Many employers have at some time or another harboured a suspicion that employees may be abusing their use of work facilities, such as surfing the net during work time, making personal phone calls or sending personal e-mails.
The law is clear: an employer may not listen in on an employee's calls or access personal e-mails without the employee's permission. Both the Data Protection Act 1998 (DPA) and the Regulation of Investigatory Powers Act 2000 (RIPA) expressly forbid such activity, other than in extremely narrow circumstances, such as the pursuit of a criminal investigation.
Recent cases have also confirmed that 'telephone tapping' constitutes a breach of an individual's human rights. However, what many employers may be less clear about is the extent to which personal use of work telephones and computers can be monitored in other, less intrusive ways.
According to a recent decision given by the European Court of Human Rights (ECHR), a college breached an employee's right to privacy by monitoring the extent of her personal internet usage, e-mails and telephone calls. Ms Copland was awarded damages of €3,000 and €6,000 in court costs and expenses as a result of her success.
The European Convention for the Protection of Human Rights and Fundamental Freedoms ('the Convention'), which the UK has now implemented in the form of the Human Rights Act 1998 ('the HRA'), provides that:
'Everyone has the right to respect for his private and family life, his home and his correspondence.' (Article 8(1))
'There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.' (Article 8(2))
The acts complained of by Ms Copland occurred prior to 1999. Consequently, the HRA, which came into force on 2 October 2000 and enables claims for breaches of Convention rights to be brought in the UK, was not in force. At that time, therefore, Ms Copland had to bring her claim at the ECHR in Strasbourg. Were her claim to arise now, she could pursue her allegations under the HRA through the English courts.
The College's suspicions
Ms Copland was the personal assistant of the College Principal. During her employment, her telephone, e-mail and internet usage was subjected to monitoring to ascertain whether she was making excessive use of College facilities for personal purposes. The monitoring of telephone calls included analysis of College telephone bills, showing telephone numbers called, the dates and times of the calls and their length and cost. The monitoring of internet usage took the form of analysing the websites she visited, the times and dates of the visits and their duration. E-mail monitoring took the form of analysis of Ms Copland's e-mail addresses and dates and times at which her e-mails were sent.
Significantly, there was no policy in force at the College regarding the monitoring of telephone, internet or e-mail use by employees. On discovering what had taken place, Ms Copland alleged that the monitoring activity amounted to an interference with her right to respect for private life and correspondence under Article 8.
According to case law, telephone calls from business premises attract rights of privacy and fall within the recognised notions of 'private life' and 'correspondence'. It followed logically that e-mails and internet usage should be similarly protected.
The ECHR found it to be of particular significance here that Ms Copland had been given no warning that her communications and internet usage would be monitored. Accordingly, she would have had a reasonable expectation of privacy. The Court therefore concluded that the collection and storage of personal information relating to Ms Copland's telephone, e-mail and internet usage, without her knowledge, amounted to an interference with her right to respect for her private life and correspondence, in breach of the Convention.
The Court reasoned that the fact that the data might have been legitimately obtained by the College (in the form of telephone bills) was no bar to finding an interference with rights guaranteed under the Convention and that the storage of personal data relating to the private life of an individual also fell within the application of the Convention. It was irrelevant that the data held by the College was not disclosed or used against Ms Copland in disciplinary or other proceedings.
Furthermore, the ECHR had to consider whether the College had a defence to this finding and whether it could argue that the 'interference' was 'in accordance with the law'. However, no such defence was found to be available. This was because Ms Copland's complaint related to activities that pre-dated the introduction in the UK of regulatory controls against such monitoring and the interception of telephone calls (such as RIPA and the Telecommunications (Lawful Business Practice) Regulations 2000).
This decision confirms that the protection of human rights applies to telephone calls made from a place of work and also to e-mail and internet usage in a work setting. That finding is perhaps unsurprising. However, a particularly interesting finding in this case is that the ECHR held that the mere storage of data relating to an employee's telephone, e-mail and internet activities was covered by the Convention.
Since Ms Copland's case arose, a number of safeguards against intrusions into individual privacy have been implemented in the UK. RIPA, for example, now prohibits the interception or monitoring of communications 'in the course of transmission', such as listening in on telephone calls, unless the person has given consent or special circumstances apply. Even in the limited circumstances where consent can be avoided, an employer must make all reasonable efforts to inform an employee that interception may take place.
The College had clearly not obtained Ms Copland's consent to monitor her communications. Nor had it put in place any policy or informed her of the possibility that her communications would be monitored. Therefore, even had RIPA been in force at the material time, it is unlikely to have affected the decision of ECHR in this case.
Data protection legislation, too, has been significantly revised since Ms Copland's case. The provisions of the DPA (which came into effect on 1 March 2000) would no doubt have been considered by ECHR, had the facts of Ms Copland's case occurred later. The DPA imposes various obligations on those who collect, make use of or store personal data, collectively referred to as 'processing' data. An important aspect of these obligations is that the individuals about whom data is collected give their consent or, in the limited circumstances where consent is not required, are aware that their data is being processed.
Impact on institutions
Although public sector employees like Ms Copland can now sue their employer directly under the HRA (in the High/county courts but not employment tribunals), the same right does not extend to private sector workers. A private sector employee cannot bring a claim against an employer, alleging that the employer has breached a right to privacy under HRA. Any such claim would need to be couched in terms of an alleged breach of RIPA or DPA.