Why being the staff monitor may not be such a good job
Why are you talking to me about Data Protection again? We chatted about that a few months ago.
Quite right – but this is new. What we spoke about before was the impact of Part 1 of the Employment Practices Data Protection Code (‘the Code’), issued by the Information Commissioner under s51 of the Data Protection Act 1998 (‘the Act’). I told you then that Part 3 of the Code, dealing with the monitoring of staff, was being revised. Well, now it’s newly out, and I thought you ought to know about it.
So what’s this lot all about? What are you calling ‘monitoring’?
It can be lots of things. Obviously, you want to check from time to time that your staff are up to scratch in what they’re doing, and also you’ll want to monitor the conditions in which they work to ensure they’re safe and secure. These days, of course, it can go a lot further, and you can check up on their e-mails, voice mails, and internet usage. You can record their ‘phone calls, and you can film what they’re up to on CCTV. You can even track where their cars are!
Are you saying this new Code means I can’t do any of that?
No. The Code doesn’t outlaw monitoring as such – but what it does say is that you have to have a good reason for doing it; you have to control the way in which it’s done; and you have to be open with the staff as to the sorts of monitoring you’re carrying out, and why. What it is really aimed at is not so much one-off situations, as where you’re undertaking monitoring systematically.
How do I go about it, if I want to do it?
Well, first off, you’ve got to get your own set-up in order. You need to have clear lines of responsibility, from a senior person downwards. Think carefully about what sorts of monitoring you may already be doing, and what you want to do. Check that your registration is adequate for all of that (which you can do off the website www.dpr.gov.uk). Then you’ve got to decide whether any particular form of monitoring can be justified.
What do you mean, ‘justified’? Are you seriously telling me that, if I take a management decision that I think we need it, that’s not enough?
Not unless you’ve gone through the right mental processes in getting to that decision, and can justify it later. You have to carry out a balancing exercise between the benefits to the firm, and the burdens to the staff, so you need to do what they call an ‘impact assessment’, and that means going through five stages:
- Identifying the purpose the exercise is designed to achieve, and what benefits it will bring
- Recognising what adverse impact it may have
- Thinking about what alternative methods you could use to achieve the same end
- Considering the obligations which will flow from a decision to proceed, such as the requirement to notify details of the exercise and handle the information properly
- Finally, reaching your decision as to whether the monitoring can be justified.
The one I’m having trouble getting my head round there is ‘adverse impact’. What sort of things do you mean?
Any sort of monitoring is going to be intrusive in some way or other. You have to consider how great that intrusion may be, and how much it may affect workers’ private lives, not just their roles within the workplace. How much data will have to be seen by others in the firm, who really don’t need to know it, but will see it when collecting the data? What impact may the monitoring have on others, when communicating with the worker, who may have legitimate expectations of privacy, such as their doctors, lawyers, or trade union representatives? Think also of how it will affect the relationship between you and the staff, when you tell them what you are going to do.
Assume I decide to go ahead. How do I set about it?
First off, set up your management systems. We’ve already talked about clear lines of responsibility. That may not be easy, because you are likely to need cross-disciplinary input, for instance from the IT department to set things up, and help from Human Resources – alright, Personnel to you – to process the information once you’ve got it. If you’re going to monitor against a standard, or a policy or procedure, you need to make sure that is up-to-date and accurate, and that everyone knows what it is and how they can access it to check the position. It’s best to consult the staff about what you’re proposing, if you can. Train those staff who will be responsible for implementing the monitoring, not just in how to go about it within acceptable parameters, but also as to what their legal responsibilities are when handling data, with regard to things like confidentiality and security. (That way, you’ve got a better chance of getting off the hook if someone in the process gets it actionably wrong when exceeding their authority, and you can show they were taught the correct approach.)
Right, so I’ve done all that. Then I can go ahead?
Not quite. First you have to inform the staff what you are going to do. That’s not just a vague indication, but a clear statement as to what sort of monitoring you are going to do, what your reasons are, and when you’re going to be doing it. And you have to be realistic as to what you say. If you tell them that no private calls are allowed, and that you’ll be checking to see that the rule is observed, but then turn a Nelsonian blind eye for a few months, before picking up on one individual, you won’t be able to rely on your procedure. Make sure in particular that staff know the consequences that may follow from any breach of the rules you are monitoring. The whole idea is that the environment should be as transparent as possible.
And if I find that the blighters are in breach? What then?
