Asheeta RegidiSep 06, 2017 16:52:02 IST
The highest court of appeal of the European Court of Human Rights on Tuesday restricted an employer’s right to monitor its employee’s workplace communications. The ruling given in Bărbulescu v. Romania overturned the ruling of a lower Court that the monitoring was reasonable in the context of disciplinary proceedings. The case involved the dismissal of an employee based on a week’s chat transcripts with his brother and fiancée on personal matters.
The recognition of a fundamental right to privacy, and the expected data protection law in India has private companies worried about the implications for them. While this decision of a European Court can hardly be expected to have a direct impact on workplaces in India, it draws the attention to practices such as employee monitoring and surveillance. Employers and employees alike need to be aware of surveillance which is and isn’t valid.
Privacy protections to employees under current laws
Under current privacy laws in India, employers are required to adopt reasonable security practices to protect sensitive personal data of employees, which is in their possession. This applies to a limited category of data like medical records, financial records, biometric information, etc. If a loss results to an employee due to lack of these security practices, the employee will be entitled to compensation under Section 43A of the Information Technology Act, 2000.
The forthcoming data protection law can be expected to have further implications for the collection, use and storage of employee data, including their communications.
Impact of the fundamental right to privacy on the workplace
In the meanwhile, the recognition of a fundamental right to privacy by the Supreme Court can have implications for the privacy practices of employers. As discussed in a previous article, a fundamental right may be enforceable against private persons under certain circumstances. These include the enforcement of a fundamental right against private persons, issued in a matter of public interest. The Vishakha guidelines on sexual harassment are evidence of a fundamental right being enforced against workplaces in general.
It is thus very much possible for an employee to take an employer to court for practices which violate his fundamental right to privacy.
Workplace surveillance is legal
Employees must remember that it is unlikely that workplace monitoring and surveillance will in itself be prohibited. Globally, such practices, whether for the enforcement of discipline or for the protection of business interests, are generally considered to be valid. It is crucial, however, that the surveillance be reasonable, and that the employees be aware of the surveillance.
The European Court, for instance, describes the need to strike a balance between the employee’s right to respect for his private life, and the employer’s right to ensure the smooth running of the company. The general idea is to establish where employees can reasonably expect to have privacy, such as on their personal devices, and where they cannot, such as on work devices.
Suggestions for safeguarding privacy in the workplace
In the absence of specific guidelines, it is advisable for employers to safeguard privacy in the workplace. At the same time, employees need to be aware of what practices are reasonable and what are not.
With a focus on employee surveillance and monitoring of communications, some precautions which employers can take can be derived from the European Court’s judgment on the issue, as well as the general privacy principles outlined in Justice A.P. Shah’s report on privacy:
Notice: Notice is the most important factor when conducting employee surveillance and monitoring. Employees need to be adequately informed of the fact or possibility of the surveillance, the nature and extent of the surveillance, and the use the information collected can be put to.
This includes but is not limited to notice at the time of hiring and privacy policies displayed prominently in the workplace. One of the reasons behind the European Court’s decision in Bărbulescu v. Romania was that the employee had not received adequate prior notice of the fact of the surveillance.
Consent: Taking employee consent in writing is important for employers to protect themselves. However, notice being the most important factor, consent without proper notice to the employee may not be adequate. Despite contractual consent, the employee must be adequately informed of factors like the nature and extent of the monitoring. For example, if the employee uses his personal device for work, to what extent is the personal device monitored?
Degree of intrusion: The extent of monitoring and degree of intrusion are important factors. It is crucial to establish a difference between monitoring the flow of communications, such as whether the mail was sent to a professional or personal contact, and accessing the actual content of the communications, i.e., actually reading the message. An employer may be justified in actually reading the content of a business email, but not a personal mail. If a less invasive form of surveillance is possible, it is to be preferred.
For example, the European Court considered the reading of the employee’s personal chat transcripts as violative, even if the chatting was done on a work device.
Justify the intrusion: The employer must have legitimate reasons to justify the need for and extent of workplace surveillance. A greater degree of intrusion, such as the need to access the content of the communication will need weightier justification.
Consequences: The employee must be informed of the consequences for him, such as the possibility of termination of employment on finding private communications in work hours.
Use of collected data: Employees must be informed of the use the data collected can be put to, for example, will the data be archived, will the data be erased after the employee leaves employment, etc.
Employee safeguards: Employees must be provided with adequate safeguards against employer monitoring, such as preventing access to actual content.
BYOD: In the era of BYOD, it is a good practice to require separate devices for work and private purposes. This will also establish where the employee can reasonably expect an intrusion of his privacy and where he cannot.
Note: The suggestions outlined here are of a general nature and are not to be construed as legal advice.
Asheeta Regidi is a lawyer and author specializing in cyber law, and a certified information privacy professional.
Find latest and upcoming tech gadgets online on Tech2 Gadgets. Get technology news, gadgets reviews & ratings. Popular gadgets including laptop, tablet and mobile specifications, features, prices, comparison.