TABLE OF CASES Barbulescu v Romania (2017) ECHR 754 Bloomberg LP v

TABLE OF CASES

Barbulescu v Romania (2017) ECHR 754

Bloomberg LP v ZXC (2022) UKSC 5

Campbell v Mirror Group Newspapers (2004) UKHL 22

David Murray v Big Pictures Limited (2008) 3 WLR 1360

Doolin v DPC (2020) IEHC 90

Kennedy v Ireland [1987] IR 587

Kennedy v Veolia Transport Ireland UD 240/2006

Lopez Ribalda and Others v Spain (2019) ECHR 752.

McCann v Clydebank College UKEATS/0061/09/BI

McGowan v Scottish Water (2004) IDS Brief 771, EAT

WM Morrison Supermarkets PLC v Various Claimants (2020) UKSC 12

TABLE OF LEGISLATION

Constitution of Ireland

Data Privacy Act 1998

European Convention On Human Rights (ECHR)

General Data Protection Regulation 2018

Regulation of Investigatory Powers Act 2000

Telecommunications Regulations 2000

Data Protection In The Workplace

In the modern world where technological advancement is proliferating, privacy is becoming a major concern, especially in the workplace. Employers exercise control in using technology to collect, process, store, and use employee data. To some degree, employers have significant resources and tools for limiting the extent of privacy of their employees at the workplace, such as including stipulations in the contract that define the extent and limitations on the privacy that employees can enjoy at work, and the installation of CCTV cameras. Employers are now resorting to data-driven technologies that extend to monitoring employees’ activities, and data analytics that monitor employee behavior and performance at the workplace.

The emerging data processing approach in human resource management including the utilization of surveillance at the workplace has a significant impact on privacy concerns of employees. At some point, employees are often confronted with some degree of anxiousness involving the scope of control that employers have over their privacy at the workplace considering that the employer has the right to encroach over their privacy if the employees are informed about the nature and extent of the surveillance enforced by the employers while they are at work. This concern of the employees is legitimate since employers may exercise the right to collect information from their employees at the workplace when there is an employment relationship between the parties, as the organization needs the information to gauge the performance, motivation, and integrity of their employees at work while having the ability to deter theft, fraud, unproductivity, and unethical or illegal behavior from its workforce.

The installation of a surveillance system for instance to monitor the activities of the employees at the workplace is held legally permissible if the employees are informed of the nature and extent of the use of the data and information captured using the CCTV cameras. While it may be apparent that the employer for the most part can determine the extent of privacy that its employees may enjoy at the workplace, it cannot be said that their right to control over the matter is absolute. It is noteworthy that the right of employers to control the degree of privacy that their employees will enjoy at work has limitations. These limitations are laid down by the constitution, legislations, and jurisprudence that are designed to balance the right of employers to limit and control the privacy enjoyed by their employees at the workplace and the right of every employee to their privacy.

Article 40.3.2. of the Irish Constitution for instance guarantees the protection of every citizen’s right against unjust attack, injustice, and to vindicate their life, person, good name, and property rights. It protects an individual’s dignity as held in the case of Kennedy v Ireland where it upholds this protection by holding that the individual’s right to freedom and dignity cannot be secured when there is a deliberate and conscious intrusion over his communications. Article 8 of the European Convention On Human Rights (ECHR) provides that the right to protection in the processing of personal data form of an individual extends to the right to respect for private and family life, home, and correspondence.

While the employer’s right to impose surveillance and data processing from the workplace being necessary for a legitimate business purpose is acknowledged under the laws in Ireland, such as giving employers the right and authority to monitor employees’ emails, the same is not an absolute right. The Data Privacy Act 1998 and the Regulation of Investigatory Powers Act 2000 impose limitations and parameters within which the employers may exercise the right to monitor private correspondence such as emails of their employees. These regulatory legislations require employers to disclose to the employees the methods employed in monitoring their communications, the information gathered, and how such information will be processed.

The case of Barbulescu v Romania emphasizes the importance of adhering to these requirements by employers. The dismissal of an employee on grounds that it violated the company’s policy against using its IT equipment for personal use, such as when the employee used the same in personal communications causing a breach of organizational policy, was considered a violation of the employee’s right to privacy for the reason that the employer failed to explain and disclose to the employee the extent of the monitoring of his communications. It therefore emphasizes that the right of the employer to control and manage its employees’ data and information, including the right to monitor and access communications of its employees cannot be an absolute right that can trample upon the constitutional rights of an individual for freedom, dignity, and privacy.

