 and should be followed by every employer.

The 1998 legislation places responsibilities on any organisation to process personal data that it holds in a fair and proper way. Failure to do so can amount to a criminal offence.

The general position is that, while the Act does not prohibit the monitoring of employees, it does place restrictions on the way that this may be carried out. Other legislation does, however, lay down rules about the interception of communications. The Code is intended to aid compliance with the Data Protection Act; it does not address compliance with other laws – which makes it difficult for an employer to navigate the monitoring minefield.

As for the Code itself, it contains guidance and is not legally binding, it contains the benchmarks that the Commissioner will use when deciding whether or not to enforce the Act. Consequently, organisations should consider its contents very carefully.

Essentially, the Act provides that the “adverse impact” of the monitoring on employees must be justified by the benefits. The Code recommends that this is best carried out by an “impact assessment”. Such an assessment must consider:

- The purposes behind the monitoring;
- Any likely adverse impact on the employee(s) or others – such as customers;
- Alternatives to monitoring, or to the type of monitoring suggested;
- The obligations that will arise; and
- Whether the monitoring is justified.

In considering any likely adverse impact the employer must take into account:

- The likely intrusion into employees’ private lives
- The extent to which the employee will be aware of the monitoring
- Who will see the information, which may be sensitive
- The impact on the employment relationship
- The impact on other professionals – for example solicitors – who may have confidentiality issues
- How the monitoring will be perceived – will it be seen as "oppressive” or “demeaning”?

The Code makes good practice recommendations to ensure compliance with the 1998 Act. In summary these are:

Managing data protection - Identify the person with compliance responsibility, and set in place a mechanism to check that procedures are being carried out.

The general approach to monitoring - Monitoring is intrusive and employees are entitled to keep their private lives private. Monitoring should take place for a clear, justified purpose, and employees should be aware that it is taking place.

Monitoring electronic communications - Create a policy on the use of such communication tools and let employees know what it is. Make sure that the Regulation of Investigatory Powers Act, and the Lawful Business Practice Regulations, which govern interception of e-mails, telephone calls etc, are complied with.

Video and audio monitoring - Let employees, and all others who may be caught on camera, or on tape, know when this is being carried out, and why.

Covert monitoring - Should be authorised by senior management, and strictly targeted. Only to be used for suspected criminal activity, where notification would hinder the detection of the activity.

In-vehicle monitoring - Develop a policy on private use for work vehicles, and let employees know about it.

Monitoring through information from third parties - Let employees know what sort of checks are going to be made, and why.

The Commissioner commented:

"The fundamental message is that, where monitoring does take place, employees should be made aware of its nature and extent and the reasons for carrying it out. Only in exceptional circumstances will it be appropriate for employers to monitor their employees without their knowledge.”

"In reality," he continued, "there are few circumstances in which covert monitoring is justified."

Do you have a policy on data protection in the workplace?
The Data Protection Policy and Management Guide, Version 1.0 (£34.99, ISBN 1-900648-33-4) is available as an electronic download from the Workplacelaw Network website - www.workplacelaw.net/eshop - or by calling 0870 777 8881. 10% discount available to members of the Workplacelaw Network, BIFM, RICS, IFMA or RIBA. Please quote ref. 1440 when ordering.
This document is for general guidance and research purposes only, and does not purport to give professional advice. Please check the date at the top of the article; the Workplace Law Network retains historic articles for general research.