On 5 September, the highest body of the European Court of Human Rights (ECHR) restricted employers’ power to monitor the private messages of their employees. The ruling overturns a lower court’s decision to back an organisation that sacked one of its employees for using an instant messaging app for personal reasons.
At the time, the ECHR found that workplace monitoring was allowed because employers were justified in wanting to verify “that employees were completing their professional tasks during work hours”. But in a review, the court concluded that the organisation hadn’t adequately protected the employee’s right to privacy.
The decision comes just months before the EU General Data Protection Regulation (GDPR) takes effect, and will significantly influence how organisations prepare for the new law.
So what’s allowed?
The ECHR’s ruling doesn’t ban workplace monitoring altogether, but it sets very clear guidelines on how, when and to what extent monitoring is allowed, and on the requirements organisations must meet to do so.
Before any surveillance can take place, organisations must create a policy that lets employees know the circumstances of monitoring and their expectations of fair use. The ECHR’s ruling is clear that some personal use must be tolerated, saying: “[A]n employer’s instructions could not reduce private social life in the workplace to zero”.
As private communication meets the definition of personal data (as described in Article 4 of the GDPR), organisations must prove that they have a lawful ground to collect and monitor this information.
Many people have mistakenly thought this means getting consent, but not only is consent hard to get and keep, the GDPR says an employee cannot give consent to an employer because of the inherent imbalance of power. In other words, consent can’t be “freely given” if the data subject faces a potential negative effect from not consenting. It’s reasonable to expect that an employee might fear for their job (or at least fear losing favour among their bosses) if they don’t consent to being monitored.
Organisations should therefore seek one of five other lawful grounds for processing data. The most appropriate ground will probably be legitimate interests, although the rules for this are still murky.
One thing that the ECHR’s judges make clear is that organisations should be as deliberate and as unobtrusive as possible in their monitoring. Under no circumstances are employers justified in using exhaustive or automated monitoring methods (such as spyware) to look through an employee’s browser history and workplace communications on the off-chance that they’ll find evidence of misuse.
Employers should also refrain from methods that leave no trace of their monitoring, such as physically sitting at the employee’s computer and looking through their private communications.
The bottom line is that, should employees overstep their right to a social life at work, organisations shouldn’t have to dig too deep to find evidence of that. If you think this is too strict, remember that they had the same rules in The Wire.
Keeping it legal
Organisations’ monitoring policies should form part of their information security management system (ISMS), the best practice for which is described in ISO 27001.
That documentation should cover why monitoring is needed – such as to prevent theft or improper use of data. It should also differentiate between the use of personal and work communications. Organisations will probably have more leeway in monitoring work correspondence, but they also have an obligation to make sure employees aren’t using personal accounts excessively or with disregard for security policies (by downloading suspicious attachments, for instance).
Similarly, organisations have an obligation to make sure employees aren’t emailing confidential work documents via personal email accounts. This is clearly a security vulnerability and should never happen – even if it’s apparently common practice for White House staff.
Work-sanctioned instant messaging proves a tricky middle ground between work and personal communications. Even if employees primarily use the app for work, communication will almost certainly spill over into personal conversation at times – just as inevitably happens in face-to-face communications. Organisations are entitled to conduct some level of monitoring, but the nature of the tech creates a dangerous temptation to store excessive and unnecessary personal information.
Although you probably have a team preparing your organisation for the GDPR, everyone in your organisation who handles personal data also needs to know their obligations.
Staff awareness training should be an essential component of your GDPR compliance framework. Our GDPR Staff Awareness E-learning Course provides an introduction to the GDPR, outlines the six principles for collecting and processing personal data and gives advice on how to apply these principles.