Monitoring Staff

by msecadm4921

From the August print magazine.

How do employers comply with data protection laws and yet investigate wrong-doing? Monitoring staff – especially covertly – has been rather a grey area, despite the Data Protection Act.

A security or fraud manager may want to observe staff – examining logs of websites visited to check that staff are not downloading pornography, say; or videoing workers outside the workplace, to collect evidence that they are not in fact sick; or asking credit reference agencies to check that staff are not in financial difficulties. But what of the right to privacy under the Human Rights Act? The Information Commissioner’s Office (ICO) has already released a code in four parts – covering recruitment and selection (such as pre-employment vetting), employment records, monitoring at work (such as staff use of telephones, the internet, and e-mail) and worker health. In June, the ICO released the code in one 91-page document. In general, this code advises good housekeeping, and that employers document whatever they are doing – assess why a manager has to gather data about staff, and let staff know, whether in a handbook or on a staff intranet.

No definition

Part three, for instance, came out in 2003 and was featured in our August 2003 edition. As we reported then, the code does not offer definite answers: for a start, the code admits ‘there is no hard-and-fast definition of monitoring’. The code recommends ‘impact assessment’ – ‘any adverse impact of monitoring on individuals must be justified by the benefits to the employer and others’. In other words, is the monitoring a proportionate response to the problem it seeks to address?

Impact assessment

The code says: “Making an impact assessment need not be a complicated or onerous process. It will often be enough for an employer to make a simple mental evaluation of the risks faced by his or her business and to assess whether the carrying out of monitoring would reduce or eradicate those risks.” The code does not judge particular circumstances. Instead, the code describes what an impact assessment should take into account: are there adverse impacts (would the monitoring be ‘oppressive or demeaning’?); and are there alternatives (can monitoring be ‘targeted’, can there be spot-checks instead of continuous monitoring?). The code does give core principles, such as ‘It will usually be intrusive to monitor your workers.’ Hence: ‘Wherever possible avoid opening e-mails, especially ones that clearly show they are private or personal.’ Workers should be told of monitoring, ‘unless (exceptionally) covert monitoring is justified’. And, work out who ought to do monitoring – security or personnel, or line managers?

Covert

The same goes for CCTV and audio monitoring: do an impact assessment. What about covert monitoring – when telling staff would give the game away? The code says monitoring covertly is only for ‘exceptional circumstances’: “Senior management should normally authorise any covert monitoring. They should satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice and that notifying individuals about the monitoring would prejudice its prevention or detection.” And no covert monitoring in places where workers would genuinely and reasonably expect to be private – such as toilets. Even then, there may be exceptions if there are ‘serious’ crimes, but ‘there should be an intention to involve the police’.

Private investigator

If a private investigator is employed to collect information on workers covertly, make sure there is a contract in place that requires the private investigator to only collect information in a way that satisfies the employer’s obligations under the Act.

Drug testing

As for drug and alcohol testing, the code advises: “Very few employers will be justified in testing to detect illegal use rather than on safety grounds. Testing to detect illegal use may, exceptionally, be justified where illegal use would: breach the worker’s contract of employment, conditions of employment or disciplinary rules, and cause serious damage to the employer’s business, for example by substantially undermining public confidence in the integrity of a law enforcement agency.”

You can download the guidance:
