Monitoring Employee Internet Use

March 26, 2008

The popularity of Internet-based social networking sites has brought with it considerable difficulties for employers and a renewed focus on the need for employers to understand how to monitor employee use of the Internet. For many, this will simply be a matter of seeking to prevent employees wasting time and resources. However, the risks for businesses go beyond this. Sites visited by employees during work time and using work resources can have damaging consequences for businesses, whether in terms of external reputation, damage to internal relations or otherwise.

The Law

Workplace surveillance of this kind cuts across a range of legislation including:
• the Data Protection Act 1998
• the Regulation of Investigatory Powers Act 2000 (RIPA)
• the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the Telecommunications Regulations)
• European and UK-based human rights legislation.

In addition to any problems arising from the legislation which specifically addresses monitoring and intercepting communications, an employer’s monitoring activities may also give rise to more general problems. These may include problems relating to the employer’s obligation to maintain the relationship of trust and confidence between the employer and its employee.

What emerges from these various pieces of legislation and other obligations is a basic starting point that employees are entitled to their privacy and, crucially, that this entitlement extends to a degree of privacy in the working environment. However, this right of privacy is to be balanced against the legitimate interests of the business, which means that an employer can, following due process and minding the legal parameters, carry out appropriate monitoring.

When considering the issue of how far an employer can go in such monitoring, the Data Protection Act 1998 and the accompanying Codes of Practice should be the primary source of reference. The Codes of Practice include vital practical guidance on carrying out workplace monitoring. However, it must be noted that it is the Data Protection Act 1998 itself which must be complied with. The Codes of Practice are a guide to compliance with the Act but have no higher status. It is therefore worthwhile revisiting the key principles of the Act and, in particular, the most relevant principles contained within the eight data protection principles set out in Sch. 1. These are as follows.

• Personal data shall be processed fairly and lawfully.
• Personal data shall be obtained only for specified lawful purposes and shall not be processed in a manner incompatible with those purposes.
• Personal data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed.
• Personal data shall be subject to appropriate technical and organisational measures which should protect against unauthorised or unlawful processing and accidental loss, destruction or damage.

For these purposes, accessing or using electronically stored or processed information which relates to an individual (such as what Web sites they visited or what information they conveyed on such Web sites) will, in all likelihood, amount to ‘Personal Data’.

The Data Protection Codes of Practice seek to take into account the provisions of RIPA and the Telecommunications Regulations. However, they are not the statutory guidance to accompany this legislation. RIPA mainly concerns the interception of communications in the course of transmission. In the world of Internet use, issues in this regard largely arise where private e-mails are opened before they have been opened by the intended recipient. For monitoring of this kind to take place, most businesses will need the consent of both the sender and the recipient.

More relevant to monitoring Internet use are the Telecommunications Regulations, which apply to monitoring or recording such communications. Here, it is possible to monitor, without recording communications and without consent, where it is for the purposes of understanding whether a communication is relevant to a business. What is relevant to a business is widely defined and includes the concept of ‘a communication which otherwise relates to that business’. However, the Telecommunications Regulations do require an employer involved in monitoring to have at least made reasonable efforts to inform the employees that an interception or monitoring of this kind may take place.

Practical Application

In terms of what this all means in practice, businesses really need to make all employees aware of the nature and extent of any monitoring and the reasons for it. This does not mean that every instance of monitoring has to be declared to an employee in advance – covert monitoring is provided for. But it does mean that businesses have to be clear on what monitoring may be taking place. It is also clear that businesses must have a policy on the use of electronic communications. Such a policy needs to make clear how employees may use the system, and what usage is not permitted. For example, if particular Internet access is not allowed (and some businesses have attempted to ban the use of social networking sites during work time) then the details of such a ban need to be made clear. Outright bans on personal use of the Internet should be avoided. They are often unworkable and also do not provide for that element of private life in the workplace, which is an important concession for employers to make.

A policy of this kind can also be used to explain the purposes for which any monitoring is conducted, the extent of the monitoring and how it might be carried out. Needless to say it is also important that the policy outlines how it will be enforced and the penalties for a breach.

Such a policy provides a legitimate platform for a business to then monitor employee usage of its communications systems, including Internet use. The question then is exactly how this monitoring can be conducted. The answer is that the monitoring must be conducted in a proportionate manner and in a way which preserves the privacy of an individual insofar as possible. Covert monitoring should not normally be considered and it would be rare for covert monitoring of workers to be justified: it is only for use in exceptional circumstances.

The rule of thumb is to carry out monitoring at the least intrusive level available, given the purpose of the monitoring. So, automated monitoring must always be favoured over human monitoring, where possible and effective. It is also recommended that monitoring of Internet use is carried out by someone other than an employee’s immediate management team, to avoid their immediate colleagues and superiors having access to personal data on them where there may in fact be no issue at all.

It is also recommended that an impact assessment process is carried out before conducting specific monitoring activity. This process should involve considering such matters as: who will undertake the monitoring; for which purposes the monitoring is being undertaken; how will the information from the monitoring be used and stored; and whether those carrying out the monitoring process are aware of their obligations under the various pieces of legislation. Through this process, a business must also consider whether it could adopt a less intrusive form of monitoring.

Drawing on examples from the Data Protection Act Codes of Practice, if an employer wishes to monitor the type of Web sites being accessed to ensure that no inappropriate Web sites are accessed, then it is recommended that details of the Web sites visited be viewed on a team or departmental basis, unconnected to individual users. Only on discovering use of a site which may breach policy should a business identify the relevant employee and shift its investigations to that individual’s activity. Equally, if the concern is about employees wasting time and resources, this can be monitored through measures of time spent accessing sites, rather than the detail of those sites or the employees’ activities on those sites.

From these examples, it can be seen that general monitoring for compliance with workplace rules should take place at an anonymous level until a specific issue is identified. This is different to circumstances where an employer has a legitimate basis for believing that an employee has been abusing the work systems or resources (e.g. where a complaint is received from another member of staff). In the latter case, following an impact assessment process, the employer can carry out focused, but limited, covert monitoring to investigate that complaint, if this is necessary in the circumstances. Even then, the employer should not delve into private details or private communications unnecessarily and must maintain any investigation strictly at the level required given the issues in hand.
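
The staged approach described in the two paragraphs above can be sketched as follows. This is an added example, not taken from the article or the Codes of Practice: the record fields, the category labels, the banned-category policy and the key handling are all assumptions, and the log records are constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample proxy records: (user, department, host, category, seconds)
SAMPLE = [
    ("alice", "finance", "news.example", "news", 300),
    ("bob", "finance", "social.example", "social", 1200),
    ("carol", "sales", "crm.example", "business", 2400),
    ("dave", "sales", "gambling.example", "gambling", 600),
    ("alice", "finance", "social.example", "social", 900),
]
BANNED = {"gambling"}  # assumption: categories the written policy prohibits

def pseudonym(user, key):
    """Keyed token so reviewers of flagged activity never see a username."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:12]

def department_report(records):
    """Stage 1: seconds per site category per department, no user data."""
    report = defaultdict(lambda: defaultdict(int))
    for _user, dept, _host, category, seconds in records:
        report[dept][category] += seconds
    return {dept: dict(cats) for dept, cats in report.items()}

def policy_flags(records, key, banned=BANNED):
    """Stage 2: possible policy breaches, listed under pseudonyms only."""
    return [(dept, category, pseudonym(user, key))
            for user, dept, _host, category, _secs in records
            if category in banned]

def identify(token, records, key):
    """Stage 3: resolve one flagged pseudonym to a user. Requires the key,
    assumed to be held outside the employee's immediate management team."""
    for user, *_rest in records:
        if hmac.compare_digest(pseudonym(user, key), token):
            return user
    return None

if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder; store real keys separately
    print(department_report(SAMPLE))
    for dept, category, token in policy_flags(SAMPLE, key):
        print(dept, category, token)
```

Only `identify` ever returns a name, so access to the key is the control point that separates routine departmental reporting from an investigation into an individual.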


Overall, there is much that an employer can do in the way of monitoring. However, a well thought through policy is a must and the wise employer will stop and assess what it intends to do, why and how, before proceeding.

Michael Bradshaw is a Partner at Charles Russell and is an employment law specialist.