The Employment Practices Data Protection Code: Monitoring at Work
Understanding the legal constraints of the Data Protection Act (DPA) and its implications in the field of employment and industrial relations is a growth area. It affects everyone - employers, employees, workers, trade unions and their members. The Information Commissioner (a post established by the Data Protection Act) has now issued a new statutory code of practice setting out his views as to how employers can comply with the DPA. It is not legally enforceable, but can be used as evidence in the courts and tribunals.
The Employment Practices Data Protection Code has four sections: recruitment and selection (part 1); employment records (part 2); monitoring at work (part 3); and medical information (part 4). Copies of the Code are available from the Information Commissioner's website at www.informationcommissioner.gov.uk.
Legal Compliance
The Code emphasises that employers must comply with the following legal regimes when monitoring at work:
 the DPA, which covers "data processing" in general
 EC Directive 95/46/EC on data protection
 the Human Rights Act 1998 and Article 8 of the European Convention on Human Rights - the right to respect for private and family life and correspondence
 the Regulation of Investigatory Powers Act 2000 (RIPA) and the Lawful Business Practice (Interception of Telecommunications) Regulations 2000 (LBPR).
According to the Information Commissioner, the DPA provides that "any adverse impact on workers is justified by the benefits to the employer and others". We do not believe that this statement of the law is correct in terms of compliance with Article 8, under which any interference with the right to respect for private life and correspondence must be in accordance with the law, pursue a legitimate objective, be necessary in a democratic society and proportionate.
Definitions and Coverage
The Code covers "personal information", which is information that:
 relates to a living person
 identifies an individual, or which tends to identify an individual when added to other information the organisation either already has or is likely to acquire (see section 1 of the DPA).
The Code applies to information processed in relation to job applicants and former applicants (successful and unsuccessful), as well as current and former employees, agency, casual and contract staff.
Section 3: Monitoring at work
The Code distinguishes between two types of monitoring - systematic (i.e. of all workers, or a group of workers, as a matter of routine) and occasional (monitoring on a short-term basis in response to a particular need).
Impact Assessments
To justify monitoring at work, Section 3 states that employers should carry out impact assessments involving:
 identification of the purpose of the monitoring and the likely benefits
 identification of the likely adverse impact of the monitoring
 considering alternatives to monitoring and the different ways it may be carried out
 taking into account the obligations that arise from monitoring
 judging whether monitoring is justified.
Section 3: Good Practice
The "good practice recommendations" cover seven areas:
 managing data protection
 general approach to monitoring
 monitoring electronic communications
 video and audio monitoring
 covert monitoring
 in-vehicle monitoring
 monitoring through information from third parties.
"Core principles" to be observed are:
 it will usually be intrusive to monitor workers
 workers have a legitimate expectation that they can keep their personal lives private - including in the workplace
 employers wishing to monitor workers need to be clear about the purpose and satisfied that the monitoring is "justified by real benefits"
 workers should be aware of the nature, extent and reasons for any monitoring unless (exceptionally) covert monitoring is justified
 in any event, workers' awareness will influence their expectations.
Other relevant principles include:
 consideration "preferably using an impact assessment" whether the benefits of a particular form of monitoring outweigh the adverse impact
 give workers a clear understanding of the form of monitoring to be carried out and why (except in the case of covert monitoring)
 covert monitoring should only be carried out where there are grounds for believing that criminal activity or "equivalent malpractice" is being carried out and notifying individuals about monitoring would prejudice its prevention or detection
 identification of the persons responsible for data protection compliance
 identification of managers authorised to implement monitoring; in the case of covert monitoring, these should be senior managers
 assessment of the personal information held by an employer
 retaining the minimum amount of personal information necessary for monitoring purposes
 not using personal information for any purpose other than that for which the monitoring was introduced, unless it is in the worker's interest to do so or it reveals activities that "no employer could reasonably be expected to ignore"
 where the purpose of the monitoring is to ensure compliance with rules and standards, those rules and standards must be readily available to workers
 consultation with workers and/or trade unions "or other representatives" about "the development and implementation of employment practices and procedures that involve the processing of personal information about workers."
