Monitor - at your own risk

In March the results were released of a poll concerning employers’ monitoring and analysis of employees’ “online footprints”. Conducted by polling company YouGov, the poll questioned the extent to which businesses would “Google” the names of applicants for jobs and of current employees, as well as looking at their online activities on social networking sites such as MySpace and Bebo. Although not fully publicly available, the main reported findings, discussed below, suggest that employers’ monitoring of personal activities on the internet is prolific. But to what extent is such monitoring unlawful?

Uncertain limits

There are many ways for employers to monitor employees’ activities within the workplace. Use of computer systems is easily traceable and usually this can be carried out lawfully. The same may be said for video surveillance, GPS tracking (e.g. for delivery drivers), remote listening (e.g. in call centres) and even credit referencing (e.g. the financial sector). Some employers take more intrusive approaches, for a variety of purposes. Drug and alcohol tests are routine, some public sector employers are requesting and analysing details of their employees’ sexual orientation (for equality monitoring), and there are even reports of one employer utilising a high-tech system to monitor employees’ toilet habits, to ensure high standards of hygiene and thus a safe place of work (“How can your boss monitor you?”, 12 March 2004, www.bbc.co.uk).

There is obvious good reason to regulate employees’ activities in the workplace, and the law affords the means for employers to do so, through measures including the Data Protection Act 1998, Human Rights Act 1998, Access to Medical Records Act 1998, Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Information Commissioner’s Employment Practices Code, and OFTEL Guidance on the Recording of Telephone Calls at Work. The extent to which employers may lawfully monitor employees’ activities away from the workplace and outwith working hours is far more debatable. The frequency and extent of monitoring has led to debate and concern that employers’ activities are becoming too intrusive and employees’ privacy is in danger.

Tracking footprints

Traditionally, the scope of an employer monitoring an employee’s activities away from the workplace would typically involve some form of covert physical surveillance, such as in McGowan v Scottish Water, EATS/0007/04, unreported or Jones v University of Warwick [2003] 3 All ER 760 (CA). A new way to investigate personal activities of employees or potential employees can include looking at their “online footprint”: analysing information that can be accessed on the internet. This is not tracing the sites visited by employees on company computers during working hours; rather it is searching out personal material posted online for non-work related reasons, such as information uploaded to blogs (online diaries), or pages on sites such as MySpace and Bebo, or elsewhere.

The popularity of online communities is staggering. Their use and capability is ever-increasing and according to studies, over two-thirds of users are adults. Whilst users largely intend to use their Bebo or MySpace website for personal reasons, employers are putting the information to good use and for other reasons. As reported by YouGov in a poll commissioned by business networking firm Viadeo, one fifth of the 600 employers polled admitted to using the internet to check out prospective candidates. This affected over half of the decisions made, with 15% of employers rejecting prospective employees because of their “online footprint”. One quarter of all human resource managers polled allowed their decision making to be thus influenced, and regularly used the internet to “Google” the names of employees. If the information is publicly available, can there be invasion of privacy?

A foreign principle

There is no legislative measure specifically concerned with privacy, far less privacy in the workplace and employee monitoring. The possibility of creating a freestanding legal right to “privacy” was considered and dismissed by the Younger Report of 1972 (Cmnd 5012). Instead, the law is drawn from more general sources. Of course, the Human Rights Act is available and article 8, the right to privacy, is most readily cited where disputes over “privacy” are concerned.

In the same decade that the UK rejected the possibility of legislation, the subject rose to prominence after article 8 was successfully relied on before the European Court of Human Rights (ECtHR) in Klass v Germany (1978) 2 EHRR 214. Since then, article 8 has been pled before UK courts in support of employment disputes, with varying degrees of success. Halford v United Kingdom [1997] IRLR 471 was the watershed case for the topic of workplace privacy, where Ms Halford successfully argued that her article 8 right to privacy had been infringed by her employer eavesdropping on her personal telephone line at her place of work. Since Halford, workplace practice has changed, and although a number of cases have been taken in which article 8 has been relied on, it has invariably been without success.

The tendency of the courts has been to distinguish the European jurisprudence. In Avocet Hardware plc v Morrison, EAT/0417/02/DA, unreported, the Halford principle requiring a warning that monitoring may take place, to avoid invading privacy, was rejected by the Court of Appeal, who said it was implicit in working in a call centre that monitoring would take place. Equally, decisions have been inconsistent with the tenor and direction of European authorities. For example, in Pay v Lancashire Probation Service, EAT/1224/02/ LA, unreported, material posted on internet sites was said to be in the public domain and therefore not protected by article 8. However, this approach to article 8 and “privacy” is firmly at odds with decisions such as Niemietz v Germany (1992) A 251-B.

