Two recent decisions of the European Court of Human Rights (ECtHR) have considered how the privacy rights of employees can be protected during covert disciplinary investigations. Here we explain those cases and the guidance that can be taken from them.
Barbulescu v Romania  IRLR 1032 considered the investigation of an employee’s personal emails. Mr Barbulescu’s employment contract forbade any personal use of the employer’s computer system. Contrary to this, Mr Barbulescu had used a Yahoo Messenger account intended for client communications for personal messages. When asked about this, he lied and stated that he had used Yahoo Messenger only for work purposes. The employer then produced a 45 page transcript of messages sent to his brother and fiancée, including messages of an intimate nature and messages addressing medical issues. That transcript was read by numerous colleagues involved in the disciplinary process.
In September 2017, the Grand Chamber of the ECtHR held that this was disproportionate and a breach of Mr Barbulescu’s Article 8 right to privacy.
The ECtHR confirmed that “private life” within the meaning of Article 8 is a broad term, not susceptible of exhaustive definition, and held that the concept of private life may include professional or business activities and activities taking place in public. It expressly ruled that emails sent from work are protected under Article 8, as well as information derived from monitoring an employee’s internet use.
Stating that “proportionality and procedural guarantees against arbitrariness are essential”, the court set out factors to be taken into account when reviewing measures taken by employers:
- Whether the employee has been notified of the possibility of monitoring and its nature.
- The extent of monitoring and the degree of intrusion into the employee’s privacy.
- Whether the employer has provided legitimate reasons to justify monitoring and accessing the content of communications, with the latter requiring more weighty justification as it is more intrusive.
- Whether less intrusive methods could have been used.
- The consequences of monitoring for the employee and the use made by the employer of the results of monitoring, in particular whether the results were used to achieve the declared aim.
- Whether the employee was provided with sufficient safeguards, which should ensure that the employer cannot access the actual content of communications unless the employee has been notified in advance.
In Lopez Ribalda v Spain, heard by the ECtHR in December 2017, supermarket cashiers were suspected of theft. The employer set up cameras which it told the employees about, and additionally put in place hidden cameras. The camera footage showed the cashiers stealing and was relied on by the employer first to dismiss them, and later as evidence to justify their dismissals to the Spanish employment tribunal. The employees contended that their Article 8 right to a private life was infringed by both the video surveillance itself and its use by the employer in deciding to dismiss them.
The ECtHR readily found that covert video surveillance was a “considerable intrusion” into the employees’ private lives, as it was a recorded and reproducible documentation of their conduct at work which, being contractually obliged to go to work, they could not evade.
The ECtHR took into account that the data obtained from the cameras entailed the processing of personal data, thus engaging data protection legislation and the requirement to obtain consent. The fact that the employees had a right to be informed of the existence and purpose of the video surveillance under the data protection legislation meant that they also had a reasonable expectation of privacy for the purposes of Article 8.
In ruling that covert surveillance was not a proportionate means of protecting the employer’s legitimate aim of preventing theft, the ECtHR took several factors into account:
- All staff were subject to the surveillance and not merely those most likely to be responsible for the thefts.
- The surveillance took place over a prolonged period;
- The surveillance had not been carried out in accordance with the data protection principles.
- Less intrusive means were available, as the aim of preventing further thefts could still have been achieved if the employer had informed the employees in advance of the installation of cameras and of their personal data rights.
Implications for employers
Neither decision imposes a ban on monitoring or even covert surveillance. Although investigating misconduct is a legitimate aim, both cases show clearly that even criminal misconduct will not justify excessively intrusive investigations.
Good policies are, as ever, the starting point. Policies should address internet usage, potential monitoring, any surveillance measures and the employee’s rights. Employers who have CCTV or other recording systems should have a clear policy explaining the nature and extent of recordings and the employee’s rights. It is always helpful to provide employees with a point of contact for any queries.
Note that, once the GDPR is introduced on 25 May 2018, employers will not be able to rely on blanket contractual consents to the processing of personal data. Instead, employers will have to justify processing on other grounds, including the legitimate interests of the business.
There are several points to be extracted from these judgments for employers embarking on an investigation in relation to suspected misconduct:
- Each case needs to be considered on its own merits. Note that the GDPR requires appropriate organizational methods to ensure that the data protection principles are followed. Employers should develop protocols for monitoring and surveillance measures, ensure managers involved are recording steps taken and provide for senior managerial oversight.
- Employers should be wary of proceeding to monitor or investigate without having a clear reasonable basis for suspecting misconduct.
- When considering the scope of an investigation, the employer should determine the aims of the investigation and what steps need to be taken to support those aims. There may be significant differences in the scope and approach of:
- investigations into identifying those responsible for ongoing conduct;
- investigations to establish past conduct by an already identified employee; and
- investigations into how the conduct of numerous employees can be improved or redirected in the future.
- Monitoring should be restricted to only those employees in relation to whom reasonable suspicion arises. Record the reasons why each employee is suspected before embarking on any investigation or surveillance.
- Employers should consider the impact of monitoring from the employee’s perspective and the possibility that it could intrude on their privacy.
- Consider whether there are less intrusive steps that could be taken. The more intrusive the steps to be taken, the more those reasons need to be compelling.
- Employers must follow the data protection principles in handling the evidence obtained from investigations. Personal data should be stored in a secure manner, and only viewed and shared to the extent necessary for the identified purpose of the investigation. The GDPR requires a record to be kept of how data has been processed.
- Evidence collected from monitoring or surveillance should only be used for its intended purpose and should be deleted or destroyed once that purpose has expired.
Further guidance can be obtained from the Information Commissioner’s Employment practices code.