Tag Archives: Employment Policies

Data Protection and Redundancy

The COVID-19 pandemic has had a considerable impact upon the economy. Government figures suggest that there have already been about half a million redundancies since the beginning of the pandemic; as the Government’s Job Retention Scheme put in place in March comes to an end at the end of this month, it is sadly inevitable that there will be further redundancies. When an employee leaves employment, whether by redundancy or not, there are data protection implications for employers that they ought to be aware of and take into consideration.

Many employers now have employees working from home when they would never have done so before. In early March, before the lockdown was put in place, many employers started kitting out their employees to enable them to work from home in line with government guidance and this continued as businesses tried to recover from the immediate aftermath of the lockdown. This will add a further dimension to the data protection considerations that employers should have in mind when making employees redundant.

When an employee is made redundant, employers have a duty to ensure that any personal data that the employee had in their possession continues to be secure. Employers should ensure that they revoke access to any IT systems that the employee had access to once the employee’s employment has terminated. If the employee is working out a period of notice then this should occur at the end of their last day; if not, it should happen as soon as is practicable after the employee’s employment has been terminated. Employers should ensure that any IT equipment that they provided is returned in case employees have stored personal data locally rather than inside the company’s system. Employers should also ensure that any printed material that the employee may have taken from the office or printed while working from home is also returned.

Where employees have been using their own devices in order to work from home things get a bit more complicated. Employers should ensure that they take steps to ensure that their former employees do not retain personal data for which the employer is the controller on their personal devices. What steps will be required will vary depending upon the circumstances. Obvious things will be around E-mail (for example, did the employee access their work E-mail on their personal phone), both in terms of existing E-mails on the system and ones that arrive after the employment has come to an end. Laptops, tablets and other computer devices which are owned by the employee may have personal data stored on them from the employee’s time working from home; this should not be overlooked.

If you’re an employee it’s also important to consider how this affects you. If you’re taking templates and styles you need to ensure that you have stripped these of all of the personal data within them; otherwise this could cause problems for you personally. Also, if you’re hoping to setup on your own or move clients/customers to any eventual new employment that you have then you should speak to your employer first. Taking personal data from an employer where you either do not have their consent, or could not reasonably believe that you would have their consent, could result in you being convicted of a criminal offence under the Data Protection Act 2018.

Working from home is likely to continue for some time and when offices do begin to re-open employees may not be flooding back into them. Employers who were previously hesitant to allow home working may now be willing to offer some degree of home working once the pandemic is over. Whether you have allowed home working for a while or whether COVID-19 has been the impetus to change working practices; a home working policy which includes data protection measures is important. Your policies relating to home working should account for how the recovery of personal data will be dealt with where an employee leaves, whether that is by redundancy or not.

Data protection considerations may seem fairly low down the agenda at the present time, but with significant financial penalties a possibility for failing to have adequate technical and organisational measures in place, it’s something that should not be ignored. When your business may already be struggling financially, an ICO investigation followed by a financial penalty is probably the last thing it needs. For employees, it is also important that you follow any relevant policies and procedures which deal with personal data at the end of your employment; there could be consequences for you personally as well if you fail to do so.

Alistair Sloan

If you would like advice or assistance in relation to the data protection aspects of redundancy or home working; or any other information law matter, then please contact our team on 0141 229 0880 or by E-mail.

Privacy and the Monitoring of Communications in the Employment Setting

On 5th September 2017 the Grand Chamber of the European Court of Human Rights issued its decision in the case of Bărbulescu v. Romania, which considers the application of the right to a private and family life contained in Article 8 of the European Court of Human Rights to the monitoring of a person’s communications by their employer.

