Your Thoughts: Sending Private Messages at Work

Your Thoughts: Sending Private Messages at Work

In a case that has, for a decade, surpassed people’s understanding of European human rights and employment law, the tables have now turned.

Last week the European Court of Human Rights (ECHR) ruled that a Romanian man, Mr Bogdan Mihai Barbulescu, should not have been sacked for sending private messages on Yahoo messaging on his work computer in 2007.

Mr Barbulescu’s employer used surveillance software to monitor his computer activity and found him sending private messages, allegedly of ‘intimate nature’, on company time, using company equipment. A Romanian court ruled in 2016 that the company was within its rights to fire him.

The ECHR has now decided that the man’s privacy was not ‘adequately protected’ and the decision cannot be appealed.

Beverley Sunderland, Managing Director, Crossland Employment Solicitors:

This decision reinforces the need for employers to first of all consider why they need to monitor an employee’s emails and what they are trying to protect. The usual reasons for looking at work emails is to ensure that employees are complying with their contracts and their regulation obligations and this is likely to be a legitimate reason. However, to even have the right to look at work emails, the employer must warn employees in advance that this is what they are doing and why.

Although it may be that ensuring an employee is actually working when they are at their desk is a legitimate reason, reserving the right to look at all emails, including private ones, on a work computer is unlikely to strike the required balance between the right to a private life and legitimate interests. A better way would be to tell employees that they should only access private emails or websites during breaks and that their use of the internet would be monitored in terms of time – but not the actual sites or emails. Then, if an employee is on the internet all day, they can be taken to task for this. An alternative way, bearing in mind most employees have smart phones these days, would be to block access to private email accounts and the website on their systems, rather than retaining the right to go into private emails and read them.

It is worth remembering that even though we are leaving the EU, the rights of the European Court of Human Rights are not affected and they will continue to have jurisdiction over the UK even once we have left the EU.

Jo Sellick, Managing Director, Sellick Partnership:

It seems to me that there is still confusion in this particular case about how aware the employee was regarding the fact his employer was monitoring personal conversations, and that is one of the reasons why the ECHR has reversed the original ruling. Aside from the legal implications of this decision, it is important to consider the impact that this kind of ruling has on a firm’s employer brand. Business owners must take a line on where they stand regarding personal communications during working hours and they should ensure this is well communicated to the workforce as part of a clear company policy. If you do decide to monitor all of your employees’ communications during working hours you must have good reasons for doing so and the entire workforce must know that this could potentially happen to them.

From a recruiter’s point of view, I am concerned about the damage to a firm’s employer brand and reputation if members of staff discovered they were being monitored without any prior knowledge. Modern technology makes it easier than ever before to delve into a person’s private life, whether through tracking their devices during working hours or through trawling through a prospective candidate’s social media accounts before they even start working for you. But that does not mean it is the right thing to do. Decide on your position when it comes to these kinds of activities and make sure that your actions fit your company’s ethos and codes of conduct.

From an employee’s perspective, a level of caution is always advisable, whether that’s sense checking any public social media activity to ensure it doesn’t contradict your professional persona, or applying a filter to your conversations during working hours. It would also be worth familiarising yourself with your employer’s policy for monitoring communications during working hours so that it does not come as a surprise to you if they are indeed tracking your conversations. You will then be in a good position to decide whether you are comfortable with that working environment and stance.

Emma Bartlett, Partner, Charles Russell Speechlys:

The impact for UK employers of the ECHR decision of 5th September in relation to Mr Barbulescu’s right to a private life and communications is essentially that workplace monitoring is not a care free matter; a return to greater caution is required. Policies should not be so restrictive as to “reduce private social life in the workplace to zero”. Employers should ensure, firstly, that they have a good business reason to monitor an individual’s communications at work, secondly, that they have provided adequate warning that such communications might be monitored in the workplace and, thirdly, that if personal communications are identified, employers should adopt the least invasive measure with regards to monitoring.

The ECHR would expect adequate notice to be given to employees of any policy warning employees of workplace monitoring. Such policy should not only explain why the monitoring is necessary, but detail how the monitoring might take place and to what extent. In Mr Barbulescu’s case, for example, it wasn’t clear that personal emails accessed by the employer would also be read. Only in exceptional circumstances would an employer need to do so; without serious consideration as to whether reading the email was necessary, the monitoring would be disproportionate and unjustified, breaching the Convention rights.

The ECHR would expect an employer to strike a balance when considering the employee’s right to private life against the employer’s right to monitor email use in order to protect its business. The balance of convenience should not automatically lie with the employer. The UK’s Information Commissioner has already established that an employer should carry out an “impact assessment” before venturing into private data at work. This would include considering any likely adverse impact of the monitoring on the employee, considering alternatives to monitoring and judging whether the monitoring is justified.

The decision provides guidance for UK Courts determining allegations of data breaches by employers as well as breaches of other statutory provisions binding UK employers including the Regulation of Investigatory Powers Act 2000. Irrespective of a Brexit, decisions of the ECHR will continue to impact UK courts.

The ECHR determines applications by any person, group or one or more of the contracting states which allege a breach of human rights. Decisions of the Court can be appealed to the Grand Chamber of the ECHR.

