A decision issued today by the European Court of Human Rights (ECHR) has confirmed that employers have the right, in certain circumstances, to access private messages sent by employees whilst at work.

Whilst the ECHR's decision is consistent with current regulatory guidance in the UK, it provides a helpful reminder that organisations need to clearly explain to staff what monitoring of IT systems may be carried out.


The case involved an engineer employed by a Romanian company, who had set up a Yahoo! instant messenger account to communicate with clients. The account was set up by the employee at the employer's request. The employer's IT policies prohibited employees from sending personal messages during working hours.

The employer subsequently informed the employee that it had been monitoring the employee's use of the Yahoo! account and that his use of the account had breached the employer's rules on personal use. The employer provided the employee with transcripts of the messages and dismissed the employee for breach of the employer's policies.

The employee challenged the employer's actions in the Romanian courts, eventually appealing to the ECHR on the grounds that there had been a contravention of his rights under Article 8 of the European Convention on Human Rights as pertaining to "private life" and "correspondence".

The ECHR decided (almost unanimously) that there had been no breach of Article 8. The employer's internal policies clearly prohibited personal use of IT systems. Given that systems should only be used for professional purposes and the employer had a legitimate interest in checking how its systems were being used, it was not reasonable for the employee to expect that his communications would not be monitored.

When can employers monitor communications?

Whilst the ECHR found that the employer was not acting unlawfully, organisations should not view this decision as a green light to monitor all staff communications.

Most organisations permit limited personal use of systems by their staff and therefore need to ensure that any monitoring balances legitimate business interests with the employee's reasonable expectations of privacy.

Organisations should therefore ensure that their employment IT policies:

  • Set out the circumstances in which systems and devices may or may not be used for private communications
  • Make clear the extent and type of private use permitted
  • Explain the purposes for which any monitoring is conducted, the extent of the monitoring and the means used
  • Explain how the policy is enforced and the consequences of a breach

When developing a policy, organisations should consider the privacy impact of any proposed monitoring, by carrying out a privacy impact assessment. Privacy impact assessments will be one of the cornerstones of the new General Data Protection Regulation (GDPR).

It is important that organisations ensure that their staff are aware of the policy. The policy should be reviewed regularly to ensure that it is being enforced consistently and that it reflects current technology and the way in which that technology is being used.

Classic examples of problems are policies that prohibit the use of personal devices when the IT department has enabled BYOD, or blanket restrictions on the use of social media when staff are being encouraged to use social media for professional purposes. In both these cases, the organisation needs to ensure that clear guidance is provided and that any monitoring does not infringe any legitimate expectation of privacy.

The ICO provides guidance on employee monitoring in the Employment Practices Code (PDF).

If you would like assistance reviewing your current policies or approach to monitoring the use of your IT systems, carrying out a privacy impact assessment or preparing for the new GDPR, then please get in touch with me or your usual Brodies contact.

Update (14/1/16): Brodies' Head of Employment, Tony Hadden, was on BBC Radio Scotland this morning to discuss the ECHR's decision and monitoring of employee communications. Listen again on the BBC website (at 1:51:15).


Martin Sloan