Personal and private

It is clear from that decision that a narrow approach is wrong when defining “private life” further to article 8, as “it would be too restrictive to limit the notion of an inner circle in which the individual may live his own personal life as he chooses and to exclude therefrom entirely the outside world not encompassed within that circle. Respect for private life must also comprise to a certain degree the right to establish and develop relationships with other human beings” (para 29). Privacy in article 8 is much wider than may be thought, according to the European authorities: it includes “the physical and moral integrity of the person, including his or her sexual life” (X and Y v Netherlands (1985) A 91, para 22), the quality of private life as affected by the amenities of the home (Power and Rayner v United Kingdom (1990) A 172, para 40) and the right to establish and develop relationships with other human beings (Niemietz v Germany, para 29), including determination of an individual’s identity (Mikulic v Croatia, 7 February 2002, paras 51-55). All of these are potentially relevant to privacy, in terms of having a personal life away from the workplace.

The UK courts have upheld actions fortified by article 8 arguments, such as in Douglas v Hello! Ltd [2001] 2 All ER 289 (CA) and Campbell v MGN Ltd [2004] UKHL 22 (an intrusion occurring in a public place; the Scottish case of X v BBC 2005 SCLR 740 (OH) is also notable in this regard). The principle observed is similar to the judgment of the ECtHR that the right of privacy is “the right to live as far as one wishes, protected from publicity” (X v Iceland (1976) DR 5, 86), provided that in the circumstances a legitimate expectation of privacy exists (Brüggeman and Scheuten v Germany (1977) DR 10; N v Portugal (20 February 1995); Friedl v Austria (1995) A 305-A). The extent to which a legitimate expectation of privacy exists in the employment relationship, however, is a matter of considerable debate.

The Information Commissioner is of the view that an expectation of “privacy” does exist concerning material posted on the internet and social networking sites, in the context of the employment relationship. Consequently, an employer’s monitoring of such information could become intrusive and unlawful. This view, expressed to the writer in researching a separate paper on this topic, is formed from an analysis of the Data Protection Act and the Employment Practices Code, because in collecting the information online, the employer is processing and retaining data. It also makes practical sense in that information may be publicly accessible on the internet, but it still needs to be searched out and retrieved. The Commissioner’s forthcoming practice note on social networking sites is eagerly anticipated.

Je blog, tu blogs…

In a recent case in France concerning online activities, an industrial tribunal ruled in late March that the writer of an anonymous blog had been unfairly dismissed from her post with accountants Dixon Wilson in Paris. The firm discovered that Catherine Sanderson, the blogeuse, had posted on her web-log www.petiteanglais.com entries about working for them in Paris, although they were not named or readily identifiable, other than the site containing a picture of Ms Sanderson. They took the view that her actions, in publicising information online about her place of work, were disloyal and the cause of difficulties with colleagues. The tribunal disagreed, awarding Ms Sanderson approximately one year’s wages (which she can add to the reported £500,000 secured through a two-book deal signed following her dismissal).

The French courts may not be the appropriate forum for litigation for Scots-based employment relationships, but it should be remembered that for public sector workers recourse could be had outwith Scotland, to the ECtHR. Lynette Copland, an employee of Carmarthenshire College in Wales, obtained a judgment from the court dated 3 April 2007 against the UK Government (the college’s funder) that Ms Copland’s right to privacy under article 8 had been infringed by the college’s near-constant monitoring for 18 months of her emails, websites visited and correspondence on college equipment, unbeknown to her.

Risky business

If, as is apparent, the right to privacy can be infringed by an employer’s actions in the workplace, employers must be cautious in venturing into monitoring of employees’ actions in their personal life, even if conducted in the public domain. It is very questionable that “private” and “privacy” mean simply behind closed doors or away from the public eye, as the decision of the EAT in Pay suggests. There is, it is submitted, a considerable risk that employers could find trouble in conducting online monitoring of personal activities, no less by falling foul of the data protection principles and potentially invading the employee’s privacy. The message is clear to employers: when following in the online footprints of individuals, tread carefully.

Bruce A Caldow is a partner in Harper Macleod LLP, Glasgow