Employee Monitoring in the Workplace: What Constitutes "Personal Data"?

In Copeland v. The United Kingdom (2007), the European Court of Human Rights found that the UK had violated Ms Copeland’s right to respect for her private life and correspondence under Article 8 of the European Convention on Human Rights by the way in which it monitored her telephone calls, email correspondence and internet use. Whilst it should be emphasised that this case related to an employer who had not implemented a policy covering the monitoring of employee communications, the reasoning of the Court highlights that employers should take special care to ensure that appropriate policies are applied fairly and are implemented in the first place.

The Court found as follows:-

• Emails sent from business premises could very well be part of an employee’s ‘private life and correspondence’.
• The collection and storage of personal information without the employee’s knowledge would lead to an interference in the employee’s right to respect for private life and correspondence.
• Monitoring may be considered necessary in certain situations but the court declined to clarify the circumstances in which it would be acceptable to do so.

The case emphasises that monitoring of employee communications should be undertaken with great care using always the least intrusive method. If monitoring is to take place, the rules should be clearly set out in a policy which the employees are made fully aware of.

******************************

The UK Information Commissioner has recently issued fresh guidance on what the term ‘personal data’ means. It gives practical examples and flowcharts which are of use to any Data Protection Officer or compliance personnel in the UK. The following questions are posed to assist the analysis:

1. Can a living individual be identified from the data, or from the data and other information in the possession of, or likely to come into the possession of, the data controller?
2. Does the data "relate to" the identifiable living individual, whether in personal or family life, business or profession?
3. Is the data obviously about a particular individual?
4. Is the data "linked to" an individual so that it provides particular information about that individual?
5. Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?
6. Does the data have any biographical significance in relation to the individual
7. Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?
8. Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?

Only a Court can rule on what the definition  in  the Data Protection Act really means, but guidance from the Information Commissioner is influential. Under Section 1(1) of the Data Protection Act “data” are defined as information processed or recorded in specified ways. “Personal data” are defined as: “… data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession, of the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual; …” . The guidance gives helpful practical examples which will assist the analysis of what is and what is not personal data, vital because the rules under the Data Protection Act only apply to the processing of personal data. The issue of the guidance followed on from a case brought by Michael Durant against the Financial Services Authority in 2003. He sought information held on him by the Financial Services Authority and the Court of Appeal ruled that just because a document contained his name, it was not necessarily defined as personal data. This decision led to the issue of the new guidance. The meaning of ‘relevant filing system’ was another feature of the Durant case and will be considered in future guidance from the Information Commission. We will update you as soon the guidance is issued.