A question which I am regularly asked by employers is how much they can monitor their employees’ personal messages on a work related internet messaging account.
This issue has been sharply put back into the focus of employers’ minds following the recent European Court of Human Rights decision in Barbulescu v. Romania (Application Number .61496/08)  ECHR 742.
Mr Barbulescu was an engineer in charge of sales with his employer. He was asked by his employer to set up a Yahoo Messenger account to deal with client enquiries. The company did, however, have a strict policy which prohibited any personal use of its IT equipment and a note was circulated by the company reiterating that.
The notice contained the following statement,
“Come to work to deal with company and professional matters, and not your own personal problems! Don’t spend your time using the internet, the phone or fax machines for matters unconnected to your work or duties… The employer has a duty to supervise and monitor employees’ work and to take punitive measures against anyone at fault! Your misconduct will be carefully monitored and punished!”
Interestingly though, neither the policy nor the notice stated that the content of communications would be monitored or intercepted.
The notice and policy were published on 3 July 2007. On 13 July 2007, Mr Barbulescu was told that his employer had monitored his Yahoo Messenger communications over the course of a week and that it considered he had used it for personal purposes in contravention of their IT use policy. As expected, Mr Barbulescu’s response was that he had only used it for professional purposes.
His employer then produced a 45-page transcript of his messenger communications over the week in question and that included text messages which he had had with his brother and fiancé during that time, and those messages contained intimate personal information.
On 1 August 2007 Mr Barbulescu was dismissed for unauthorised personal use of the internet.
Mr Barbulescu challenged this in the Romanian courts and that was unsuccessful. The court said that the employer was entitled to check that work was being done properly and that as Mr Barbulescu had been given adequate notice of the rule and that surveillance would be carried out, then, the dismissal was fair.
Mr Barbulescu brought a claim in the European Court of Human Rights against the Romanian Government on the basis that his right to privacy under Article 8 had been breached. Article 8 provides that “everyone has a right to respect for his private and family life, his home and his correspondence.”
At the first hearing, the European Court of Human Rights held that the monitoring of Mr Barbulescu’s internet usage and the use of the Yahoo Messenger communications was a proportionate interference with his Article 8 rights. The court held that it was not unreasonable for an employer to want to verify that employees are working during working hours, even where it is not alleged that the employee’s actions have caused any actual damage. In the court’s view the monitoring was proportionate.
Mr Barbulescu appealed to the Grand Chamber of the European Court of Human Rights and he was successful.
The Grand Chamber found that Mr Barbulescu’s rights had been infringed. It said that the Romanian courts had not adequately protected his right to private life in correspondence and that they had failed to strike a fair balance between the employer’s rights and those of Mr Barbulescu.
To a large extent, the decision will have little impact in the UK because unlike our European neighbours, this area of law is regulated by UK legislation and the Data Protection Act 1988.
However, in my view the decision is worth a mention because the Court sets out what I think is very useful guidance on what employers need to think about before they start to monitor their employees’ email usage.
The guidance confirms that businesses should:-
(i) Notify employees that they are monitoring their communications;
(ii) Consider the extent to which they can monitor and the amount of intrusion that that monitoring may have on an employee’s private life;
(iii) Consider if they have a legitimate reason for monitoring the communications and their content.
(iv) Consider if they can monitor by another method
(v) Consider the consequences of monitoring
(vi) Consider if there are adequate safeguards in place for the employee.
In my view, these are questions which every business should be asking itself before it thinks about a policy on monitoring its employee’s internet usage.
All businesses want to ensure that they are being protected and that their employees are there are there to do a job for them – not their online grocery shop!
If you want to check if your current IT policy is protecting you as much as you want it to or if you need to get a policy in place, then please contact me (Julie Sullivan) on email@example.com or on 01383 721621.