Here’s a question raised with us recently by
a reader of Employ!
“I’m the Managing Director of an SME
with employees based across three locations;
we also have sales representatives who work
mainly from home. The business is heavily
reliant on its IT and communications systems
for not only bringing new work to the
business but also interacting with our
customers and managing their orders.
Although I’ve invested in putting in
place contracts of employment and have
introduced restrictive covenants in the
sales representatives’ contracts, I’m
concerned that our business may be exposed
if employees misuse and abuse the systems.
So I’m considering starting to monitor
the use of IT and communication systems, but
I don’t know if this is something that I am
legally allowed to do – what is your advice?
We understand the reasons why you would
like to consider implementing monitoring of
employee IT and communications systems - and
there are a number of other reasons why
companies such as yours may wish to monitor
and record employees using email, telephone
or web browsing.
Your employees are representatives of
your business and any illegal or otherwise
questionable use of such systems could lead
to embarrassment for the company, lead to a
damaged reputation and/or loss of custom.
Further, if not adequately checked, the use
of these systems may lead to potential
liability, for example, copyright
infringement or employee negligence. Also,
you need to ensure that confidential
information and trade secrets are not being
There is a considerable amount of
legislation that needs to be considered.
Firstly, under the Regulation of
Investigatory Powers Act 2000 (“RIPA”), it
is an offence to monitor or record
communications in order to make the contents
of the communications available while being
transmitted to a person other that the
sender or intended recipient.
The Telecommunications (Lawful Business
Practice) (Interception of Communication)
Regulations (2000) (“LBP Regulations”) sets
out when communications can be monitored or
recorded, such as for establishing the
existence of fact, ascertaining compliance
with regulatory or self-regulatory practices
or ascertaining or demonstrating the
standards which are achieved or ought to be
achieved by staff.
As an employer, you must ensure that you
have made all reasonable efforts to inform
every user of the relevant system that
communications may be intercepted.
Monitoring IT and communications in the
workplace is also likely in involve the
processing of personal data and is therefore
subject to the Data Protection Act 1998.
Under the DPA, the processing of personal
data must be “fair” and “lawful”. To be
“fair”, employers should inform employees
of, for example, the method by which
monitoring will take place and the purpose
for which the information is being
processed. You do not necessarily need the
employee’s consent to carry out the
monitoring but unless you do so, you will
need to have some legitimate reason.
So, what measures do you need to think
about to help you comply if you introduce
monitoring of employee’s use of IT and
- Personal data must be obtained only
for specified lawful purposes and must
not be processed in a manner which is
incompatible with those purposes.
- The employees should understand:
> How and why the monitoring takes
> The circumstances in which it will
> The information that will be collected
and how it will be used; and
> Who the information will be disclosed
to. These details should be contained in
an appropriate communications policy.
- You should be proactive in ensuring
that the employees are aware of the
- The data collected should be
adequate, relevant and not excessive for
the purposes for which it is processed.
- Practical example - in relation to
the monitoring of emails, it is more
likely to be proportionate if you
monitor the subject headings of emails
rather than the contents of emails.
- There should be appropriate
technical and organisational measures to
protect the personal data from
unauthorised or unlawful processing and
accidental loss, destruction or damage.
The Information Commissioner’s Code
recommends that an Impact Assessment is
undertaken to demonstrate that the correct
balance exists between allowing staff to
enjoy privacy in the workplace and ensuring
that the interests of the company’s business
Whilst the Code states that there is no
need for the Impact Assessment to be a
formal or complicated exercise, it is
advisable that an assessment is carried out,
recording the process undertaken and its
findings, and writing up the conclusions
found. This will assist for evidential
purposes if required.
It is important that you have a
communications policy in place which
adequately informs your employees about the
monitoring activities and that employment
contracts ensure that employees provide
their consent to such activities where
necessary. If you would like us to assist
you with the communications policy, then we
would be happy to do so.
If you have any queries in relation to
this problem or a question that you would
like to ask the team and share with our
other readers, please send it to us and we
would be delighted to use it in a future
edition of Employ!