The issue of the use and surveillance of electronic communications and CCTV in the workplace raises important issues regarding data privacy for both the employer and employee.
These data privacy issues, in particular, affect the surveillance of electronic communications and CCTV at work. This document gives an overview of the current rules in place regarding data privacy and surveillance and explains the rights and entitlements of both the employer and employee.
While the Data Protection Acts 1988 and 2003 (pdf) set out the rights and entitlements of citizens regarding the issue of data privacy, the issue of surveillance of electronic communications in the workplace is not specifically legislated for. The European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (SI 535/2003) introduced provisions relating to the confidentiality of communications.
However, under Article 29 of the European Directive 95/46/EC, a working group of Data Privacy Commissioners produced a Working Document - WP55 (pdf) on the issue of surveillance of electronic communications in the workplace. The views expressed in the working document are largely in line with the opinions of the Data Protection Commissioner.
While employees have a legitimate expectation of privacy in the workplace, this right must be balanced with the rights and interests of the employer. (In particular, the employer's right to run their business efficiently and above all, to protect themselves from any liability or harm an employee's actions may create.) These rights and interests constitute legitimate grounds that may justify appropriate measures to limit the worker's right to privacy. Examples of these could include:
However, balancing different rights and interests requires taking a number of principles into account, in particular, proportionality. It should be clear that the simple fact that a monitoring activity or surveillance is considered convenient to serve the employer's interest would not solely justify any intrusion into a worker's privacy.
Employers must provide workers with a readily accessible, clear and accurate statement of policy with regard to email and internet use, including the use of social media, in the workplace. This should clearly describe the extent to which the employees can use communication facilities, either owned by the company or personal remote devices such as smartphones, for personal or private communications. For example, the policy may place a limitation on the duration and times of use.
On the website of the Data Protection Commissioner (DPC) you can find guidance notes on monitoring staff which include the DPC office policy on email and internet use for use as a template.
The working document of the working group of Data Privacy Commissioners recommends that the internet use policy should contain, at the minimum, the following elements:
If surveillance or monitoring of communications use is to be carried out, the reasons and purposes for which this will be undertaken must be made clear to employees. Where an employer has allowed the use of the company's communications facilities for private use by employees, such private communications may be subject to some surveillance, for example, to ensure adequate virus checking. Details of surveillance measures to be undertaken must be clearly identified, for example, what type of surveillance and how and when it will be done.
All these issues should be addressed and included in the employer's policy.
In the event of a breach of internal electronic communication use, the employer must have set out enforcement procedures in the company policy. In addition, the employer must have clearly set down the opportunities given to employees to respond to breaches of policy. From a practical point of view, it is strongly advised that the employer immediately informs the worker of any misuse of electronic communications that is detected, unless important reasons justify the continuance of the surveillance. Employees can be informed through software such as pop-up warning windows.
Before implementing any e-mail monitoring policy in the workplace, employers must ask themselves:
The monitoring of e-mails should, if possible, be limited to traffic data on the participants and time of a communication rather than the contents of communications if this would be sufficient to allay employers concerns. No covert e-mail monitoring is allowed by employers, except in a case where specific criminal activity has been identified and the surveillance is required to obtain evidence and subject to the respect of legal and procedural rules. For example, if the employer or police suspects that an employee is using workplace e-mail and the internet contrary to the provisions of the Child Trafficking and Pornography Act 1998.
If access to an e-mail's content is absolutely necessary, the employer should take into account the privacy of people outside the organisation receiving the e-mail as well as those inside. The employer, for instance, cannot obtain the consent of people outside the organisation sending e-mails to its workers. The employer should make reasonable efforts to inform people outside the organisation of the existence of monitoring activities to the extent that these people could be affected by them. An example could be the insertion of warning notices regarding the existence of the monitoring systems, which may be added to all outbound e-mails from the organisation.
Any personal data from or related to an employee's e-mail account or his or her use of the internet that is legitimately stored by an employer must be accurate and up to date and not kept for longer than necessary. Employers should specify a retention period for e-mails in their central servers based on their business needs and have procedures in place to ensure that retention period is not exceeded. The employer must put in place appropriate technical and organisational measures to ensure that any personal data it holds is secure and safe from outside intrusion.
All usage of CCTV other than in a purely domestic context must be undertaken in compliance with the requirements of data protection legislation. As CCTV infringes the privacy of the persons captured in the images there must be a genuine reason for installing such a system. If installing such a system, it is required that the purpose for its use be displayed in a prominent position.
Employers may use CCTV to monitor the workplace for various reasons. If CCTV is installed in a workplace, the employer should use signage to inform employees of the location of the cameras and to explain the purpose for which they are installed. Under the Data Protection Acts, if your employer informed you that the CCTV cameras were installed to prevent, for example, theft from the workplace, the CCTV footage cannot be used for another purpose such as recording the entry and exit of employees from the workplace.
If you feel that your employer’s monitoring and surveillance has breached data protection legislation you may make a complaint to the Data Protection Commissioner – see address below.
If you have a question relating to this topic you can contact the Citizens Information Phone Service on 0761 07 4000 (Monday to Friday, 9am to 8pm) or you can visit your local Citizens Information Centre.