If you’re a regular reader of this blog, you’re probably interested in cloud, tech and data. You might have moved (or be thinking of moving) your business IT into the cloud or you might be a provider selling cloud services. Depending upon how you’ve implemented the cloud solution, you’ll have good control over how your staff use IT. You can control what data they can access and share and what software they use. Some businesses take this a step further and actively snoop monitor their staffs’ communications. If you do this, you may need to adjust your policies to take into account a recent decision the European Court of Human Rights (PDF).

Mr Bărbulescu worked as a salesman in Romania. His employer notified all staff they couldn’t use business IT equipment for personal use. They also told them they had a system for monitoring use of IT and that personal use would be viewed as misconduct.

His employer asked him to set up a Yahoo messenger account which he did. The employer found he was using it extensively for personal purposes, in breach of the IT policy. They confronted him with a transcript of his communications, including his personal communications. Mr Bărbulescu had sent the majority of the messages using his work Yahoo! Messenger account. Mr Bărbulescu’s employer dismissed him for breaching its IT policy. He challenged his dismissal and brought his case all the way to the Grand Chamber of the European Court of Human Rights. He claimed that his employer and the Romanian courts had not protected his right to privacy under the European Convention on Human Rights.

The Grand Chamber acknowledged that employers have a legitimate interest to ensure their business runs smoothly. They also said employers have a “right to engage in monitoring, including the corresponding disciplinary powers, in order to ensure the smooth running of the company.”

Nevertheless, the Grand Chamber agreed with Mr Bărbulescu that his employer and the Romanian courts had not protected his privacy: “an employer’s instructions cannot reduce private social life in the workplace to zero. Respect for private life and for the privacy of correspondence continues to exist, even if these may be restricted in so far as necessary.”

The Grand Chamber held that the employer had breached Mr Bărbulescu’s right to privacy because they didn’t inform him of the nature and extent of the monitoring in advance. Nor did they tell him about the possibility that they might access the actual content of his communications.

Thus, as an employer, you have only a qualified right to monitor your staff. You should make sure you cover these points if you monitor your staff.

Update your policies

You should review and update your policies to ensure they are robust enough to allow you to monitor your employees’ communications. The ICO’s Employment Practices Code recommends you carry out an impact assessment before you monitor employees. You should identify the purpose of the monitoring, its benefit, the adverse impact on employees and whether there are less intrusive means of achieving the aim. For example in this case, the employer should have considered whether it could have achieved its aims without actually accessing the content of Mr Bărbulescu’s messages.

Be careful when you access communications

You should only access employees’ communications where:-

1. you can show you have a legitimate reason for the intrusion and can show what you are trying to protect
2. you have issued a clear notice to employees setting out the nature and extent of your monitoring, including whether you may access the content of messages as well as message flow
3. you clearly tell your staff they must not mix business and personal communications and what could happen if they do
4. you have made it clear that you will use the results of monitoring for disciplinary action or other limited purposes

Don’t forget other laws too

Remember, existing UK legislation, including the Data Protection Act (and from 25 May 2018, the General Data Protection Regulation) and the Regulation of Investigatory Powers Act, regulate your power to monitor employees’ private communications. They also provide employees with more effective remedies than attempting to rely directly on the European Convention. Finally, remember the European Court of Human Rights is not the same as the European Court of Justice so Brexit won’t directly affect this decision.

Use personal accounts for personal comms

Obviously, given the ubiquity of smartphones, staff should make sure they use personal accounts for personal communications, particularly if the employer intends to monitor communications.