Personal internet use at work- where do you stand?
It is extremely common for employees to use their work computers for personal reasons such as checking their personal email account, making online purchases and accessing social media. For employers, allowing employees personal use can cause issues such as unnecessary exposure to viruses and issues regards confidentiality and security. Below are a few different considerations for an employer when approaching personal internet use at work.
Right to private life
The right to a private life extends to the workplace and therefore employees have an expectation of privacy when at work. In fact, the Human Rights Act 1998 (“HRA”) suggests that employees have a right to undertake personal errands (such as making brief important telephone calls) throughout the day (so long as this is not impacting on the employee’s work).
It is worth bearing in mind that the HRA only applies to public authorities, such as local authorities and publicly funded schools, and public or private bodies performing public functions. This could include private hospitals providing care on behalf of the NHS and privatised utility providers.
A company policy regarding email and internet use at work is important. The policy should set out the disciplinary consequences of a breach which will:
- Ensure that employees have clear guidelines as to acceptable use;
- Minimise the risk of the company becoming vicariously liable for the acts of employees; and
- Ensure that the company can lawfully discipline employees for use in contravention with the policy.
If the consequences of breaching the policy are not made clear to employees, the dismissal for internet-related offences could be unlawful.
Enforcing a company policy on internet use can be difficult; the majority of employers therefore monitor employees’ use of the internet and their emails. This in turn creates a number of further considerations for employers.
1.European Court of Human Rights’ decisions
In Copland v United Kingdom, a Welsh college had monitored an employee’s emails, internet usage and telephone calls over a prolonged length of time in the 1990s. It was held that the employer was in breach of the employee’s right to privacy and that even monitoring the date, length of telephone conversations and numbers dialled would give rise to a breach of privacy.
In the more recent case of Barbulescu (2017), the employee was dismissed for breaching the company policy that work computers could not be used for personal reasons. The employer produced copies of this personal correspondence during the disciplinary procedure to evidence the dismissal.
The European Court of Human Rights (“ECtHR”) held that the employer had breached the employee’s right to privacy because the employer had not forewarned of potential monitoring and potential access to the content of employees’ communications. Indeed, specifically, the ECtHR confirmed that any employee monitoring must be proportionate in achieving the aim of promoting and protecting the employer’s business.
2.Data protection legislation- the General Data Protection Regulations (“GDPR”)
Monitoring employees at work involves processing personal data which is regulated by the GDPR. The Information Commissioner’s Office, which oversees the implementation of the GDPR, has published guidance to assist employers with meeting the requirements in the workplace. The Employment Practices Code, although does not prevent employers from monitoring employees in the workplace, recommends a number of steps be undertaken by employers to ensure compliance with the GDPR. These include:
- Undertaking a Data Protection Impact Assessment which should identify the purpose of monitoring, any adverse impact and whether it is justified;
- Considering and recording the legal grounds for processing the personal data;
- Informing employees of potential monitoring by way of a policy;
- Using information obtained for the purpose for which monitoring was undertaken; and
- Ensuring personal data is secure.
What you can do as an employer
When monitoring employees in the workplace, consideration should be given to both the Information Commissioner Office’s rules and the Human Rights Act 1998.
In practice this means:
- You can monitor employees’ emails at work but this must be undertaken carefully and with consideration to both GDPR rules and the Human Rights Act 1998;
- You should follow the recommendations of the ICO which suggest steps to be taken prior to undertaking monitoring;
- It is recommended that you implement a company policy regarding personal use of the internet at work; and
- If emails are personal, do not open them unless you either consider that there is a real risk of serious harm to the business or you have provided prior notice to the employee in advance that the content may be viewed.