Commonly asked questions on the legal issues relating to data protection, surveillance and privacy in the workplace
Here we list a selection of key cases on data protection, surveillance and privacy at work, providing a summary of the decision and implications for employers
Bărbulescu v Romania | European Court of Human Rights | 12 January 2016
 ECHR 61
Issue: Data protection – monitoring
This ruling gave substantial guidance for employers undertaking monitoring.
An employee was dismissed for breaching the employer’s IT policy that prohibited any personal use of IT equipment. Bărbulescu had previously been told to set up a Yahoo Messenger account for work purposes as well as his personal Yahoo account.
The employer had reminded employees of the IT policy and reiterated that personal use of the internet, phone or fax machine was not permitted. The employer’s notice confirmed that employees’ work would be monitored, and that misconduct would be punished.
The employer monitored Bărbulescu's communications and informed him he was in breach of the policy. Bărbulescu said he had only used Yahoo Messenger for work purposes, but the employer had a long transcript of his communications, including some personal communications with his brother and his fiancée. He was dismissed and challenged the dismissal in the Romanian courts. He lost, largely because he had been told about the company's position on personal use of IT equipment and about the monitoring. He then claimed in the ECHR for a breach of his Article 8 rights (right to respect for private life).
The ECHR held that the employee's right to a private life had been breached by the employer's monitoring. There had to be a fair balance between the employee's right to respect for his private life and the employer's right to run the company.
The right to respect for private life continues to exist at work, even if this right may be restricted in so far as necessary.
Implications for employers
The European Convention on Human Rights gives a right to respect for private and family life, home and correspondence (Article 8).
Employers should have comprehensive IT policies, which all staff know about, and which are regularly updated and reviewed. However, these IT policies and any monitoring practices should incorporate safeguards to prevent breach of the Article 8 right.
This case decision does not mean that employers can no longer monitor employees at all, but organisations should be careful about monitoring, even if their purpose is simply to ensure employees are not using their IT systems inappropriately.
The Regulation of Investigatory Powers Act 2000, and the Investigatory Powers Act 2016 and regulations, govern monitoring of electronic communications. Guidance on monitoring is also provided by the Information Commissioner's Office.
- consider if monitoring is required and decide the least intrusive method of doing so
- inform employees that monitoring may take place, if monitoring is necessary
- assess the degree of intrusion into employees' privacy caused by the monitoring
- monitor the flow of communications rather than the actual content of communications
- limit the number of people who have access to any data collected to make the monitoring less intrusive.
Each time monitoring is proposed employers should assess whether it is appropriate in the circumstances and should remain alert to changes in law governing this area.
Williams v Leeds United Football Club | High Court | 19 February 2015
 EWHC 376
Issue: Data protection – dismissal for email abuse
The technical director of Leeds United was given notice of an imminent redundancy. A week later he was summarily dismissed for gross misconduct when the club discovered that, five years before, he had sent a pornographic email to a friend at another football club and also to a younger, junior female member of staff – the receptionist – at Leeds United.
It emerged that Leeds United had actually made a decision not to pay him for his notice period before notice of redundancy, and deliberately went through his emails to try to find evidence of misconduct. The emails were in clear breach of Leeds United’s email and internet use policies, but Williams had never been shown these policies. He accepted that the emails were inappropriate but claimed that this was not gross misconduct enabling termination of his contract without notice.
He brought High Court proceedings for wrongful dismissal for the salary and benefits he would have received during the notice period.
The High Court found in favour of the employer and dismissed Williams’ claim for wrongful dismissal. He had committed gross misconduct five years earlier, and the club was entitled to accept this as a repudiatory breach of contract even though it was discovered so much later. The club was able to justify his dismissal by referring to evidence, discovered only after his dismissal, that he had also sent the offensive attachment to the receptionist at the club.
The fact that the emails had been sent five years earlier was immaterial as the employer had acted promptly when they were discovered. The motives to avoid paying notice pay were also irrelevant. It did not matter that the email and internet use policies hadn’t been shown to Williams as the emails were so clearly inappropriate that he should have known not to send them, especially given his seniority. Involving a much more junior member of staff was gross misconduct as she couldn’t complain and, by doing so, he had exposed the club to a sex harassment claim.
Implications for employers
Organisations that want to dismiss employees and avoid paying their notice pay may be able to use an employee’s misuse of their IT systems, especially transmitting inappropriate material, to defend the dismissal in the event of a claim. But for any dismissal, they must follow a fair procedure and act fairly.
Failure to carry out a proper investigation, for example, could make a dismissal unfair and mitigating factors, such as an unblemished service record, may have an impact on the fairness of the dismissal. If the HR team have been aware of issues for some time, but have taken no action, then a dismissal may be unfair.
Organisations must have a clear policy on social media, email and internet use that links in with the disciplinary policy, and keep it updated. They should ensure that the IT policy:
- clearly states that breach of the policy is potentially gross misconduct
- makes it clear that posts on private social media accounts are covered by it
- is brought to the attention of all employees.
In less serious cases, or cases involving more junior employees, the policies that the employer has are of even greater relevance. Employees should be treated consistently across the organisation, and any potential breaches of the policy should be fully investigated.
Edem v Information Commissioner and Financial Services Authority | Court of Appeal | 7 February 2014
 EWCA Civ 92
Issue: Data protection – data subject requests
Before this case it was thought that employers would only need to disclose data which was of ‘biographical significance’. For example, information would need to go beyond a mere mention of an individual's name in a matter with no personal connotations, such as a meeting request e-mail. It was also thought that to be covered the information must have the individual as its focus, affecting his or her privacy, whether in a personal or business capacity.
Freedom of information applications for disclosure of third party information became less likely to succeed following this case.
Edem made a request to the Financial Services Authority for information about the handling of an earlier complaint. He wanted to use data protection subject access rights to find out data, including the names and job titles of the junior staff who had dealt with his complaint. This contrasted with the Durant case, where the access request related to his own name. The FSA refused to provide names of the three junior employees because this was personal data and so should be exempt from disclosure.
Looking at legal tests applied in earlier cases, the question was whether it was necessary to decide if the names and job titles were ‘biographically significant’. It appeared that names alone did not satisfy this test from the earlier Durant case.
The Court of Appeal ruled that third party names, requested under the Freedom of Information Act 2000, could be withheld on data protection grounds. Importantly the court said that personal data should be interpreted in accordance with Information Commissioner’s Office guidance and that the Durant case only applied to limited situations.
When trying to work out whether an individual’s name is personal data, the CA said that biographical significance was irrelevant. The question was whether the data identified a living individual, although the biographical significance test should be used occasionally if needed.
The court held that:
Names are personal data, provided that the context is sufficient to identify individuals. In this case, the context of the individuals' employment in a particular capacity at the relevant time was sufficient to identify them. In contrast, the request in the Durant case was for documents in which Durant was merely mentioned by name.
Only if the information requested was not obviously linked to an individual was the ICO guidance on biographical significance and focus tests needed.
Implications for employers
This ruling has wide implications for employers handling data subject access requests. Under the legislation, individuals (data subjects) including employees can request access to personal data which the employer holds about them.
Under the freedom of information legislation, individuals can also request access to information that is held by UK public authorities, unless an exemption applies. However, third party personal data is exempt from being revealed if its disclosure would go against any data protection principles.
The ICO guidance is the starting point when identifying what information must be disclosed. This says:
- If information is obviously about someone, such as their name, or clearly linked to them, then it is personal data.
- If the situation is not so obvious, then information which is not obviously about someone or clearly "linked to" them may be withheld.
References to third party names are not automatically personal data. However, if names reveal the job title of the employees and so on, this may be personal data. If an employee is simply copied in on an email, with no other information about them, this is unlikely to constitute their personal data. It mostly depends on the context.
Crisp v Apple Retail (UK) Ltd | Employment Tribunal | 20 September 2011
Issue: Data protection – employer’s reputation on social media
An employee at Apple Retail enquired about a possible transfer to the US. However, he was unable to obtain a US visa and the company would not sponsor him, which made him disgruntled.
He made a series of Facebook posts that used swear words to criticise working at Apple and made other criticisms about the company and its products. He was suspended pending an investigation and was summoned to a disciplinary hearing for making the comments on Facebook. He was unable to access the disciplinary procedure so had only one hour to familiarise himself with it before the initial meeting. Following the hearing, he was dismissed for gross misconduct for bringing the company’s name into disrepute.
He had previously had training in the company’s policies and guidelines, which included how an employee’s actions outside work and online could affect the employer’s reputation. He had been notified that a breach of the policy may result in disciplinary proceedings.
The employee claimed unfair dismissal, breach of his Article 8 right to respect for private and family life under the European Convention on Human Rights, and infringement of his Article 10 right to freedom of expression.
The employment tribunal found in the company’s favour and dismissed Crisp’s claim for unfair dismissal. The organisation had conducted a reasonable investigation and had clear evidence regarding the social media posts. The failure to provide Crisp with the disciplinary procedure prior to the appeal stage was not enough to make the disciplinary process unfair, as his previous training was sufficient to make him aware that these comments were capable of damaging the employer’s reputation.
