Transparency, AUPs and covert monitoring
Transparency both meets the notice requirement and sets expectations: employees told in advance that use is monitored have less scope to claim they didn't know. But an employer cannot simply warn employees they have 'no privacy' - workers retain a degree of workplace privacy that cannot be eradicated. Employers should issue an acceptable use policy (AUP). Covert monitoring is permitted only in narrow circumstances and the WP29 said no covert email monitoring is allowed except where local law permits it.
- Informing employees in advance has historically been crucial to how courts view monitoring - failing to notify can cause the employer to lose an action against a rogue employee.
- An employer cannot argue away workplace privacy just by warning employees they have none - courts/DPAs won't accept a blanket warning.
- Issue an AUP covering expected standards for telephone, internet and email use, stating use may be monitored and how much private use is allowed.
- Courts and DPAs have held employees have a right to limited private use of employer equipment - a blanket 'no private use' ban can't override this.
- Private communications of employees should generally not be opened or monitored.
- Reminders can be delivered via pop-up boxes at logon.
- Where misuse is detected, notify the employee immediately, unless an important reason justifies surveillance without notice.
| Topic | What to disclose |
|---|---|
| Email/internet policy | Extent of permitted personal use, with limits on time/duration |
| Reasons for surveillance | Why surveillance is carried out (e.g. system security, virus/ransomware checks) |
| Surveillance details | Who? What? How? When? |
| Enforcement | How/when workers are told of breaches and given a chance to respond |
| Email specifics | Personal email account rights; access arrangements during absence; backup storage period; when emails are definitively deleted; worker-rep involvement |
The WP29 stated no covert email monitoring is allowed except in cases permitted by local law - typically where specific criminal activity has been identified. In some jurisdictions covert surveillance is not permitted at all and the police should be involved.