How can an employer allow managers to monitor internet usage, without breaching any data protection principles? Esther Smith and Martin Brewer provide some legal advice.
We have been asked whether the IT department can make available to managers access to internet monitoring within the workplace, therefore allowing them to view internet usage by their staff. I have read several articles on internet usage policies, but nothing covers the Data Protection Act (DPA), and whether this could be deemed as breaching such an act.
Esther Smith, partner, Thomas Eggar
There are various pieces of legislation that cover the issue of monitoring employees, including the DPA, but also the Regulation of Investigatory Powers Act and others.
Without going into immense detail about the various pieces of legislation, the general principle is this: An employer can monitor email and internet use for the purposes of upholding internal policies and procedures (so this would be your internal internet and email use policy, and your disciplinary policy) and for training purposes (as with the call centre type situations).
However, you should be informing employees of the fact that you will be monitoring, and why, so that employees are aware. If you do not have an internal policy regarding the use of the communication systems you ought to put one in place and ensure that it provides that the employer will monitor.
If you comply with these guidelines there will be no breach of the data protection principles.
Esther Smith is a partner in Thomas Eggar’s Employment Law Unit. For further information, please visit Thomas Eggar.
* * *
Martin Brewer, partner, Mills & Reeve
The DPA does not prevent monitoring but you must consider, and be able to justify, the adverse effects of monitoring on employees against the benefit to you as the employer.
The information commissioner uses the term ‘impact assessment’ to describe the process of making a decision about monitoring. An impact assessment needs to consider such things as the purpose of the monitoring, any adverse impact on staff, alternatives to monitoring and justification for it.
There are two other important things to bear in mind. First, if you allow reasonable personal use of the internet, during lunch breaks for instance, staff will have a reasonable expectation of privacy about that unless you tell them otherwise. Thus staff should know that their internet use may be monitored. Second, you need to decide how you will collect, collate and store the information and who will have access. Here you will need to take advice on the effects of the DPA because handling the data is ‘processing’ for the purposes of the DPA.
* * *