ECHR Ruling: Employers Can Read Employees’ Private Messages

laptop-and-mail-100125686

Source: Free Digital Photos/Renjith Krishnan

In a landmark case the ECHR (European Court of Human Rights) have deemed that employers can read employees’ private messages whilst they are work.  This has implications for UK employees who use Facebook, Twitter and other social media platforms to communicate with family and friends during their working day and highlights the increasing blur between workplace privacy as working hours become longer.

The case was taken by a Romanian engineer who messaged his partner on a private messaging platform.  His employment was terminated by his employer who had a policy in place that banned staff from its employees making use of company resources for personal use.  The employer had accessed his private messages on Yahoo as he also used this medium for work-related messages.

The ECHR decision goes to the heart of the employment contract with the implied term that in exchange for wages an employee commits the whole of their time to the employment for which they are being paid.

Some legal experts have warned that even after work hours have ended an employee should not use private messaging platforms for personal use with company smartphones, tablets or laptops.

Many employees may now assume that their employer could monitor their online activities whilst in work and should seriously consider what they do in this regard, however, it is important to note that in order to undertake monitoring of online activities, a policy should be in place that clearly states that this may or will take place.  If there is no policy in an employee handbook for example, employers should now consider the need to establish this.  An existing policy should be reviewed in accordance with this development.

A statement referring to online activity monitoring should ideally be included in an IT and/or internet use policy.  An employment practices code linked to the Data Protection Act 1998 published by the Information Commission gives useful guidance on this matter.  In the light of this ruling, the Information Commission may need to review its own guidance now.

In a policy the employer should be clear about the purpose of monitoring including the nature, extent and who will be doing the monitoring.  With larger companies it would expected that it would be done by the IT department but small businesses would need to identify who would undertake the activiiy.  The benefits of online monitoring should be included in the policy and ideally an impact assessment done to establish the risks.  Monitoring should not be excessive and should only be done to meet a clearly defined purpose otherwise employees will develop mistrust of their employers intentions which is not conducive to a harmonious working environment.

Individuals who are undertaking the monitoring should be provided with training that includes maintaining privacy and confidentiality if accessing personal information.  These individuals should have clear written guidelines in this regard.

If monitoring is to enforce company rules a link to the disciplinary policy should be stated with the procedure clearly explained along with sanctions for non-compliance.

Employees should be made clearly aware that the policy is being implemented or exists and has been reviewed. New employees should be informed as part of an induction procedure. Ideally an employer should get explicit written consent to monitoring in writing by implementing a consent form.