This article was written by Lucy Bone for the Practical Law Employment Blog and has been reproduced with the permission of the publishers. For further information visit www.practicallaw.com or call 020 7542 6664.
Two recent decisions of the European Court of Human Rights (ECtHR) have considered how the privacy rights of employees can be protected during covert disciplinary investigations. Here we explain those cases and the guidance that can be taken from them.
Barbulescu v Romania  IRLR 1032 considered the investigation of an employee’s personal emails. Mr Barbulescu’s employment contract forbade any personal use of the employer’s computer system. Contrary to this, Mr Barbulescu had used a Yahoo Messenger account intended for client communications for personal messages. When asked about this, he lied and stated that he had used Yahoo Messenger only for work purposes. The employer then produced a 45 page transcript of messages sent to his brother and fiancée, including messages of an intimate nature and messages addressing medical issues. That transcript was read by numerous colleagues involved in the disciplinary process.
In September 2017, the Grand Chamber of the ECtHR held that this was disproportionate and a breach of Mr Barbulescu’s Article 8 right to privacy.
The ECtHR confirmed that “private life” within the meaning of Article 8 is a broad term, not susceptible of exhaustive definition, and held that the concept of private life may include professional or business activities and activities taking place in public. It expressly ruled that emails sent from work are protected under Article 8, as well as information derived from monitoring an employee’s internet use.
Stating that “proportionality and procedural guarantees against arbitrariness are essential”, the court set out factors to be taken into account when reviewing measures taken by employers:
In Lopez Ribalda v Spain, heard by the ECtHR in December 2017, supermarket cashiers were suspected of theft. The employer set up cameras which it told the employees about, and additionally put in place hidden cameras. The camera footage showed the cashiers stealing and was relied on by the employer first to dismiss them, and later as evidence to justify their dismissals to the Spanish employment tribunal. The employees contended that their Article 8 right to a private life was infringed by both the video surveillance itself and its use by the employer in deciding to dismiss them.
The ECtHR readily found that covert video surveillance was a “considerable intrusion” into the employees’ private lives, as it was a recorded and reproducible documentation of their conduct at work which, being contractually obliged to go to work, they could not evade.
The ECtHR took into account that the data obtained from the cameras entailed the processing of personal data, thus engaging data protection legislation and the requirement to obtain consent. The fact that the employees had a right to be informed of the existence and purpose of the video surveillance under the data protection legislation meant that they also had a reasonable expectation of privacy for the purposes of Article 8.
In ruling that covert surveillance was not a proportionate means of protecting the employer’s legitimate aim of preventing theft, the ECtHR took several factors into account:
Implications for employers
Neither decision imposes a ban on monitoring or even covert surveillance. Although investigating misconduct is a legitimate aim, both cases show clearly that even criminal misconduct will not justify excessively intrusive investigations.
Good policies are, as ever, the starting point. Policies should address internet usage, potential monitoring, any surveillance measures and the employee’s rights. Employers who have CCTV or other recording systems should have a clear policy explaining the nature and extent of recordings and the employee’s rights. It is always helpful to provide employees with a point of contact for any queries.
Note that, once the GDPR is introduced on 25 May 2018, employers will not be able to rely on blanket contractual consents to the processing of personal data. Instead, employers will have to justify processing on other grounds, including the legitimate interests of the business.
There are several points to be extracted from these judgments for employers embarking on an investigation in relation to suspected misconduct:
Further guidance can be obtained from the Information Commissioner’s Employment practices code.