Employer's guide to monitoring communications data
While companies are within their rights to monitor employee communications, they must take care to act in the correct manner and to have the correct permission from employees to do so. This guide explains how and when monitoring is appropriate.
Types of monitoring
The main ways of monitoring employee communications are by checking emails, internet use and telephone use. When monitoring email use, the content, destination and number of emails are usually checked. For internet use, websites visited and browser history are usually examined. Duration and content of phone calls may also be examined.
Spot checks may also occur, although these usually examine communications statistics across a company rather than checking one individual’s usage.
The law relating to monitoring communications
The Telecommunications Regulations 2000 allow employers to monitor employees without the employee having given their consent first. However, the monitoring must serve one of the following purposes:
- If an employer believes that the employee is doing something they shouldn’t
- If an employer believes that the employee may be involved in criminal activity
- If an employer is acting in the interest of national security
- To maintain the standards of communications systems (e.g. detecting viruses)
- For quality control, business continuity or regulatory compliance purposes
- If the employer must monitor business transactions.
However, employers must always take reasonable steps to inform their employees that their communications may be monitored. Employers must also take note of the Data Protection Act 1998 (DPA) – intercepting emails would be considered a form of data processing and therefore be regulated by this act.
Lucy Pakes, Senior HR advisor, PicassoHR, told inspiresme.co.uk: “Employers often think that they have the right to read any personal electronic communications conducted by employees on a work computer. The Telecommunications Regulations 2000 and the Data Protection Act 1998 greatly restrict employers’ rights in this area and great care must be taken to avoid potentially expensive court claims.”
The employer must consider whether intercepting emails would be an unnecessary invasion of privacy and should:
- Spot check communications rather than monitoring them continuously
- Only monitor high-risk areas whenever possible
- Monitor traffic data instead of email content
- Automate monitoring wherever possible to avoid content becoming available to third parties
Communication monitoring policies
According to the Code of Practice relating to the DPA, one of the primary benchmarks that employers must meet is to establish an electronic communications policy, which must be communicated to employees. This is directly in line with the DPA’s rules.
If an employer does not introduce a policy, they may have trouble with employees when it comes to acceptable use of the internet at work. In the past there have been cases where employees have been able to claim unfair dismissal after being fired for looking at what would widely be considered inappropriate material at work, because the employer had not introduced a communications policy.
A policy should:
- Be in writing and be clearly communicated to all employees
- Describe acceptable use of email and the internet
- Specify prohibited uses and access areas
- Explain what, if any, monitoring of electronic communications will take place
- Describe privacy rules in relation to other employees and the employer’s right to monitor
- Explain when dismissal will be appropriate in the case of breaking the guidelines
Lucy Pakes added: “Employers should also make sure all employees are aware of the policy and what it means in practice. The policy should be discussed with new employees during induction and managers should be trained to know what they can and can’t do in terms of monitoring.”