The most frequently asked questions relate to monitoring electronic communications.
Monitoring Electronic Communications
This section covers all electronic communications, such as telephone calls, fax transmissions, e-mails and internet access.
Most importantly, employers should establish a policy on the use of electronic communications systems and communicate it to workers. Employers should consider including the following features in that policy:
 setting out clearly the circumstances in which workers may or may not use the employer's telephone system, email system and Internet access for private communications
 make clear the extent and type of private use that is allowed, for example restrictions on overseas telephone calls or limits on the size and/or type of email attachments
 in the case of internet access, specify clearly any restrictions on material that can be viewed or copied; a ban on "offensive material" is unlikely to be sufficiently clear
 giving examples of the sort of material that is considered offensive - such as material containing racist terminology or nudity
 advise workers about the general need to exercise care, about any relevant rules and about what personal information they are allowed to include in communications
 make clear what alternative means of communications can be used - for example the confidentiality of communications with the company doctor can only be ensured if they are sent by internal post
 clear rules for private use of the employer's communication equipment when used from home or away from the workplace
 an explanation of the purposes for which any monitoring is conducted, the extent of the monitoring and the means used
 an explanation of the sanctions to be enforced if the policy is breached.
The supplementary guidance sets out what the employer should consider in an impact assessment of e-mail monitoring which, together with the recommended items for inclusion in the communications systems use policy, could be useful in negotiations with employers:
 can monitoring of traffic, and not content of messages, be used? If not, can the traffic record be used to narrow the scope of content monitoring?
 is it possible to use an automated monitoring system, for example, to detect viruses or sizes of attachments?
 will monitoring breach client or worker confidentiality?
 are there secure transmission lines, not subject to monitoring, for example, for occupational health or trade-union related communications?
 can workers mark communications as "personal"?
 what effect would adjustments to the system make?
 can monitoring be confined to external rather than internal e-mail?
 can emails marked "personal" be excluded from monitoring?
 are workers authorised to use the mail system for personal purposes?
 do workers have access to separate personal email accounts?
 are systems for recording information about email use reliable?
As well as observing the core and other general principles set out above, employers also need to:
 ensure that workers are aware of the extent to which the employer receives information about the use of telephone lines in their homes, or mobile phones provided for personal use
 wherever possible, avoid opening emails, especially ones that clearly show that they are private or personal
 ensure that those sending emails to workers, as well as workers themselves, are aware of any monitoring and the purpose behind it
 if it is necessary to check the email accounts of workers in their absence, make sure that they are aware that this will happen
 inform workers of the extent to which information about their internet access and emails is retained in the system and for how long.
Employers also need to be satisfied that any "interception" in the course of monitoring will meet the requirements of the Regulation of Investigatory Powers Act (RIPA) and the Lawful Business Practice Regulations (LBPR). Broadly, under RIPA, it is unlawful to intercept telecommunications except with the worker's consent or where the communication is connected with the operation of the communication system itself.
There are, however, further authorised business purposes contained in the LBPR which allow interception. Helpful guidance is contained in the Information Commissioner's supplementary guidance.
Two important points to note are:
 "interception" occurs "in the course of transmission" - it does not therefore include access to stored emails that have already been opened by the intended recipient
 the DPA operates independently from RIPA and the LBPR - just because interception may be allowed under RIPA or the LBPR does not mean that any "data processing" involved complies with the DPA.
Sanctions
There are no specific sanctions for a failure to abide by the Code. But, under the DPA, an aggrieved worker whose claim is upheld has a right to compensation from the data controller, including, in certain circumstances, for distress, as well as being able to complain to the Information Commissioner, seeking an enforcement notice.