Employers are often reminded of their ethical duty to ensure that while their business is a priority, they must ensure a lawful monitoring system at the workplace keeping in mind transparency and fairness, and to respect the privacy of their employees. As pointed out by regulators, the data protection law does not prevent employers from monitoring their workers, but data processors must adhere to certain guidelines such as the same must be necessary and proportionate to avoid the threat of breaching the right to privacy of its workers. Employers often use contracts to bind employees to certain obligations such as obeying company policies that include data processing, workplace monitoring systems, and limitations on their right to privacy within company premises.

Employers use contracts to impose obedience on their employees. It provides certain conditions and disclosure of policies to which employees are required to adhere and provides grounds for dismissal in violation thereof. For instance, the employer may conduct a breathalyzer test on its employee as part of its company policy and dismiss an employee should it fail according to its employment contract provisions. While it is a valid exercise of employer prerogative according to the contract between the parties, the law still requires that specific procedures are done like informing the employee about the result of the test. The case of Kennedy v Veolia Transport Ireland only proves that while an employer’s rights to manage its business affairs with the right and freedom to regulate employee conduct, use personal information, and exercise the right to discipline and terminate its employees, it should be done according to regulatory procedures that will not deprive the employees of their right to understand and know the extent to which employers may intrude upon their privacy. While employers have some degree of control over the extent of the enjoyment of their employees on their privacy at the workplace, they are precluded from imposing policies that will completely deprive their workers on their right to privacy.

It is noteworthy that while the law protects the right to privacy among workers, some limitations and parameters do not make it an absolute right. The intent of legislation such as the Data Privacy Act 1988 is to give employers the right to monitor, collect, and process data and information of their workers but the same is regulated and exercised lawfully and reasonably. Employers, for instance, are allowed to install surveillance systems like CCTV cameras at the workplace if the recording is known to the employees using visible cameras. On the other hand, some federal laws allow employers to install hidden cameras but with a higher degree of burden of proof to justify the same for a legitimate business purpose.

As upheld in Lopez Ribalda and Others v Spain the installation of the hidden cameras at the supermarket in response to the management’s concern about theft from the checkout tills is justified since the employees were informed about the installation of the cameras including its purpose which is to deter theft within the employer’s property. Employees who were caught stealing from the hidden cameras were dismissed. When they filed a complaint that the installation of the hidden cameras was a violation of their right to privacy, the court explained that while they have a reasonable expectation of privacy at the workplace, the employer did not overstep on such right when they were informed that surveillance cameras will be installed to monitor theft at the workplace.

The principle of reasonable expectation of privacy also provides the limitation on an employee’s right to privacy. It defines certain conditions that allow an employer to intrude on a worker’s privacy while at work, such as the nature and purpose of the intrusion, the place where the intrusion is done, the knowledge and consent of the worker to such intrusion, the nature of the activity being monitored, and the process on how the information is obtained by the employer, as among others. It cannot, therefore, be said that the employer has the complete leeway to limit the enjoyment of employees’ privacy at the workplace because such right and authority should adhere to the principle of reasonable expectation of privacy. Employers therefore cannot arbitrarily exercise their right to limit the enjoyment of privacy of their employees.

The same principle is widely used in the courts involving issues of a breach of privacy. The David Murray case lays down the various circumstances to consider when identifying whether a person has a reasonable expectation of privacy. The court confirms that if an information is private, such as relating to a person’s sexual relationship or health, the court may reasonably determine whether the disclosure is offensive. Employers right to intrude on its employee’s right to privacy is also premised upon the principle that there is no right to unrestricted privacy.

Thus, an employee’s right to privacy is not absolute and it may be intruded upon at the workplace when an employer has justified grounds to do so, especially to protect its business, and such justification is necessary and proportionate. This is apparent in McGowan v Scottish Water wherein the act of the employer who obtained evidence using covert surveillance on its employee to establish that he was falsifying his time sheets at work is justified. The same position took place in McCann v Clydebank College where the filming of an employee without his knowledge by his employer who suspected that he was working for another job while at his workplace in breach of his employment contract is considered proportionate in the given situation. However, had the employer gone further in the said surveillance such act is no longer considered to be legitimate.

Common issues involving the right to privacy of employees consist of unauthorized access and monitoring by the employers on the employees’ telephone calls, email, and other forms of communication at the workplace. The conduct of the employer to do these is not unrestricted. The law imposes upon the employers the burden to justify the same and requires that it should be disclosed and known to the employees to be legitimate. The Telecommunications Regulations 2000 gives the employers the right and authority to monitor the communications of their employees within their private network as part of a lawful business practice done for a particular purpose. Among the legitimate conduct that employers can do includes monitoring employee emails to detect abuse at work and intercepting or recording telephone conversations to monitor and obtain evidence on certain transactions.

