· Features

The truth behind the headlines: it's still not legal to snoop on staff

Contrary to some reports, the case does not set a precedent for employers to monitor, carte blanche, employees' private messages

Employment law rarely makes front page news. But a recent decision by the European Court of Human Rights (ECtHR) on workplace monitoring has captured the attention of the global press, with many reports suggesting that employers now have free rein to monitor employees' personal emails and private messages.

Contrary to the headlines, however, the decision of Barbulescu v Romania does not quite give employers the green light to snoop on their staff. It follows established principles on individuals' rights to privacy in the employment context, with the decision a healthy reminder of the need for well-drafted policies to allow the monitoring and review of employees' personal use of company IT systems.

The case involved Bogdan Mihai Barbulescu who was employed by a private company in Romania. At the request of his employer he set up a Yahoo Messenger account so that he could respond to client enquiries. During a period of monitoring the employer uncovered personal use of the Yahoo account, in breach of company regulations that expressly prohibited the use of company computers for personal purposes. He was subsequently dismissed.

Following unsuccessful challenges to his dismissal in the Romanian courts, Barbulescu appealed to the ECtHR, alleging that the dismissal breached his right to respect for his private life and correspondence under Article 8 of the European Convention on Human Rights. The ECtHR considered whether Barbulescu had a reasonable expectation that his communications would not be monitored, and if so, whether his employer could only interfere with his privacy if it had a legitimate reason and the interference was no more than necessary.

While the ECtHR accepted that there had been an interference with Barbulescu's 'private life' and 'correspondence' within the meaning of Article 8, it concluded that there had been no violation of the Article since his employer's monitoring had been limited in scope and was proportionate in the circumstances. The EctHR held that is not unreasonable for an employer to want to verify that its employees are completing their professional tasks during working hours. Barbulescu's employer had accessed his Yahoo account in the belief that it contained work-related messages, since it had been set up on the business' request for that purpose, and its access to the account was therefore legitimate.

So does this case have a far-reaching impact in the UK? Despite what the headlines may say the answer is no. Contrary to some reports, the case does not set a precedent for employers to monitor, carte blanche, employees' private messages on social media or other forums. The level of workplace monitoring an employer can legitimately carry out is restricted by the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000. The Information Commissioner's Employment Practices Code also includes guidance and good practice recommendations. For example, where monitoring is to be carried out, an impact assessment should be undertaken, and employers should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by this.

Employers should always ensure employees are aware of any monitoring and make clear whether personal use of company equipment is allowed. This should all be set out in a policy, linked to the disciplinary policy if required. Any such policy should be transparent and implemented consistently, and monitoring should be limited to that which is proportionate. With a clear policy in place, the legitimacy of an employer's actions will then depend on whether it strikes a fair balance between the employee's right to privacy and the employer's right to protect its business.

Imogen Finnegan is an employment practice senior associate at international law firm Mayer Brown