GLD Vacancies

Staff surveillance: data protection

Scrutiny 2 iStock 000011392270XSmall 146x219A council recently gave an undertaking to the Information Commissioner after it unlawfully conducted surveillance on an employee. Ibrahim Hasan looks at the case.

Increasingly affordable surveillance technology means that more and more employers are turning to surveillance to catch errant or work shy employees. But confusion still reigns as to which legislation applies and what can be done lawfully.

If employee surveillance is conducted by a public authority and involves covert techniques or equipment, it is easy to assume that Part 2 of the Regulation of Investigatory Powers Act 2000 (“RIPA”) applies. However, the Investigatory Powers Tribunal has ruled in the past that not all covert surveillance of employees is regulated by RIPA (See C v The Police and the Secretary of State for the Home Department (14th November 2006, No: IPT/03/32/H), discussed in our previous post on employee surveillance.)

All employers, whether in the public or the private sector, have to respect their employees’ right to privacy under Article 8 of the European Convention on Human Rights. This means that the surveillance must be carried out in a manner that is in accordance with the law and is necessary and proportionate (see Copland v UK (3rd April 2007 ECHR).

During the course of the surveillance, the employer will inevitably be gathering personal data about employees. Consideration therefore has to be given to the provisions of the Data Protection Act 1998 (DPA). Compliance with the DPA will also help demonstrate that the surveillance is human rights compliant since protection of individuals’ privacy is a cornerstone of the DPA.

The Information Commissioner’s Office’s (ICO) Employment Practices Code, which covers surveillance of employees at work. The code covers all types of employee surveillance from video monitoring and vehicle tracking to email and internet surveillance. Whilst the code is not law, it will be taken into account by the Information Commissioner and the courts whether deciding whether the DPA has been complied with.

In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee , suspected of fraudulently claiming to be sick, had breached the DPA.

The council’s decision to authorise the surveillance was based on anecdotal evidence and was begun only four weeks into the employee’s sickness absence. No other measures were taken to discuss the employee’s absence before the decision to deploy covert surveillance. The surveillance report, which was produced by a private company, was never used. The ICO determined the council did not have sufficient grounds to undertake the surveillance, especially at such an early stage of the employee’s absence.

The council has undertaken that, in future, it will carry out an impact assessment, (as required by the code) in every case of employee surveillance. This will consider whether the adverse impact of the surveillance on the employee(s) is justified by the benefits to the employer and others. Such an impact assessment must also:

  • clearly identify the purpose(s) behind the surveillance and the benefits it is likely to deliver,
  • identify any likely adverse impact of the surveillance,
  • consider alternatives to surveillance or different ways in which it can be carried out
  • take into account the obligations that arise from the surveillance, and
  • judge whether the surveillance is justified.

This assessment is best done in writing using a “Non-RIPA” surveillance form (Our RIPA Policy and Procedures Toolkit contains such a form).

Furthermore the council agreed some general principles which are useful for all employers to note when deciding to conduct covert surveillance of employees:

  • Senior management should authorise any covert monitoring. In doing so they must satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice (i.e. serious but non-criminal employee misbehaviour, such as fraudulently claiming sick pay) and that notifying individuals about the monitoring would prejudice its prevention or detection.
  • Such covert monitoring should only be used in exceptional circumstances, as it will be rare for covert monitoring of employees to be justified.
  • Ensure that any covert monitoring is strictly targeted at obtaining evidence within a set timeframe and that the covert monitoring does not continue after the investigation is complete.
  • Do not use covert audio or video monitoring in areas which workers would genuinely and reasonably expect to be private.
  • If a private investigator is employed to collect information on workers covertly make sure there is a contract in place that requires the private investigator to only collect information in a way that satisfies the employer’s obligations under the Act.
  • Check any arrangements for employing private investigators to ensure your contracts with them impose requirements on the investigator to only collect and use information on workers in accordance with your instructions and to keep the information secure.
  • Ensure that information obtained through covert monitoring is used only for the prevention or detection of criminal activity or equivalent malpractice.
  • Disregard and, where feasible, delete other information collected in the course of monitoring unless it reveals information that no employer could reasonably be expected to ignore.

Employee surveillance is a legal minefield. RIPA may not always apply but compliance with the DPA and the Employment Practices Code will ensure that it is human rights compliant and that adverse headlines are avoided.

Ibrahim Hasan is a solicitor and director of Act Now Training. This article first appeared in the Act Now Blog.
42BR Midpage Employ