These are permissible interceptions that employees may consider a threat or intrusion to their right to privacy and may limit their enjoyment of this right at the workplace. However, to prevent abuse, unreasonable, and illegitimate intrusion into the privacy of the employees, the employer must establish a valid purpose for doing the same, such as when complying with other regulations, to establish a fact, as a means of verification of an employee’s transaction, monitoring employee performance according to the employer’s standards, for security, to carry out an effective, smooth and efficient communication, and in detecting unauthorized use of the employer’s internal communication network. While the act of monitoring and intercepting employees’ communication is a recognized legitimate business practice even without the employees’ consent, it cannot be done without notifying the employees of how the communications will be monitored and intercepted.

Taking into account the scope of the authority of the employers to limit the extent of the enjoyment of privacy of its employees at the workplace, the case of Barbulescu v Romania proves that the employer’s right to establish restrictive policies about the privacy of the employees cannot reduce their private social life at the workplace for respect to dignity and freedom to enjoy the right to privacy should continue to exist even if the same is restricted to a certain degree as guaranteed by Article 8 of the ECHR. Therefore, employers are still burdened with the legal, ethical, and moral obligations to give respect to the right to privacy of the employees while using less intrusive measures in monitoring an employee’s communication and correspondence.

While Irish employers exercise some degree of control over the enjoyment of employees on their privacy at the workplace, there are legal obligations imposed by the General Data Protection Regulation (GDPR) 2018 on the exercise of their right to collect personal data and information of their employees. The processing of personal data must be lawful, should be done for a legitimate purpose, fair, accurate, and transparent, and should comply with the principle of minimization, limitation of storage, confidentiality, integrity, and accountability. The law imposes obligations to employers in terms of the process of collecting personal data, using, and protecting the data. It safeguards the employees’ right to access their work-related data while upholding their right to be informed on how their data will be collected, used, and protected.

Doolin v DPC emphasizes the importance of providing a specific and legitimate purpose when processing data such as those recorded in a CCTV camera. An employer is precluded from using the data obtained from a surveillance tool like the CCTV when the same is collected for a specific purpose but used for a different purpose. Doolin was subjected to a disciplinary sanction using the data collected from the surveillance camera that proved he made several unauthorized breaks at work. However, the employees were informed that the CCTV cameras would be used for health and safety and for preventing crimes, not for disciplinary investigations.

Using the CCTV recordings for a different purpose is considered improper data processing and is held to be a violation of an employee’s right to data privacy. Doolin points out that controllers of surveillance cameras must ensure that the subjects whose personal data may be recorded on the CCTV are aware of the specific purpose of the recordings and how they may be used in the workplace policy. To avoid a breach and violation of the employee’s right to privacy concerning the collection, processing, and use of their data, employers should observe the best practices of laying down data protection policy at the workplace with data protection notices to the employees and the disclosure on the purpose and use of the data collected.

Among the lawful grounds for processing personal data include the subject consent, contract, legality, and legitimate interest. Employers should observe the basic requirements when obtaining the consent of a data subject, which must be freely given, specific, and transparent. Thus, the employee should understand what data will be collected, who will collect the same, how the data will be processed, for what purpose, and the means of data collection. False and misleading representations will result in invalid consent from the data subject. When employers obtain employees’ consent following legal requirements, it can justify the collection, processing, and storage of their data, provided that consent is valid. However, it is worth noting that an employee may withdraw his or her consent at any time. Thus, the employer has no perpetual control over the collection, processing, and use of employee personal data.

The contract allows employers to collect data from employees only when it is necessary for the contractual relationship, such as when processing payroll. The legal obligation also justifies the collection of data on the employees such as when there is a need for the employer to comply with regulations and legislations about health, safety, and tax compliance. Legitimate interest as a justification for data collection and processing rests upon certain requirements such as reasonable expectations and transparency. Legitimate interest appears to be the most flexible among the legal grounds for data collection, but employers should observe the balancing test when weighing the business interest and the right to privacy of a worker. To determine the appropriateness of a legitimate purpose in data gathering, balancing assessment is the key to determining whether the reason for doing it is legitimate, necessary, and not disadvantageous to the employee.

The employer has restrictions and limitations when it comes to using and processing employee data and information. The purpose limitation principle dictates that the data processing must be done only for an explicit and legitimate purpose which is stated and disclosed to the data subject. The data minimization principle requires the data processor to collect and use the data limited to the necessity of the purpose for which it is being processed. The data processor can only store the data collected within the period that is necessary for its purpose.