Don’t go off the deep end. Tell them what you’ve found, and let them have the chance to give you some explanation. Check that your system is giving correct information, and think if it is possible that you’ve misinterpreted it. Be open.
Well, there’s one consolation. I think I’ve got a particular problem with agency workers. At least I don’t have to worry about applying this to them.
Wrong! It applies to pretty well everyone in the office – temporary staff, agency staff, contract staff, even the kids on work experience. In fact, the only people it doesn’t cover, so far as I can see, are your partners – but from what you’ve told me you know all about them anyway!
You know, it’s amazing what this sort of exercise can throw up. Last time I did anything like this, I was checking for private use of the ‘phone, but I found one chap was giving away confidential information. He didn’t last long!
Not good on your part, I’m afraid. The basic rule is that you shouldn’t be doing a trawl for information generally. You should, as notified to the staff, be looking for specific data. If you find something else, you may well be in trouble if you use it. It is only if a reasonable employer could not be expected to ignore the information that you can still use it. That’s really only things like criminal activity, gross misconduct, or breaches of health and safety rules. You might have got away with it in the particular case you mention, but you’ve got to be very careful.
Well, it was a few years ago. But at least it led me to issue a policy for the use of things like e-mails and voice mails, as well as the ‘phone. I’m sure I’ve got a copy somewhere.
I wouldn’t bother looking too hard for it. It’s probably hopelessly out of date by now, and in any event unless it is properly communicated to staff you won’t be able to rely on it. Much better to do a new one.
OK. As long as it complies with this Code, that’s enough, is it?
No, I’m afraid not. It also has to comply with the snappily-titled Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, made under the Regulation of Investigatory Powers Act 2000. The idea is that this Code harmonises with those Regulations, but each stands in its own right. You’ll need to look at both when you’re writing your policy, and I’m sorry that I haven’t got time to deal with it all now.
I know that, but at least you could give me a steer.
It needs careful thought about the definitions involved, particularly where it gets to dealing with ‘interceptions’ of communications. For instance, if you look at an incoming e-mail before the addressee has read it, that’s an interception, but if you wait until it’s deleted or stored by him, and then look at it, it’s not. Don’t blame me, I didn’t draft it! The point is, you need a decent, accurate policy, that you can communicate clearly, and which interferes with privacy to the minimum practical extent. For instance, if e-mails are headed ‘personal’ or the like, think about whether it is sufficient for you to read just the heading, not the whole message; or if you’re going to have to access someone’s e-mail inbox or their voice mails while they’re away, make sure they know you’ll be doing so, and may inadvertently pick up some personal messages.
What about recordings? I’ve thought about getting CCTV in as we had a couple of thefts a few months ago, and I’ve considered recording clients’ calls in case there’s a complaint later.
As far as CCTV is concerned, there is a separate specific Code applying to that, but this one has some relevance. The basic principles apply – being specific, telling staff where and when you’ll be monitoring, handling the records properly etc. Privacy is again a big element, and you shouldn’t look to monitor where people will expect to be private – which may even include their own offices, if you haven’t gone open plan. As far as audio monitoring is concerned, it can be done if you pass all the normal tests, and comply as I’ve outlined, but you’ve also got to consider the third parties involved. How are you going to tell the clients you’re going to be taping their calls?
You’ve talked about telling the staff everything I’m doing. What if I really want to do it without letting them know, so I can catch them at it!
It’s everything I’ve said, only more so. The decision to engage in covert monitoring must be at the most senior level, and strictly targeted at a particular problem within a set timeframe. The same comments as above, in relation to private areas, apply. Really, you should only be looking at covert monitoring where there is a major concern about criminal activity or similar wrongdoing.
You mentioned something about cars. What’s that all about?
I’m glad you asked. This is my favourite bit. You know you can have trackers fitted now? Well, if you supply a car, and you want to know what the employee is doing with it, you can do so, if you can jump through all the hoops we’ve talked about. The only snag is that, if the employee is allowed to use it for private purposes as well, he’s supposed to have a ‘privacy button’ which allows him to switch the tracker off. I know, cloud-cuckoo land, isn’t it!
What happens if I get it wrong?
The risks are that you commit a criminal offence under the Act, and that the Courts can award compensation to any individual for any damage caused to them by a failure to comply, and also for any distress caused to them.
Where can I find out more?
The website’s your best bet, at www.informationcommissioner.gov.uk. The Code comes as one document, then there’s a Supplemental Guidance document which you’ll need as well. Happy reading.
Simon Young MBA is a solicitor and management consultant.