Learning Center
Plans & pricing Sign in
Sign Out

monitoring employees emails


									Data Protection Act and Monitoring Internet and E-mail Use

Q. Are there any Data Protection implications to the monitoring of employee
internet and e-mail use?

A. Yes, because monitoring in this way involves the recording of personal
information on workers. The Data Protection Act does not prevent an employer from
monitoring its employees’ internet and e-mail use. It simply requires that such
monitoring is carried out fairly, lawfully and in a manner consistent with Article 8 of
the European Convention on Human Rights, which creates a right to respect for
private and family life and for correspondence. Broadly speaking, the Act requires
that any adverse impact on workers is justified by the benefits to the employer and

Equally, in some circumstances, monitoring internet and e-mail use may be an
important component in protecting systems processing personal information from
damage or unauthorized access (e.g. scanning e-mails for worms and viruses).
Securing personal information from loss, damage and unauthorized use and disclosure
is an important part of compliance with the Data Protection Act.

Part 3 of the Information Commissioner’s Employment Practices Data Protection
Code ‘Monitoring at Work’ is an authoritative source of guidance in this area.

Q. What steps need to be taken to ensure monitoring of internet and e-mail use
complies with the Act?

A. Internet and e-mail monitoring should not be deployed simply because a useful
tool has come to light, or it is perceived to be a ‘good idea’. It should be deployed as
a business response to a particular need or risk, and by someone with appropriate
authorization to make such decisions on behalf of the organization. The key steps to
follow in making the decision to monitor internet and e-mail use are specified below:

Step One- Policy

Ensure workers are aware of the rules about using internet and e-mail. If there is no
clear policy on internet and e-mail in place, then one should be put in place. If there
is a policy in place, check that it is being implemented consistently e.g. a policy which
forbids personal e-mails but in practice permits a low volume of such e-mails is
misleading to staff.

Step Two- Risk Assessment

Perform either a formal or informal risk assessment to decide if or how to carry out
monitoring of internet and e-mail use. An impact assessment involves:

1. Clearly identifying the purposes behind the monitoring arrangement and the
benefits it is likely to deliver.

2. Identifying any likely adverse impact of the monitoring arrangement (on both
workers and others who may be affected by it e.g. external enquirers).

Key issues to consider here include the impact on the worker-employer relationship
and other legitimate relationships such as between trade union members and their
representatives; as well as the impact on any professional obligations of
confidentiality e.g. doctor/ patient.

3. Considering alternatives to monitoring, or different ways in which it might be
carried out.

Key issues to consider here include targeting monitoring to high risk areas only;
limiting monitoring to employees on whom complaints have been received; using
spot checks or audits rather than continuous monitoring; monitoring using automated
software. In relation to e-mail monitoring, the feasibility of simply analyzing e-mail
traffic rather than monitoring the content of messages should be considered, and the
risk that monitoring the content of messages may potentially breach any obligations of
confidentiality e.g. doctor/ patient, given adequate weight.

4. Taking into account the obligations that arise from the monitoring, in particular
informing workers about the monitoring, and handling information collected on
workers through monitoring securely and in accordance with the Act.

5. Judging whether monitoring is justified, in particular that it is a proportionate
response to a real risk, and that workers are being treated fairly.

Step Three- Inform

Once the decision has been taken that monitoring of internet and e-mail use is
justified and is to be deployed, all workers and other potential users of the internet and
e-mail systems must be informed about it. Failure to make all reasonable efforts to
inform users about a potential interception of their e-mail could put the organization
in breach of the Telecommunications (Lawful Business Practice) (Interception of
Communications) Regulations 2000.

Workers need to be informed about:
   The circumstances in which monitoring may take place
   The nature of the monitoring
   How information obtained through monitoring will be used
   The safeguards that are in place to minimize any intrusion on their privacy.

Workers should be reminded about the monitoring arrangements periodically, and
informed about any significant changes to them.

Step Four- Implement Safeguards

Where the monitoring arrangements necessarily involve workers (e.g. IT staff) in
having access to personal information to which they were previously not authorized,
these workers must receive appropriate training in confidentiality, security and the
Data Protection Principles.

Steps should be taken to ensure that any personal information collected as a result of
monitoring internet and e-mail use may be retrieved and provided to a worker making
a subject access request under the Data Protection Act. A retention schedule for
personal information collected as a result of monitoring internet and e-mail use should
also be drawn up and enforced.

Where workers are permitted to use internet and e-mail for personal purposes, they
may have a reasonable expectation of privacy in their use of internet and e-mail in
their ‘private’ capacity. Furthermore, a worker may require a degree of privacy
during their e-mail communications for genuine business reasons e.g. when e-mailing
an occupational health adviser about a health problem. Workers should therefore be
encouraged to label all personal or private messages as such in the subject header.
Accessing the contents of e-mails labelled in this way should be avoided wherever
possible. Such e-mails should only be accessed where there is a pressing business
need and with workers first having been informed that such access is possible.

24 February 2004


To top