While employers have the authority to collect and process data of employees, doing so carries with it the accountability of complying with regulations and guidelines enforced by legislation. Data breach has criminal liability, and the Data Protection Act 1988 does not exclude vicarious liability of the employer on the misuse of information or data breach committed by data controllers under their employment. WM Morrison Supermarkets PLC v Various Claimants laid down the rule that employers are made accountable for any data breach committed by any person under their employ and must consistently review the access and use of the personal data by its employee responsible as a data processor. Likewise, data breaches may also occur from the unauthorized disclosure of personal data to third parties without the consent of the data subject.

While employers enjoy the right to process the data of their employees at the workplace and exercise some degree of control in the extent of the enjoyment of the privacy of their employees at work, this authority is burdened with liability and accountability. Employers are required to observe strict measures in data protection to secure the data and information they hold. Reasonable steps must be taken by employers when processing and collecting employee data to avoid a data breach, which occurs when there is unauthorized access, use, or disclosure of personal information. Breaches on personal data can cause harm to the data subject and it implies civil and criminal liabilities to the employer.

Indeed, employers for the most part determine the extent of enjoyment of employees on their privacy at the workplace through its authority to collect and process personal information and implement surveillance if the employees are aware of this procedure and it does not cause harm to the employee, it cannot be said that the exercise of this authority is absolute. As can be gleaned from various case laws, employers are burdened to comply with the legislative requirements of balancing their rights under the principle of lawful business practices and the right of employees to the freedom of privacy and respect for their dignity.

European legislation and employment law are designed to regulate the rights of the employer to protect its business and the rights of the employees to data privacy. While it allows employers to intrude upon the privacy of the employees while at work, the same imposes some regulatory measures and requirements to ensure that the same is done reasonably for a legitimate purpose. Thus, laws such as the DPA 1988 protect an employee’s right to privacy at the workplace to ensure that employers cannot arbitrarily exercise their authority in monitoring employees’ activities at work and in collecting personal data and information.

Data breach and improper handling of personal information has a significant impact on an organization. Therefore, organizations must implement the highest standards of protection when performing surveillance and data processing. Employers must observe the best practices when carrying out data processing policies at the workplace as it could lead to expensive lawsuits that have a significant economic impact on an organization. Therefore, it cannot be said that employers have the absolute right to control their employees’ right to privacy in the workplace. This authority is burdened with legal, moral, and ethical obligations that protect an employee’s right to privacy in their employment. Legislative limitations are present to protect employee’s rights to privacy and against unreasonable breach of data privacy by employers.

Bibliography

Bhave D, Teo L, and Dalal R, Privacy at Work: A Review and Research Agenda For A

Contested Terrain (Sage Journal 2019).

Bloomberg LP v ZXC (2022) UKSC 5

Campbell v Mirror Group Newspapers (2004) UKHL 22

Council of Europe, European Union Agency For Fundamental Rights, Handbook on

European Data Protection Law, 2018 Edition (European Union Agency For

Fundamental Rights and Council of Europe, 2018) 17.

Constitution of Ireland

David Murray v Big Pictures Limited (2008) 3 WLR 1360

Doolin v DPC (2020) IEHC 90

Ebert I, Wildhaber I, and Adams-Prassl J, Big Data At The Workplace (Sage Journal

2021).

Jo Joyce, Purposeful Processing: Legitimate Interests and Purpose Limitation In The

Data Protection and Digital Information Bill

⟨https://www.taylorwessing.com/en/global-data-hub/2022/september—the-uks-

data-protection-and-digital-information-bill/purposful-processing-legitimate-

interests-and-purpose-limitation⟩ accessed on 4 April 2024.

Kennedy v Ireland [1987] IR 587.

Kennedy v Veolia Transport Ireland UD 240/2006

Lopez Ribalda and Others v Spain (2019) ECHR 752.

McCann v Clydebank College UKEATS/0061/09/BI

McGowan v Scottish Water (2004) IDS Brief 771, EAT

Monitoring In the Workplace: Can Employers Read Employees’ Emails?

⟨https://scraselaw.com/monitoring-workplace-employees-emails/⟩ accessed on 4

April 2024.

Protection of Worker’s Personal Data (International Labour Organization, 1977) 4.

Surveillance at Work ⟨https://www.workplacefairness.org/workplace-surveillance/⟩

accessed on 4 April 2024.

Taal A, The GDPR Challenge Privacy, Technology, and Compliance In An Age of

Accelerating Change (CRC Press, 2021) 90.

The Telecommunications (Lawful Business Practice) (Interception of

Communications) Regulations 2000 (2022)

⟨https://www.netlawman.co.uk/ia/telecommunications-regs⟩ accessed on 4 April

2024.

Thomas L and others, A Framework For Data Privacy and Security Accountability

In Data Breach Communications / Computers and Security Volume III (Elsevier, 2022)

WM Morrison Supermarkets PLC v Various Claimants (2020) UKSC 12

2