Tim O’Callaghan is a partner in Druces LLP, specialising in advice to the fashion and luxury goods business. In this month’s column, he assesses how far businesses can go in monitoring their staff before they enter an unlawful territory.
As reported by Lingerie Insight recently, at the heart of a case against MJM by an ex-employee/director is the allegation that a listening device (“bug”) had been planted into the employee’s plant pot to record his conversations.
This has led to many questions from my clients as to the extent to which employees may be lawfully monitored, and what crosses the line into unacceptable surveillance and “stalking”.
I am sure that my readers do not seek to exercise a Stasi-like, all encompassing monitoring of employees and their behaviour as that would offend, amongst other things, against employees’ human dignity.
Yet whilst bugging an employee’s plant pot may seem to be the zenith of corporate paranoia, an increasing number of employers are considering some form of employee monitoring, and in this day and age, when any employee can potentially spend their lives at their desk polishing their LinkedIn profile without doing anything productive, it is a concern that needs to be recognised.
The current prevalence of social media and the fact that most people in this country under the age of 30 have an online presence either via Facebook, Twitter, Linkedin or perhaps a blog, means that employers have a resource unlike any they have ever had before to investigate the background of employees and potential employees. So, what is and what is not lawful?
Protection from discrimination starts during the recruitment process. Therefore, if an employer gains information on a candidate’s sexuality or religious beliefs, for example, via the Internet, on a blog, social networking site, or similar, and rejected a candidate on that basis, the rejected candidate may be able to bring a successful discrimination claim if the basis for rejection became known.
Of course, most employers would provide a different reason; however, if the candidate were to make a data subject access request which led to the production of an incriminating email, then the employer would potentially be in difficulties.
By way of example, you may want to assess the likelihood that a female job applicant may become pregnant in the near future, as that would mean that maternity rights apply etc. You look at the applicant’s Facebook page and find that she expresses a wish to her friends that she has a child soon. As a result, and fearing having to find a replacement for maternity cover, you do not recruit her.
Have you committed an unlawful act? If the reason for not proceeding with the application process is the likelihood of pregnancy, then yes, you will have committed an unlawful act and will potentially expose yourself to a claim.
The same risk of a discrimination claim applies if an employer uses social media to find out about a current employee, and relies on that information to the employee’s detriment.
The UK data protection regime regulates the “processing” of personal data. Processing is widely defined to include activities such as consulting, using, holding and deleting the data. Personal data includes expressions of opinion and must be information which relates to that individual in a biographical sense.
Where an employer consults and records online information to find out more about a candidate, it is processing that candidate’s personal data.
Obligations relating to processing personal data become more onerous where sensitive personal data is processed. Sensitive personal data includes information about a person’s sexuality, race, and political or other beliefs, which is just the sort of information that typically might be found on an individual’s social media profile.
However, as the employee has made the information public by posting it online, the additional layers of protection that relate to sensitive personal data do not apply.
The Information Commissioner’s Office (ICO) has produced best practice guidance on background checks in its Employment Practices Data Protection Code (the Code). The Code recommends that:
1. The employee or candidate is informed of the background searches and checks that the employer proposes to undertake.
2. The employee or candidate is given the opportunity to comment on the accuracy of the results of any search or check.
3. The employer ensures that any searches or checks are proportionate, both in relation to their intrusiveness when balanced against the nature of the risks which the role entails, and the point in the recruitment process when the check is undertaken. Checks should therefore be undertaken as late as possible in the process, and not performed on all candidates.
4. Where the review of online profiles occurs during employment, the employer should conduct an impact assessment and ensure that the monitoring is adequate, relevant and proportionate to the risk identified.
Viewing social media to glean certain types of information about a candidate is unlikely ever to be proportionate, or justified: it is difficult to see how gathering information about, for example, sexual orientation, would ever be justified by the nature of the risks identified in the performance of a specific role.
However, viewing a profile for extremist views or to test a candidate’s trustworthiness, may be justifiable at the point before the employer offers the role.
It seems that placing a recording device in an employee’s plant pot to record conversations will rarely be justified and if employers and potential employers want to gather information on staff they should do so in a way that is both proportionate and transparent.