The background to the case is that an employee was dismissed by his employer for making use of company equipment and services (internet connection and computer) for personal purposes during working hours; in particular, he had been sending personal messages (some of which were of an “intimate nature”) to his brother and fiancée.  The company’s internal policies prohibited this use and after following the disciplinary process required by Romanian domestic law, he was dismissed.  He brought a case in the domestic courts and was unsuccessful in all of those courts.  He then brought a case before the European Court of Human Rights which ultimately ended up with the Grand Chamber issuing its decision on 5th September 2017.  The procedural background to the case is more fully set out in the Court’s judgment.

The Court stated that the relationship between an employee and their employer “is contractual, with particular rights and obligations on either side, and is characterised by legal subordination.” (paragraph 117) The court went on to state, at paragraph 118, that “labour law leaves room for negotiation between the parties to the contract of employment.  Thus, it is generally for the parties themselves to regulate a significant part of the content of their relations.”

In terms of the margin of appreciation afforded to States under the European Convention of Human Rights, the Court decided, at paragraph 119, that States “must be granted a wide margin of appreciation in assessing the need to establish a legal framework governing the conditions in which an employer may regulate electronic or other communications of a non-professional nature by its employees in the workplace.”  However, the Court went on to state, in paragraph 120 of its judgment, that “the discretion enjoyed by States in this field cannot be unlimited.  The domestic authorities should ensure that the introduction by an employer of measures to monitor correspondence and other communications, irrespective of the extent and duration of such measures, is accompanied by adequate and sufficient safeguards against abuse.”  These adequate and sufficient safeguards, the court stated at paragraph 121, “are essential.”

The Court sets out five factors which it considers domestic authorities should treat as being relevant:

  1. What notification has been given to the employee regarding the possibility that the employer might take measures to monitor their correspondence and other communications, and what notification the employee has been given regarding the implementation of these measures;
  2. The extent of the monitoring by the employer and the degree of intrusion into the employee’s privacy (a distinction should be drawn between simply monitoring the flow of communications and the monitoring of the content of the communications);
  3. The reasons the employer has provided to justify the monitoring of their communications and their actual content – greater justification will be required for monitoring the content as opposed to just the flow;
  4. Whether it would have been possible for the employer to have in place a monitoring system that was based on less intrusive methods and measures than simply directly accessing the content of the employee’s communications;
  5. The consequences of the monitoring for the employee subjected to it, and the use made by the employer of the results of the monitoring operation, in particular whether the results were used to achieve the declared aim of the measure;
  6. Whether there were adequate safeguards in place; especially when the employer’s monitoring operations are of an intrusive nature.

This case makes it clear that it can be legitimate for an employer to monitor, not only the flow of private communications made by an employee on company systems, but also the actual content of the correspondence.  However, employers do not have an unlimited right.

Employers will have to think carefully about what aims they are trying to achieve by the monitoring of communications by employees on company systems and whether their proposed method of monitoring is proportionate with that aim.  Furthermore, employees should be given clear and fair notice of what monitoring is taking place and the purpose for the monitoring.

Employers will also need to give careful consideration to the safeguards that they need to have in place with regards to the monitoring procedures they have in place and ensure that what safeguards they do have in place are adequate.  With regards to safeguards, the court specifically stated that employers should not have access to the actual content of the correspondence concerned unless the employee has been notified in advance.

The court has also said that domestic authorities should ensure that any employee whose communications have been monitored has access to a remedy before a judicial body and that judicial body should have jurisdiction to determine, at least in substance, how the six criteria set out in its judgment have been observed and whether the impugned measures were in fact lawful.

This decision doesn’t really change the law as it already operated.  The decision does not prevent employers from undertaking the monitoring of communications by their employees on the employer’s systems.  However, the decision does act as a useful reminder that the ability to conduct such monitoring activities is not wholly unrestrained.  The decision, coupled with the forthcoming applicability of the General Data Protection Regulation, may well provide a good opportunity for employers to review their policies in this area to ensure that they are compliant with the law.

Alistair Sloan

If you would like advice on a matter concerning data protection or privacy, then you can contact our Alistair Sloan on 0345 450 0123 or by completing the contact page on this blog.  Alternatively, you can send him an E-mail directly.