Category Archives: data protection

ECHR Ruling: Employers Can Read Employees’ Private Messages

Source: Free Digital Photos/Renjith Krishnan

In a landmark case, the ECHR (European Court of Human Rights) has ruled that employers can read employees' private messages sent while they are at work.  This has implications for UK employees who use Facebook, Twitter and other social media platforms to communicate with family and friends during the working day, and it highlights the increasing blurring of the line between work and private life as working hours become longer.

The case was brought by a Romanian engineer who had messaged his partner on a private messaging platform.  His employment was terminated by his employer, which had a policy in place banning employees from using company resources for personal purposes.  The employer had accessed his private messages on Yahoo because he also used this account for work-related messages.

The ECHR decision goes to the heart of the employment contract and its implied term that, in exchange for wages, an employee commits the whole of their working time to the employment for which they are being paid.

Some legal experts have warned that, even after working hours have ended, an employee should not use company smartphones, tablets or laptops for personal messaging.

Many employees may now assume that their employer could monitor their online activities while at work and should think carefully about what they do in this regard.  It is important to note, however, that in order to monitor online activity an employer should have a policy in place that clearly states that monitoring may or will take place.  If there is no such policy, in an employee handbook for example, employers should now consider establishing one, and an existing policy should be reviewed in the light of this development.

A statement referring to online activity monitoring should ideally be included in an IT and/or internet use policy.  The Employment Practices Code published by the Information Commissioner's Office (ICO) under the Data Protection Act 1998 gives useful guidance on this matter.  In the light of this ruling, the ICO may need to review its own guidance.

In the policy the employer should be clear about the purpose of monitoring, including its nature and extent and who will carry it out.  In larger companies it would be expected that the IT department would do this, but small businesses will need to identify who will undertake the activity.  The benefits of online monitoring should be set out in the policy, and ideally an impact assessment should be carried out to establish the risks.  Monitoring should not be excessive and should only be done to meet a clearly defined purpose; otherwise employees will come to mistrust their employer's intentions, which is not conducive to a harmonious working environment.

Individuals who undertake the monitoring should be given training that covers maintaining privacy and confidentiality when accessing personal information, and they should have clear written guidelines in this regard.

If monitoring is used to enforce company rules, the policy should link to the disciplinary policy, with the procedure and the sanctions for non-compliance clearly explained.

Employees should be made clearly aware that the policy exists, is being implemented and has been reviewed.  New employees should be informed as part of the induction procedure.  Ideally an employer should obtain explicit written consent to monitoring by means of a consent form.



Data Protection Reform Delayed

The European Council has announced that the EU's data protection reforms will not be adopted until 2015.  The General Data Protection Regulation, which was originally expected to be finalised by May 2014, will introduce a single data protection framework throughout the EU.  It had previously been anticipated that the reforms would be finalised before the European Parliamentary elections in May next year.

The UK's first Data Protection Act, passed in 1984, covered only personal data processed by computer.  It was replaced by the Data Protection Act 1998, which extended coverage to certain structured paper records.  The 1998 Act sets out eight principles that organisations must abide by when processing personal information, which can include names, addresses, dates of birth, bank details, etc.

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The Information Commissioner's Office (ICO) website provides independent advice and guidance about data protection and freedom of information.

The aim is to modernise data protection legislation across the EU.  David Cameron had sought to avoid a deadline being set, as the government fears that implementing the new legislation will damage business through increased costs, but he has now agreed to the 2015 date as a compromise.  Data protection law will then be applied consistently across all member states.



Data Protection Rules to Change

The EU has decided that the UK is being too lax in implementing data protection law, and later this year some key changes are due to take place.  Companies with 250 or more employees must appoint a data protection officer whose role will be to ensure that the personal information of staff and customers is handled correctly.

The Information Commissioner's Office (ICO) has also stated that it will ensure that:

  1. People will have easier access to their own data, and will find it easier to transfer it from one service provider to another.
  2. Users will have the right to demand that data about them be deleted if there are no "legitimate grounds" for it to be kept.
  3. Organisations must notify the authorities about data breaches as early as possible, "if feasible within 24 hours".
  4. In cases where consent is required, organisations must explicitly ask for permission to process data rather than assume it.

From May 2012, organisations that break the rules will face severe penalties of up to £500,000 for companies found to have committed breaches.

Individuals who fail to notify the ICO that they are processing personal information may be fined up to £1,000.