Internal security breaches pose one of the greatest financial and reputational risks for businesses of all sizes, particularly SMEs.
The widely publicised leak of confidential memos sent by Sir Kim Darroch, former British Ambassador to the United States, together with a 2018 report that put the average total cost of insider-related incidents over a 12-month period at $8.76 million, highlights this.
Shaun Hogan and Kate Maguire at Stevens & Bolton LLP explain that, to mitigate these risks, employers must monitor their employees appropriately, so that leaks are avoided or at least detected early.
An employer’s motivation
Safeguarding against leaked information and security breaches is not the only reason an employer may wish to monitor its employees’ use of IT equipment. Monitoring employees can be useful to detect misconduct or criminal activity, protect company IT equipment from viruses, safeguard employees against health and safety risks, and ensure staff efficiency.
These objectives are potentially of particular relevance to SMEs, where margins are often tighter, sophisticated protection is more difficult to justify and business success hinges on a carefully cultivated reputation. With fewer employees, SMEs are arguably more exposed, as employees at all levels may be privy to sensitive information. A leak of confidential information to a competitor can eliminate the competitive edge that information gives the business, seriously damaging an SME’s prospects.
However, employers must operate within a complex legal framework when it comes to monitoring employees and must consider the employee relations risks. Unjustified and intrusive monitoring can negatively impact morale and job satisfaction, leading to high turnover of employees and possible reputational damage.
There is an obvious tension between an employer’s interest in monitoring employees and an employee’s interest in preserving their privacy, and this tension is reflected in the law. The core legal principle in the context of workplace monitoring is that employees have a reasonable expectation of privacy in their personal communications, which includes communications made in the workplace, and that this expectation should not be readily interfered with.
However, this right to privacy is not unfettered. The law acknowledges that a balance must be found between an individual’s privacy rights on the one hand and the rights and freedoms of others on the other. In a workplace context, the rights of others include the employer’s legitimate interests and concerns, such as protecting the company’s reputation and ensuring productivity.
Legal protection for employees
As well as a right to privacy, there are a number of laws in the UK which touch on an employer’s ability to monitor its employees. These include the General Data Protection Regulation (“GDPR”), the Investigatory Powers Act 2016 and the Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping Purposes) Regulations 2018.
Further, a number of unfair dismissal cases in recent years have highlighted the need for employers to take a proportionate approach to monitoring employees and to any disciplinary action taken as a consequence of that monitoring.
Monitoring employees within the legal limitations
The Employment Practices Code published by the Information Commissioner’s Office (the “Code”) covers a range of issues relating to obtaining, retaining, using and disclosing information about employees in compliance with the GDPR. The Code also provides guidance for employers about how to monitor employees whilst operating within the limitations imposed by the GDPR.
The key compliance principles in the Code state that:
- Data protection should be an integral part of employment practice, and employers should develop a culture in which respect for private life, security and confidentiality of personal information is the norm.
- Employers should carry out an impact assessment, considering whether the benefits of monitoring are sufficient to justify any adverse impact on employees and whether the means chosen to monitor are proportionate. If there is a less intrusive way to monitor, that method should be adopted.
- Businesses must take into account the obligations that arise from monitoring, and consider how employees will be notified about the monitoring arrangements, and how information collected through monitoring will be kept securely and handled in accordance with the GDPR principles.
- Employees should be made aware of the nature, extent and reasons for any monitoring, unless, in limited circumstances, covert monitoring can be justified.
- Employers should keep to a minimum those who will have access to personal information obtained through monitoring.
- Information discovered through monitoring should only be used for the purposes for which it was obtained.
In the context of unfair dismissal protection, the courts have provided the following guidance for employers who are considering monitoring and/or dismissing an employee having discovered a breach:
- It is key that employers have an IT monitoring policy in place and bring that policy to their employees’ attention.
- Employers must exercise caution against looking at content which, on the face of it, appears to be personal rather than work-related.
- Employers should not jump to conclusions about unauthorised use of company information, as an employee may have a valid explanation; for example, the use may have been a mistake or may have occurred in an emergency.
Whilst monitoring no doubt has its benefits, it also has the potential to damage employee relations and result in costly and protracted disputes with employees, particularly when it is carried out arbitrarily or without fair warning.
The law relevant to monitoring employees tries to strike a reasonable balance between the two competing interests of the employer and employee. As such, there are very few hard and fast rules to follow in all circumstances.
Nevertheless, taking the time to consider properly whether monitoring is necessary, and how best to carry it out without being unduly intrusive, alongside a well thought-out IT policy that employees are aware of, will go a long way towards protecting against these risks. Employee monitoring is a balancing act and, above all, should be approached with transparency.