In the UK there are no specific privacy laws governing whether employers can monitor employees at work, employers are neither expressly allowed nor prohibited from doing so. Instead, employers find themselves navigating a complex legal and regulatory framework when it comes to monitoring their employees at work. In Brake v. Guy  EWCA Civ 235, the Court of Appeal gives some guidance on the issue of email monitoring and serves as a good reminder of what employers should consider when implementing monitoring policies.
The Claimant in Brake v. Guy brought a claim against their employer, the Respondent, for misuse of private information and breach of confidence in respect of emails sent from a shared work email address. That email address was a general enquiries shared inbox that multiple employees had access to, it was set up and operated by the Respondent. The Claimant argued that emails sent by the Claimant from the work account were private and that, in accessing and subsequently sharing those emails, the Respondent had misused private information and breached the duty of confidence. Ultimately, the Court of Appeal rejected the Claimant’s argument and upheld the initial ruling in favour of the Respondent. That decision was that there was no reasonable basis to expect privacy or confidentiality for personal emails sent and received using the work account provided by the Respondent.
The Court of Appeal judgment provides some helpful guidance for employers who wish to monitor shared email accounts. It is advisable for employers to:
- retain control over the password to that account;
- make it clear that the shared email account is for business purposes only; and
- create an individual work email account for each user of the shared email account; and
- make it clear that employees cannot expect privacy in respect of emails sent to or from any work account so, if they want an email to be private, they should not be using a work account for that email, whether shared or individual.
Taking the steps set out above will assist an employer seeking to monitor a shared business email account.
Data protection considerations
As well as the potential for employers to open themselves up to claims by employees’ alleging misuse of private information and breach of the duty of confidence, as was the case in Brake v. Guy, the other obvious and key consideration for employers is data protection under the GDPR.
Generally, an employer who wishes to monitor their employees’ emails at work must conduct data protection impact assessments (DPIAs) to demonstrate how they have struck the balance between protecting the interests of the business and allowing employees to enjoy privacy in the workplace. A DPIA involves:
- identifying the purpose(s) behind the monitoring arrangement and the benefits it is likely to deliver;
- identifying any likely adverse impact of the monitoring arrangement;
- considering alternatives to monitoring or different ways in which it might be carried out;
- taking into account the obligations that arise from monitoring; and
- judging whether monitoring is justified.
Employers must also provide sufficient information about their monitoring policy to give employees a clear understanding of:
- when information about their email/internet use will be accessed;
- why it is being accessed;
- how this information will be used; and
- to whom it will be disclosed.
In summary, the framework surrounding employers monitoring their employees at work is a complex one to navigate and employers must strike the balance between protecting their business interests and employee privacy in the workplace. Employers should be proactive in their approach to any email monitoring and must take positive steps to ensure that their employees are aware of any such policies.