Surveillance in the workplace
The issue of the use and surveillance of electronic communications and CCTV in the workplace raises important issues regarding data privacy for both the employer and employee.
These data privacy issues, in particular, affect the surveillance of electronic communications and CCTV at work. This document gives an overview of the current rules in place regarding data privacy and surveillance and explains the rights and entitlements of both the employer and employee.
While the Data Protection Acts 1988 and 2003 (pdf) set out the rights and entitlements of citizens regarding the issue of data privacy, the issue of surveillance of electronic communications in the workplace is not specifically legislated for. The European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (SI 535/2003) introduced provisions relating to the confidentiality of communications.
However, under Article 29 of the European Directive 95/46/EC, a working group of Data Privacy Commissioners produced a Working Document - WP55 (pdf) on the issue of surveillance of electronic communications in the workplace. The views expressed in the working document are largely in line with the opinions of the Data Protection Commissioner.
Privacy in the workplace
While employees have a legitimate expectation of privacy in the workplace, this right must be balanced with the rights and interests of the employer. (In particular, the employer's right to run their business efficiently and above all, to protect themselves from any liability or harm an employee's actions may create.) These rights and interests constitute legitimate grounds that may justify appropriate measures to limit the worker's right to privacy. Examples of these could include:
- Where the employer is victim of a worker's criminal offence
- Where the employees’ use of social networking sites causes damage to the employer’s business reputation or releases confidential information
- Dealing with cyber bullying in the workplace, that is, bullying carried out on the internet and mobile phones, through social networking sites, email and texts. You can read more about bullying in the workplace.
However, balancing different rights and interests requires taking a number of principles into account, in particular, proportionality. It should be clear that the simple fact that a monitoring activity or surveillance is considered convenient to serve the employer's interest would not solely justify any intrusion into a worker's privacy.
Obligations on employers - statement of policy
Employers must provide workers with a readily accessible, clear and accurate statement of policy with regard to email and internet use, including the use of social media, in the workplace. This should clearly describe the extent to which the employees can use communication facilities, either owned by the company or personal remote devices such as smartphones, for personal or private communications. For example, the policy may place a limitation on the duration and times of use.
On the website of the Data Protection Commissioner (DPC) you can find guidance notes on monitoring staff which include the DPC office policy on email and internet use for use as a template.
The working document of the working group of Data Privacy Commissioners recommends that the internet use policy should contain, at the minimum, the following elements:
- The employer must set out clearly to employees the conditions under which private use of the internet is permitted as well as specifying material that cannot be viewed or copied. These conditions and limitations must be explained to employees.
- Employees need to be informed about the systems implemented both to prevent access to certain websites and to detect misuse. The extent of such monitoring should be specified, for instance, whether such monitoring may relate to individuals or particular sections of the company or whether the content of the websites visited is viewed or recorded by the employer in particular circumstances. Furthermore, the policy should specify what use, if any, will be made of any data collected in relation to who visited what websites.
- Employees should be informed about the involvement of their representatives, (for example, trade union representatives), both in the implementation of the policy and in the investigation of alleged breaches.
If surveillance or monitoring of communications use is to be carried out, the reasons and purposes for which this will be undertaken must be made clear to employees. Where an employer has allowed the use of the company's communications facilities for private use by employees, such private communications may be subject to some surveillance, for example, to ensure adequate virus checking. Details of surveillance measures to be undertaken must be clearly identified, for example, what type of surveillance and how and when it will be done.
All these issues should be addressed and included in the employer's policy.
In the event of a breach of internal electronic communication use, the employer must have set out enforcement procedures in the company policy. In addition, the employer must have clearly set down the opportunities given to employees to respond to breaches of policy. From a practical point of view, it is strongly advised that the employer immediately informs the worker of any misuse of electronic communications that is detected, unless important reasons justify the continuance of the surveillance. Employees can be informed through software such as pop-up warning windows.
Before implementing any e-mail monitoring policy in the workplace, employers must ask themselves:
- Whether the workers know that the e-mail will be monitored
- Whether the monitoring is necessary. Could the same results be achieved with traditional methods of supervision?
- Whether the proposed processing of personal data is fair to employees
- Whether the monitoring is in proportion to the concerns it tries to address.
The monitoring of e-mails should, if possible, be limited to traffic data on the participants and time of a communication rather than the contents of communications if this would be sufficient to allay employers concerns. No covert e-mail monitoring is allowed by employers, except in a case where specific criminal activity has been identified and the surveillance is required to obtain evidence and subject to the respect of legal and procedural rules. For example, if the employer or police suspects that an employee is using workplace e-mail and the internet contrary to the provisions of the Child Trafficking and Pornography Act 1998.
If access to an e-mail's content is absolutely necessary, the employer should take into account the privacy of people outside the organisation receiving the e-mail as well as those inside. The employer, for instance, cannot obtain the consent of people outside the organisation sending e-mails to its workers. The employer should make reasonable efforts to inform people outside the organisation of the existence of monitoring activities to the extent that these people could be affected by them. An example could be the insertion of warning notices regarding the existence of the monitoring systems, which may be added to all outbound e-mails from the organisation.
Any personal data from or related to an employee's e-mail account or his or her use of the internet that is legitimately stored by an employer must be accurate and up to date and not kept for longer than necessary. Employers should specify a retention period for e-mails in their central servers based on their business needs and have procedures in place to ensure that retention period is not exceeded. The employer must put in place appropriate technical and organisational measures to ensure that any personal data it holds is secure and safe from outside intrusion.
All usage of CCTV other than in a purely domestic context must be undertaken in compliance with the requirements of data protection legislation. As CCTV infringes the privacy of the persons captured in the images there must be a genuine reason for installing such a system. If installing such a system, it is required that the purpose for its use be displayed in a prominent position.
Employers may use CCTV to monitor the workplace for various reasons. If CCTV is installed in a workplace, the employer should use signage to inform employees of the location of the cameras and to explain the purpose for which they are installed. Under the Data Protection Acts, if your employer informed you that the CCTV cameras were installed to prevent, for example, theft from the workplace, the CCTV footage cannot be used for another purpose such as recording the entry and exit of employees from the workplace.
Where to apply
If you feel that your employer’s monitoring and surveillance has breached data protection legislation you may make a complaint to the Data Protection Commissioner – see address below.