Private life at work: how far can an employee’s right to privacy restrict your ability to investigate suspected misconduct at work?

A recent case before the European Court of Human Rights (Barbulescu v Romania) involved an employee who was dismissed for using his work computer to send personal messages to his brother and fiancée during work time. He was aware that personal use of the company’s computer systems was strictly prohibited, but challenged the fairness of his dismissal on the basis that his employer had breached his fundamental human right to privacy by monitoring his work computer. The European Court of Human Rights has ruled that, in this case, the employer’s monitoring was an unlawful violation of the employee’s fundamental right to private and family life. 

In this article we look at the key issues and give some practical guidance to employers on how to avoid a disproportionate infringement on the right to privacy that could taint an otherwise fair disciplinary process.

Does the decision mean employers can no longer monitor employees?

No, this doesn’t mean that employers can no longer monitor employees’ communications. However, it should prompt employers to revisit their policies and practices on monitoring employees’ communications and, more broadly, how they go about conducting disciplinary investigations that might impact an employee’s privacy.

What is an employee’s right to privacy?

Employees have a human right to a private and family life, both in and out of the workplace. It is the UK, as a member of the European Convention, which is required to take positive steps to protect this right, not employers generally. Private sector employers should nevertheless take the right into account as regards their employees. This is because an employment tribunal, as itself part of the British state, must ensure (as far as possible) that the law is interpreted consistently with Convention rights. 

Accordingly, where an employee is dismissed on the basis of evidence which was acquired by interfering with his right to private and family life, such as via covert surveillance, his dismissal will be unfair unless that interference was justified and proportionate.

For example, in McCann v Clydebank College, the College instructed agents to secretly monitor the claimant, an employee who was off work on sick pay, on suspicion that he was carrying out other jobs whilst purportedly unfit to work. The agents, who monitored the claimant’s home and place of work, produced video evidence which confirmed the employer’s suspicion. The claimant was therefore dismissed for gross misconduct. A Scottish employment tribunal dismissed his claim that the dismissal was unfair, finding the use of surveillance to be justified and proportionate in its degree of interference with the claimant’s rights. The EAT upheld that finding.

Employers therefore need to be careful not to take things too far in their pursuit of evidence to confirm a suspicion of employee wrongdoing. 

Though the EAT has very recently confirmed that there is no such thing as an “excessively thorough” investigation, in every case where an employee’s privacy might be jeopardised, employers should carry out an impact assessment before taking action, considering whether any less invasive means can be used to investigate the employee’s conduct. 

Otherwise, there is a significant risk that an employment tribunal will uphold a finding of unfair dismissal on the basis that the employee’s right to privacy was infringed, even where the investigation produces evidence that justifies dismissal for gross misconduct.

What if personal email use is expressly prohibited?  

In Barbulescu itself, the employee’s personal communications were not monitored in order to find evidence of wrongdoing. Rather, Mr Barbulescu’s personal use of an email account, created especially for the purposes of his employer’s business, was itself wrongdoing. There was an IT usage policy in place which clearly prohibited personal use of the company’s IT facilities, and the breach of this policy led to his dismissal. Despite his being in clear contravention of the policy, the ECHR noted that Mr Barbulescu was not expressly informed that the content of the communications sent via the company’s IT systems would be monitored. 

Though the Romanian Court of Appeal had found that this did not provide any reason to render the dismissal unlawful, the ECHR held (by a majority of 11 to 6 judges) that, by having no legal means to take into account the violation of Mr Barbulescu’s right to a private life and correspondence, the state of Romania had failed to protect the human rights of its citizens. 

In the UK, by contrast, legislation such as the Data Protection Act 1998 regulates to a specific degree the extent to which employee personal data may be processed lawfully. The legislation is supported by the Employment Practices Code, a document produced by the Information Commissioner, which deals specifically with workplace monitoring. However, there are nevertheless some key takeaways to be gleaned from the judgment in Barbulescu.  

Key practical points for employers

• An employee has a right to a private life and correspondence wherever he has a "reasonable expectation of privacy". Where an employer wishes to monitor an employee’s actions, the first step to ensuring that it is lawful to do so is to take action to remove that expectation. This might simply involve a notice, such as the now commonplace "smile, you’re on CCTV".
• Where employers monitor email and internet use, they must make it clear to employees the extent to which monitoring will occur, i.e. that both traffic and content may be reviewed by the employer, and in what circumstances.
• As employee monitoring must be proportionate in achieving the aim of promoting and protecting the employer’s business, it is important that the employer is able to justify the extent to which monitoring is carried out. It may not be enough to justify the invasion of employee privacy as a general means of ensuring that the workforce maintains productivity (this appears to be the case in Barbulescu).   
• Where an employer wishes to put in place an outright ban on personal use of company IT systems, we recommend that the rationale for such a ban is communicated to employees in the IT policy. A ban may be justified, for example, on security grounds.
• A less extensive restriction may deal with an employer’s concerns about security. For example, employers often prohibit the use of online email accounts such as Gmail and Hotmail on the basis that they carry a greater risk of virus or malware infections. 

Employers should only sparingly use intercepted employee communications as evidence of wrongdoing, especially where less invasive evidence can be procured which alone could justify disciplinary action.