Mr Barbulescu’s case, determined by the ECHR in January 2016, was widely reported in the UK press as giving a charter to employers to snoop on employees’ private emails. The 2016 decision indicated a broader approach could be taken to workplace monitoring, albeit that the employer still had to provide warning to its employees that it would monitor email use and the monitoring needed to be proportionate.

Having appealed to the Grand Chamber of the ECHR for a final determination, Mr Barbulescu was successful. The ECHR concluded that Mr Barbulescu’s human rights had been breached and his right to private life and communications had not been adequately protected by the national state.

Phil Beckett, MD, Alvarez & Marsal:

Whilst the new ruling is a change for an employee’s right to privacy, it does not address another issue at play here – how employees use employer technology. Whilst every employee has a right to privacy, they do need to consider how they’re using said technology, supplied by their employer, and what the consequences could be; as they could unwittingly be putting their organisation at risk.

This case focused on the fact that a member of staff was emailing on work time, and how because of this, the company sacked him. The wider issue, in my view, is the merging of the personal and the business world, and the additional risks that brings into the business domain – through simple access as well as shared credentials and data.

Employees now use multiple devices (laptops, tablets, phones) all of which carry hefty data histories. What’s more, nearly every employee has a personal phone, which comes into the workplace day in, day out. These devices are exposed to high volumes of data which aren’t logged by businesses, effectively meaning rogue data could be floating around unmonitored. With devices increasingly syncing browsing histories – accessing a personal email account on a work computer could lead to work-sensitive browsing data going home with the employee.

This presents firms of all sizes across every sector with a problem: how can the data coming in and going out of the business be tracked? The truth is, it is becoming a near-impossible challenge for firms to track and control data without stringent and immovable rules about how employees utilise technology. Whilst I don’t condone tracking employee behaviour in every situation, it certainly does help trace potential data threats.

For many firms, data is an afterthought at best, with mismanagement common. Data can no longer be overlooked in terms of legal threats – businesses track money that goes in and out and report on it, so it’s time to treat data the same. Whilst the majority of employees can be trusted and would not dream of jeopardising their employer, they may be doing it unwittingly as it’s frighteningly easy to send home documents, share confidential information with others or breach data laws. With the General Data Protection Regulation (GDPR) looming ahead of us next year, legal teams need to think about the wider argument, and where the right to privacy ends and confidentiality begins.

Mark Bland, Partner, Percy Hughes and Roberts Solicitors:

Who would have thought that the case of a Romanian engineer called Bogdam Barbulescu, who was sacked in 2007 for inappropriate use of his Yahoo Messenger account would 10 years later have a significant impact on UK Law.

The European Court of Human Rights has now handed down the decision which despite Brexit votes, will still impact on our Law.

The main issue at stake, in this case, was the conflict that exists between an individual’s right to a private life (protected by The Human Rights Act) and an employer’s right to ensure that workplace rules are being followed. The Courts said that an employer ‘cannot reduce private social life in the workplace to zero. Respect for private life and for the privacy of correspondence continues to exist, even if these may be restricted in so far as necessary’.

The crucial point in the case was that the employer monitored the employee’s account covertly without having warned him beforehand that they might do so. Consequently, the reading of his private correspondence was ruled to be a breach of his right to a private life.

The lesson to be learned by employers is that they must tell employees beforehand that their email and other work-related accounts may be monitored. This warning should be included in all IT policies. Provided that employees are on notice that their accounts may be monitored, then they cannot subsequently complain about intrusion into their private life when they are monitored.

The case highlights the increasingly blurred lines that now exist between work and free time and the use of social media in the workplace.

Dan Begbie-Clench, Partner, Doyle Clayton:

The recent European Court of Human Rights judgment in Barbulescu confirms what many UK employers already practise, but with a twist. It does not prevent employers from monitoring employees’ communications or taking disciplinary action based on what they find, but the ECHR decision does suggest that the nature and content of employers’ prior warnings about monitoring will be reviewed more closely.

Employers do not have free rein to monitor employees’ purely personal communications. This has not changed, and employees are still entitled to expect a degree of privacy even when communicating via work equipment or systems. However, employers can still lawfully monitor employees’ communications if they have good reason – for example, to ensure that the business is running smoothly and that employees are doing their jobs properly – subject to various considerations and constraints.

Despite not dramatically changing the legal landscape, the ECHR’s decision contains some nuances about the constraints under which employers operate when monitoring communications. The case turned on the ECHR’s finding that the employer had not given the employee proper advance warning that it would monitor his communications, and in particular had not told him that the content of his messages would be read. As such, the employer breached his right to privacy when it accessed and read his personal messages.

In the UK we have long understood that employers should give prior notice to employees that their communications might be monitored. The ECHR noted that an employer should explicitly warn employees about certain matters including that communications may be monitored, about the extent of the monitoring (including whether the content of messages will be read) and when it may occur, and the employer should have legitimate reasons to justify monitoring. In many cases, employers will only need to monitor internet/email traffic generally and will have no legitimate interest in the content of the messages themselves, in which case they should limit themselves to monitoring the former.

Many UK employers’ policies warn employees that monitoring will occur, but do not go so far as to set out all of the matters discussed in the ECHR’s judgment. To avert a similar situation, employers would be well-advised to review their policies and contractual terms to ensure that they are up-to-date and reflect these points. Failing to do so might breach employees’ privacy.

We would also love to hear more of Your Thoughts on this, so feel free to comment below and tell us what you think!

Leave A Reply