In his cult novel 1984, George Orwell describes a dystopian world of people under constant surveillance by their Government. In the modern-day United Kingdom, we are protected from such intrusion by a number of laws including Article 8 of the Human Rights Act 1998, which provides for the “right to respect for his private and family life, his home and his correspondence”. But to what extent do such laws protect our private communication in the workplace? In the recent case of Barbulescu v Romania, the European Court of Human Rights considered this point - and the ruling may surprise you.
Between 2004 and 2007 Mr Barbulescu was employed by a private company in Romania as an engineer in charge of sales. In order to more easily assist clients, the employer installed the instant messaging client, Yahoo Messenger, onto Mr Barbulescu’s work computer. The employer’s IT policy was clear that no private internet communications were allowed on company computers or IT systems.
During an 8-day period in July 2007, the employer monitored Mr Barbulescu’s Yahoo Messenger account and noted that he had been using the service to send private messages to friends and family. Following this discovery, the employer investigated the matter further and uncovered a series of private messages sent and received by Mr Barbulescu, ranging from sensitive health information to discussions about his sex life. Rather peculiarly, at some point during the investigation process, and for reasons that remain unexplained, the employer released the text of the Yahoo messages to Mr Barbulescu’s work colleagues, who discussed the details of the rather private matters publicly. Following a disciplinary meeting, Mr Barbulescu was dismissed from his role for breaching the employer’s IT policy.
Following unsuccessful appeals in the Romanian court system, Mr Barbulescu took his case to the European Court of Human Rights (ECtHR), claiming a breach of his Article 8 rights. The ECtHR had to consider whether Mr Barbulescu’s expectation of privacy had been breached by his employer reading his private messages on a work computer.
After much deliberation, the ECtHR decided that in instances such as this, where a strict IT policy was in place and where that policy was brought to the attention of the employee, it would not be unreasonable for an employer to access an employee’s account, especially as the account was accessed on the assumption that it contained only business information. The ECtHR went further, however, explaining that it was not unreasonable for an employer to want to verify that employees are working during working hours and that, in certain instances, this may be ascertained through review of such communication. Finally, the court commented that, as the monitoring was limited in scope to Mr Barbulescu’s Yahoo Messenger account and did not include his private email accounts or similar, the monitoring involved was proportionate and did not breach Mr Barbulescu’s Article 8 rights.
What does this mean for you or your business?
First of all, ignore the newspaper headlines stating that this case gives employers an unfettered right to snoop on an employee’s private email accounts and messages. Nowhere does the ECtHR judgment state that this is the case, and such misleading headlines are confusing to both employers and the general public.
Here in the UK, employers remain bound by the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000, which limit an employer’s powers to monitor employees’ private communications. These statutes are just a couple of the many differences that come into play should you be faced with such a scenario in the UK. Furthermore, despite the old argument that only public bodies are expressly subject to the Human Rights Act, private companies are ultimately not exempt from such regulation, as the national courts and tribunals must interpret UK law in light of the Act.
In our experience it is extremely rare for an employer in the UK to forbid any type of personal messages on a work IT system. In such instances, accessing clearly private messages would likely constitute a breach of Article 8, as previous cases have shown (see Halford v UK and Copland v UK for further details). The judgment given in Mr Barbulescu’s case is very fact-specific and we do not recommend employers rely on this judgment without taking legal advice first.
What do you need to be doing now?
As a business it is vital to have good IT and Social Media policies in place. Not only will they assist you in disciplinary matters, but they also provide employees with clear guidance as to how and why their emails may be monitored. Such policies should not simply be drafted and forgotten about; instead, they should be clearly brought to your employees’ attention and you should have a clear paper trail to evidence this.
Should your business wish to undertake monitoring of staff emails and/or messages, consideration should be given to the following:
- why exactly you want to undertake monitoring;
- the extent to which you are going to be doing it;
- what steps you can take to achieve a balance between employee privacy and business protection (you should carry out an impact assessment); and
- how to comply with your data protection obligations whilst carrying out this monitoring.
The Information Commissioner’s Office has released an Employment Practices Code to assist employers in situations where sensitive data can be a hot topic. The code can be found by following the link below, with the relevant code on monitoring found from page 64 onwards.
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.