How do employers comply with data protection laws and yet investigate wrongdoing? Monitoring staff - especially covertly - has been rather a grey area, despite the Data Protection Act.

A security or fraud manager may want to observe staff: examining logs of websites visited to check that staff are not downloading pornography, say; videoing workers outside the workplace to collect evidence that they are not in fact sick; or asking credit reference agencies to check that staff are not in financial difficulties. But what of the right to privacy under the Human Rights Act? The Information Commissioner's Office (ICO) has already released a code in four parts, covering recruitment and selection (such as pre-employment vetting), employment records, monitoring at work (such as staff use of telephones, the internet, and e-mail) and worker health. In June, the ICO released the code in one 91-page document. In general, this code advises good housekeeping, and that employers document whatever they are doing: assess why a manager has to gather data about staff, and let staff know, whether in a handbook or on a staff intranet.

No definition

Part three, for instance, came out in 2003 and was featured in our August 2003 edition. As we reported then, the code does not offer definite answers: for a start, the code admits ‘there is no hard-and-fast definition of monitoring’. The code recommends ‘impact assessment’ - ‘any adverse impact of monitoring on individuals must be justified by the benefits to the employer and others’. In other words, is the monitoring a proportionate response to the problem it seeks to address?

Impact assessment

The code says: “Making an impact assessment need not be a complicated or onerous process. It will often be enough for an employer to make a simple mental evaluation of the risks faced by his or her business and to assess whether the carrying out of monitoring would reduce or eradicate those risks.” The code does not judge particular circumstances. Instead, the code describes what an impact assessment should take into account: are there adverse impacts (would the monitoring be ‘oppressive or demeaning’?); and are there alternatives (can monitoring be ‘targeted’, can there be spot-checks instead of continuous monitoring?). The code does give core principles, such as ‘It will usually be intrusive to monitor your workers.’ Hence: ‘Wherever possible avoid opening e-mails, especially ones that clearly show they are private or personal.’ Workers should be told of monitoring, ‘unless (exceptionally) covert monitoring is justified’. And work out who ought to do the monitoring - security or personnel, or line managers?

Covert

The same goes for CCTV and audio monitoring: do an impact assessment. What about covert monitoring - when telling staff would give the game away? The code says monitoring covertly is only for ‘exceptional circumstances’: “Senior management should normally authorise any covert monitoring. They should satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice and that notifying individuals about the monitoring would prejudice its prevention or detection.” And there should be no covert monitoring in places where workers would genuinely and reasonably expect to be private - such as toilets. Even then, there may be exceptions if there are ‘serious’ crimes, but ‘there should be an intention to involve the police’.

Private investigator

If a private investigator is employed to collect information on workers covertly, make sure there is a contract in place that requires the private investigator to collect information only in a way that satisfies the employer's obligations under the Act.

Drug testing

As for drug and alcohol testing, the code advises: “Very few employers will be justified in testing to detect illegal use rather than on safety grounds. Testing to detect illegal use may, exceptionally, be justified where illegal use would: breach the worker's contract of employment, conditions of employment or disciplinary rules, and cause serious damage to the employer's business, for example by substantially undermining public confidence in the integrity of a law enforcement agency.”

You can download the guidance at www.informationcommissioner.gov.uk
