Employee monitoring and surveillance: Barclays calls ‘time’ on its time-tracking of employees
Employee monitoring and surveillance can be a thorny issue. Some monitoring of employee activity may be required for reasons of security or to protect an employer’s resources from abuse. However, while an employer may justify a monitoring measure on the basis of economic imperative, it could also be viewed by its employees, the public or the courts as unjustified snooping.
Indeed, Barclays bank announced last month that it was scrapping a system that tracked the time employees spent at their desks, following a backlash from staff. Its activity-monitoring system analysed the time an employee spent using various computer applications. Warnings were then sent to the employee and their manager if they spent too long on breaks.
Technological advances and innovations make it easy for employers to keep tabs on employees. Yet there is no data privacy law in the UK specifically governing the monitoring and surveillance of employees at work. This can make it difficult to determine the lawfulness of any intrusions arising from an employer’s surveillance measures. That said, some guidance can be found in the regulatory frameworks that overlap the issue, as well as in the jurisprudence of the European Court of Human Rights and the common law.
In the first instance, the duty of trust and confidence implied into an employee’s employment contract may be relevant. Reading the contents of emails which are clearly personal without good reason would arguably constitute a breach of this duty and violate an employee’s right to privacy. This, in turn, could lead to a claim for unfair or constructive dismissal from an affected employee.
The European Convention on Human Rights is also likely to be relevant. The Human Rights Act 1998 incorporates the Convention into UK law, and courts and tribunals must therefore interpret all legislation consistently with the relevant Convention rights, so far as is possible. For example, when construing whether an employee was unfairly dismissed under the Employment Rights Act 1996.
The European Court of Human Rights has developed a test of ‘reasonable expectation’ to assess privacy violations in the workplace under Article 8 (respect for private and family life). The test, simply put, is whether an employee had a reasonable expectation that their privacy would be respected and protected when at work.
The Court’s application of this test in certain surveillance cases should highlight to employers the importance of monitoring and surveillance clauses in employment contracts, which accurately set an employee’s privacy expectations. However, the test was given an interesting twist by the Court in its 2017 decision in Barbulescu v Romania (61496/08).
In Barbulescu, the employer warned its employees repeatedly that they were prohibited from using their work computers for personal purposes and that misconduct would be “monitored and punished”. Its employees therefore had no reasonable expectation of privacy when using their work computers.
The Court ultimately left open the question of whether the employer’s restrictive regulations left the applicant with a reasonable expectation of privacy. Yet, while acknowledging the applicability of the reasonable expectation test, the Court nonetheless held that the employee’s Article 8 right was breached when his employer dismissed him for sending personal messages from his work computer.
Barbulescu may be viewed as a victory for privacy by some, but what actually emerged from the case is a more muddled principle. That being that an employee’s right to privacy is defined by his or her reasonable expectation of privacy in the workplace, albeit an employer “cannot reduce private social life in the workplace to zero”. In other words, when an employee cannot reasonably expect privacy in the workplace, the test for an employer’s interference isn’t that of ‘reasonable expectation’ at all. The Court’s judgment thereby complicates matters for employers considering monitoring and surveillance technologies, not least when drafting employment terms around such.
Returning to Barclays, its scrapped surveillance system doesn’t neatly fit the fact pattern of Barbulescu, as the employer in Barbulescu actually read the personal communications of the employee concerned. The Court thus focused its Article 8 analysis on the employee’s private life and how the employer’s interference would prevent the employee from establishing and developing personal relationships.
The technology that Barclays implemented monitored employees’ activities, rather than providing a window onto their personal correspondence. However, this software can also technically report details of the websites that employees visit, and this may be enough to bring such surveillance techniques within reach of the approach taken in Barbulescu—particularly if this information is used to restrict an employee’s access to the Internet and inhibit the development of their ‘social identity’.
Notwithstanding this, the data that Barclays captured was able to be analysed and reported at the level of an individual employee. As such, it was information relating to an identified or identifiable natural person. That is to say that it was ‘personal data’ in the terms of the General Data Protection Regulation (GDPR), and Barclays processing of it was thereby subject to the GDPR.
The GDPR does not prohibit an employer from monitoring its employees per se. However, it imposes a duty on an employer to ensure, among other matters, that there is a lawful basis for its processing of any personal data it obtains. The GDPR is therefore likely to be highly relevant to the lawfulness of employee monitoring measures. Furthermore, under the GDPR, employees acquire certain rights to their personal data, such as the right to rectification.
For example, if Barclays’ monitoring software recorded an employee as absent on a break when they were in fact at a team meeting, GDPR Article 5(1)(d) might kick in. This provides that “[E]very reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”. From this it becomes clear that review and rectification procedures must feature among an employer’s considerations when assessing employee monitoring technologies.
GDPR aside, employers must also be mindful of their obligation to make reasonable adjustments for some employees, and this could impact how any employee monitoring system is implemented and configured. Some employees may need more frequent or longer bathroom breaks, for example, owing to (say) disability or age. Technology that interferes with this need could lead to a claim from an employee for unlawful discrimination or for failing to make reasonable adjustments under the Equality Act 2010.
Employee monitoring and surveillance is a complex issue. While some principles for its lawful deployment can be discerned from the above, the reaction to Barclays’ system highlights that the risks of getting it wrong may be greater than just legal liability. Poorly thought through deployments can also lead to reputational damage, as well as a breakdown of trust between employers and employees.