Insider user monitoring is an important component of corporate security, and for some regulated industries it is a mandatory requirement under the applicable compliance standards. While monitoring third-party providers raises no particular issues (see, for example, our post on How to audit insurance application and service providers), the legal aspects of employee monitoring are far less clear, especially in European countries.
The EU currently has no dedicated regulation governing all aspects of electronic monitoring of employees' use of corporate computers. Questions of electronic monitoring and employee privacy are therefore decided on the basis of the European Convention on Human Rights, labour law and EU data protection law, in particular Directive 95/46/EC on the processing of personal data wholly or partly by automatic means.
The Article 29 Working Party of the European Commission (hereinafter the Working Party) has developed recommendations intended to guarantee respect for human rights during employee monitoring. These recommendations have largely been reproduced at national level. For example, Belgium adopted National Collective Agreement No. 81 on the protection of employee privacy with respect to the monitoring of electronic online communications, and the national data protection authorities of Norway and Luxembourg have issued similar recommendations.
The recommendations of the Working Party
These recommendations can be summarized as follows:
1. The employer must provide the employee with clear and accessible information on the policies governing the use of corporate computers.
The relevance of this recommendation is confirmed by the decision in Halford v. United Kingdom, where it was established that an employee who used a corporate phone for personal calls had a legitimate expectation of privacy in those calls, because she had not been warned that the employer might monitor telephone conversations.
At the same time, the decision in the Florez case (Spain) shows that in certain circumstances covert monitoring can be justified.
In that case the defendant employer, which eventually won the action, had dismissed an employee for systematically visiting an Internet game website during working hours. The Catalonian High Court found that monitoring the employee's corporate PC without his knowledge did not breach his right to privacy, because there were reasonable grounds to believe that the employee had seriously breached his obligations.
2. Continuous automatic monitoring of specific employees (for example, by recording their entire user sessions) is inadmissible.
Monitoring should instead be selective, recording only the minimum amount of information the employer actually needs.
For example, a complete recorded session in which the employee chatted with friends on a social network would be judged an excessive interference with his private life. By contrast, a record that an irrelevant site was visited, together with accompanying metadata such as the duration of the visit, is an acceptable measure.
3. The employer must respect the secrecy of correspondence of both the employee and his correspondent, who may be unaware that their exchange is being monitored by a third party.
Based on this principle, the court in the Onof v. Nikon case found that reading an employee's personal e-mail violates his human rights even where the employer has expressly prohibited use of the corporate computer for private purposes. Monitoring of correspondence can therefore be justified only in a very limited number of cases: a threat to system security, or a specific employee's involvement in illegal activities affecting the employer's interests.
4. Information obtained by the employer must be used solely for the purpose for which it was collected (corporate security) and must be carefully protected from unauthorized access. Audit trails should not be kept for longer than 3 months.
The technical features of Ekran System make it possible for its users to comply with all of the requirements above, so that monitoring can be conducted while the employee's human rights are protected.
In our White Paper section, you can find more details on the European legal risks and recommendations for employee workplace surveillance.