Long-time readers may recall the 2016 case of Barbulescu v Romania in which the European Court of Human Rights (ECtHR) ruled that Mr Babulescu’s right to privacy had not been breached by his employer who read private messages contained within Yahoo Messenger on his work computer. A full background of the case can be found in our February 2016 bulletin HERE.
In an extremely rare move, Mr Barbulescu appealed the ECtHR judgment to the Grand Chamber of ECtHR, the final level of appeal available to him. Rather surprisingly the Grand Chamber has found in favour of Mr Barbulescu, ruling that the Romanian courts did not strike the right balance when taking into account Mr Barbulescu’s right to privacy.
The Grand Chamber went into great detail as to how it came to its judgment, the details of which are extremely helpful to employers who monitor employees’ communications on work devices. We have picked out the main points from the 38 page judgment which should be cross referenced with your own IT policies to ensure compliance:
- Employees should be made aware at the outset of employment and on a regular basis an employer’s policy on monitoring.
- Ensure that employees are not only aware of the monitoring but also the extent of the monitoring.
- Ensure that you have legitimate reasons to carry out the monitoring of employees’ communications and reflect the same in your policy.
- An employer should consider whether any aim sought by it via monitoring can be achieved by less intrusive methods.
- Monitoring should be restricted to sight of the quantity of personal correspondence and any investigation should not be overly intrusive unless the company has a very good reason for doing so. For example, is it really necessary to read the contents of messages if you can clearly see from the sender or subject that it is a private message? If the emails evidence misconduct on the other hand, it may be necessary to read those emails.
- Should it become apparent from the sender data or subject heading data that a message is private, the employee should be given an opportunity to explain themselves before the content of the message/email is read.
We believe the reasoning provided by the ECtHR is sensible and in line with EU Data Protection Directive. Here in the UK, businesses will be aware that stricter provisions are soon to be introduced in the form of the European General Data Protection Regulations (GDPR) which will come into effect from May 2018. Sarah Lee talks more about these new regulations and the impact of them in her article this month.
What does this mean for you or your business?
As stated in our previous bulletin, it is unusual for an employer to have a blanket ban on private communication over work equipment. Employers should not, however, think that that absolves them of any requirement to have in place policies in relation to the same.
When considering abuse of IT systems by employees Courts and Tribunals will expect to see clear and transparent instructions or policies relating to a worker’s use of systems, especially in cases where actions by the employee may lead to a gross misconduct charge.
What should you be doing now?
Businesses should ensure that all relevant IT policies are up to date and comply with data protection legislation and ICO guidance on this matter. Helpful guidance such as those tips provided above should form part of any procedure where employee monitoring is being carried out. All staff should be made aware of the policy and kept updated with any changes in relation to the same.
We have put together a quick read on what you need to know about the upcoming changes to Data Protection which can be read HERE.
These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice.