Data Protection,Workplace,Privacy,Employment Contract- Myles & Co. Solicitors.

Surveillance of electronic communications in the workplace -Information
In a time of unprecedented technological change, many employees working in Ireland have access to e-mail and the Internet at work. Primarily, these facilities are provided by the employer to facilitate work practice; but some employers also allow employees use e-mail and Internet access for limited personal use. However, the issue of the use and surveillance of electronic communications in the workplace raises important issues regarding data privacy for both the employer and employee.
These data privacy issues, in particular, affect the issue of surveillance of the use of electronic communications at work. This document gives an overview of the current rules in place regarding data privacy and surveillance and explains the rights and entitlements of both the employer and employee.
In 1995, the European Commission produced a Data Privacy Directive (95/46/EC), which sets out that Member States of the European Union shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data. This Directive was then in turn interpreted into Irish law through the Data Protection Amendment Act, 2003. While the Data Protection Acts 1988 and 2003 set out the rights and entitlements of citizens in Ireland regarding the issue of data privacy, the issue of surveillance of electronic communications in the workplace is not specifically legislated for. (In other words, the monitoring by the employer of e-mail and Internet use by workers is not currently explicitly covered by Irish data protection law). The European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003 (SI 535/2003) introduces provisions relating to the confidentiality of communications.
However, under Article 29 of the European Directive 95/46/EC, a working group of Data Privacy Commissioners was established to examine the issue of surveillance of electronic communications in the workplace. In addition, this group evaluated the implications regarding data privacy for employees and employers. This Working Group then produced a comprehensive reasoned opinion (PDF) on this issue . While the issue of surveillance and monitoring of electronic communications has not yet been tested in the courts in Ireland, the views expressed in the reasoned opinion are largely in line with the opinions of the Data Protection Commissioner in Ireland.
While employees in Ireland have a legitimate expectation of privacy in the workplace, this right must be balanced with the rights and interests of the employer. (In particular, the employer's right to run their business efficiently and above all, to protect themselves from any liability or harm an employee's actions may create). While a monitoring policy may be considered convenient to service the employer's interests, it must be clear that the employer's interest cannot justify an intrusion on an employee's privacy.
Obligations on employers - statements of policy
Employers must provide workers with a readily accessible, clear and accurate statement of policy with regard to e-mail and Internet use in the workplace. This should clearly describe the extent to which the employees can use communication facilities owned by the company for personal/private communications. For example, the policy may place a limitation on the duration and times of use.
If surveillance or monitoring of communications use is to be carried out, the reasons and purposes for which this will be undertaken must be made clear to employees. Where an employer has allowed the use of the company's communications facilities for private use by employees, such private communications may be subject to some surveillance, for example, to ensure adequate virus checking.
Details of surveillance measures to be undertaken must be clearly identified, for example:
Who in the workplace has responsibility for surveillance? How is it undertaken? What type of surveillance is carried out? When will surveillance take place?
All these issues should be addressed and included in the employer's policy.
In the event of a breach of internal electronic communication use, the employer must have set out enforcement procedures in the company policy. In addition, the employer must have clearly set down the opportunities given to employees to respond to breaches of policy. From a practical point of view, it is strongly advised that the employer immediately informs the worker of any misuse of electronic communications that is detected, unless important reasons justify the continuance of the surveillance. Employees can be informed through software such as pop-up warning windows.
Employers may find it useful to consult with worker representatives (i.e., trade unions) before introducing worker-related policies.
Monitoring of e-mail systems
The employer must be clear about their e-mail and Internet policies and these policies must be clearly communicated to employees. No covert e-mail monitoring is allowed by employers, except in a cases where specific criminal activity has been identified and the surveillance is required to obtain evidence and subject to the respect of legal and procedural rules. (For example, if the employer or police suspects that an employe is using workplace e-mail and the Internet contrary to the provisions of the Child Trafficking and Pornography Act 1988.
Before implementing any e-mail monitoring policy in the workplace, employers must ask themselves:
Whether the workers know that the e-mail will be monitored Whether the monitoring is necessary. Could the same results be achieved with traditional methods of supervision? Whether the proposed processing of personal data is fair to employees Whether the monitoring is in proportion to the concerns it tries to address.
The monitoring of e-mails should, if possible, be limited to traffic data on the participants and time of a communication rather than the contents of communications if this would be sufficient to allay employers concerns.
If access to an e-mail's content is absolutely necessary, the employer should take into account the privacy of people outside the organisation receiving the e-mail as well as those inside. The employer, for instance, cannot obtain the consent of people outside the organisation sending e-mails to its workers. The employer should make reasonable efforts to inform people outside the organisation of the existence of monitoring activities to the extent that these people could be affected by them. An example could be the insertion of warning notices regarding the existence of the monitoring systems, which may be added to all outbound e-mails from the organisation.
Privacy in the workplace
Employees in the workplace in Ireland have a legitimate right to a certain degree of privacy in the workplace. However, their right to privacy must be balanced with the legitimate rights and interests of the employer. (For example, the right of the employer to run their business efficiently and effectively and to protect himself or herself from any harm the worker's actions may create).
These rights and interests constitute legitimate grounds that may justify appropriate measures to limit the worker's right to privacy. The clearest example of this would be those cases where the employer is victim of a worker's criminal offence.
However, balancing different rights and interests requires taking a number of principles into account, in particular, proportionality. It should be clear that the simple fact that a monitoring activity or surveillance is considered convenient to serve the employer's interest would not solely justify any intrusion in into a worker's privacy. Before being implemented in the workplace, any monitoring measure must pass a list of tests, which are extensively detailed in this working document.
Accuracy and retention of personal data relating to e-mail or Internet use
Any personal data from or related to an employee's e-mail account or his or her use of the Internet that is legitimately stored by an employer must be accurate and up to date and not kept for longer than necessary. Employers should specify a retention period for e-mails in their central servers based on their business needs and have procedures in place to ensure that retention period is not exceeded.
The employer must put in place appropriate technical and organisational measures to ensure that any personal data it holds is secure and safe from outside intrusion.
Internet use policies
The report of the working group of Data Privacy Commissioners recommends that the any Internet use policy should contain, at the minimum, the following elements:
The employer must set out clearly to employees the conditions under which private use of the Internet is permitted as well as specifying material that cannot be viewed or copied. These conditions and limitations must be explained to employees. Employees need to be informed about the systems implemented both to prevent access to certain web sites and to detect misuse. The extent of such monitoring should be specified, for instance, whether such monitoring may relate to individuals or particular sections of the company or whether the content of the web sites visited is viewed or recorded by the employer in particular circumstances. Furthermore, the policy should specify what use, if any, will be made of any data collected in relation to who visited what web sites. Employees should be informed about the involvement of their representatives, both in the implementation of the policy and in the investigation of alleged breaches.
(http://www.oasis.gov.ie/).

If you wish to obtain legal advice in relation to an employment law matter, please click on the link to Fill Out the Employment Law Form

Contact us by e-mail info@my-solicitor.net,

Or click on the book a call image (above left) , and we will call you.