With the introduction of more developing technological advances every day, data protection and privacy have become ever more increasingly important issues, not least in the employment context. In a similar vein, employers are entitled to protect their business and implement certain measures to do so, which recently has included certain types of monitoring, including of employee’s computer systems, social media and even extending to surveillance in the workplace.

A recent report in the Guardian covered technology increasingly used in US businesses to monitor employees' keystrokes, web-browsing patterns, postings on social media and messaging apps.  One business was reported to take photos of employees every 10 minutes through webcams to ensure workers are not slacking off.

This may be acceptable in the US but what is the position here?  Article 8 of the European Convention on Human Rights provides for everyone to have the right to respect for private and family life.  The independent human rights campaigning organisation, Liberty, state that people in the UK today are becoming increasingly concerned about becoming a “surveillance society”, so it is important that these issues are addressed in the workplace and that employees are informed about how and why monitoring is carried out, if at all.

Indeed, how far can an employer go to protect its business before potentially violating employees' human rights under Article 8?

The European Court of Human Rights recently had to consider this in the case of Lopez Ribalda & Ors v Spain. While not a UK case, this judgment could highlight some guidance for employers as to how future cases may be treated in Europe and domestically.

In this case, a supermarket had installed surveillance cameras to address suspected thefts. Some cameras were visible, and were aimed to monitor and detect customer theft which the employees were aware of. However, other cameras were concealed and were aimed at recording theft by employees, particularly at the cashiers. These were not disclosed to the employees, and resulted in several dismissals.   Covert images were taken and relied upon to show that employees were stealing items and helping co-workers and customers to also steal items from the store. Many of these dismissed employees admitted involvement, but later claimed that their employer had breached their rights under Article 8 in addition to various data protection rights.

Initially, the Spanish court held that the measures used by the supermarket were justified, appropriate, necessary and proportionate, and stated that no other equally effective means of protecting the employer’s rights would have interfered less.

However, on appeal the European Court of Human Rights (ECHR) concluded that the employees' Article 8 rights had in fact been infringed, and that video surveillance had been a significant intrusion on their private lives. The ECHR stated that employers have to strike a fair balance between the employees' Article 8 rights and the employer’s interest in protecting its business and property. In this case, it was concluded that the supermarket had not struck this balance.

This follows on from an ECHR decision in December 2017 in the case of Antovic and Mirkovic v Montenegro which concerned the use of video surveillance in the public lecture theatre at Montenegro University to "protect safety of property, people and students".  The cameras recorded lectures and data was kept for a year.  However, the University was required by the Personal Data Protection Agency there to remove the cameras as there were no legitimate grounds for collecting the data - there was no evidence that safety was an issue but the domestic court did not find that Article 8 had been violated.  The ECHR did not agree, ruling that although the University was in the public sphere, business and professional activities are encompasses in the notion of private life.

Compliance with Data Protection Laws

Remember, in order to comply with data protection laws in the UK, employees must be “explicitly, precisely and unambiguously” informed of the existence of a personal data file, and how their data will be held and used. The individual is also entitled to be told why the data is being held and the recipients of the data.

Employers should also be aware of the implementation of the General Data Protection Regulations (“GDPR”) on 25 May 2018, which will be brought into UK law by the Data Protection Bill. The GDPR will implement a single legal framework across the EEA and impose more duties on data controllers, particularly employers, on how they hold and use data and inform the data subjects of its use. The GDPR will also extend the criteria for valid consent. Employers will need to ensure that they are able to rely on a lawful basis for processing data, and also ensure that sufficient privacy policies are in place to enable employees to be clear on their rights.

If you do implement some form of employee monitoring in your workplace, ensure that employees are aware of this and how any information obtained through the process will be used. Be wary of installing any covert surveillance or monitoring devices and think about reviewing your privacy policies and conducting a data protection audit to ensure that your company will be GDPR compliant by its implementation.

This article was written with Becky Minear, Trainee Solicitor