The Article 8 right to respect for private and family life did not arise because of the nature of social media and the ease with which information can be distributed. The Article 10 right to freedom of expression was balanced by Apple’s conduct in limiting this right to protect its reputation.
Implications for employers
Although this is only an Employment Tribunal decision and is not binding on other tribunals, it is a useful example of how the law treats misuse of social media in the workplace. Employees’ actions on Facebook are sufficiently linked to employment to justify dismissal.
Employers should review their IT policies regularly to ensure that they are sufficiently up to date, are linked to disciplinary and dismissal procedures, and make it clear that any breach of the policy could potentially be gross misconduct.
Training in social media policies may assist organisations that wish to dismiss employees for comments that could damage their reputations. They must be able to show that policies have been brought to the attention of employees, and that their policies make it clear that postings made on private social media accounts are covered too.
Preece v JD Wetherspoons plc | Employment Tribunal | 2 February 2011
Issue: Data protection – misuse of social media
Preece, who was a shift manager at a Wetherspoons pub in Cheshire, and her colleague were subjected to a shocking torrent of verbal abuse and physical threats by a group of customers, particularly by two known customers. The manager was threatened with a cane and asked the customers to leave the pub because of this behaviour.
That evening the daughter of the problem customers made a series of unpleasant phone calls to the manager’s colleague, threatening them with a P45. That evening Preece began Facebook and real-life discussions about what had happened, in which she was rude about the two known customers.
The organisation received a complaint from the customer’s daughter about Preece’s Facebook entries and began an investigation.
The manager knew about the company’s policies on MySpace and Facebook, which stated that employees should not contribute to any content lowering the reputation of the company or its customers. She stated, in mitigation, that she had been subjected to three abusive telephone calls from these customers and their daughter.
At the disciplinary hearing, Preece admitted that her actions were in breach of company policy. However, she said her privacy settings meant that her Facebook messages would have been seen only by a maximum of 40 to 50 friends, rather than all her 646 friends.
She was dismissed for gross misconduct and appealed on the grounds of the severe provocation. However, the dismissal was upheld and a claim for unfair dismissal followed.
The tribunal found that the employer genuinely believed that Preece had committed gross misconduct. The organisation had carried out as much investigation into the matter as was reasonable in all the circumstances. The Facebook activities were in the public domain. Under the European Convention on Human Rights, the employee had the right to freedom of expression, but the employer’s actions were justified in view of the risk of damage to its reputation.
The tribunal stated that if the Facebook entries had been made more in the heat of the moment, the organisation may have considered the manager’s misconduct warranted a final written warning, rather than dismissal. But there had been sufficient time for Preece to calm down between the incident occurring and her comments, and the dismissal was within the range of reasonable responses open to the employer.
Implications for employers
This case is a good example of how an employee who has mitigating factors in their favour may still be dismissed fairly for misconduct.
It is essential that all employers have, and follow, a clear and comprehensive policy on their employees’ use of social media.
Copland v United Kingdom | European Court of Human Rights | 26 June 2007
 ECHR 253
Issue: Data protection – monitoring
An employee at Carmarthenshire College had her telephone, internet and email use monitored to ascertain whether she was making excessive personal use of them.
The college said her telephone use was monitored only by analysing telephone bills for a few months. The employee said incoming calls were monitored as well as outgoing calls, and that the length, volume and telephone numbers were logged for at least 18 months, and her emails monitored for at least six months.
The college did not have a policy on monitoring employees’ communications.
The ECHR held that the monitoring was in breach of Article 8 rights to privacy under the European Convention on Human Rights as employees were not even warned that they could expect such monitoring to take place. It awarded compensation of €3,000 in respect of damages for stress, anxiety, and inability to sleep, plus €6,000 for costs.
Implications for employers
Organisations must have policies covering the monitoring of employee communications and apply these policies fairly.
The Regulation of Investigatory Powers Act 2000 (RIPA), and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 made under RIPA, which cover such activities, had not come into force when this case was heard. Since the employee had not been informed of the monitoring, or consented to it, the employer’s actions were a breach of Article 8 and a criminal act.
Employees are entitled to a significant degree of privacy at work. Organisations should note that:
- It is a criminal offence for employers to intercept employees’ communications unless both parties to the communication consent, or the employer has taken reasonable steps to inform employees that their communications might be monitored.
- They must be able to justify any monitoring by real reasons and benefits.
- Monitoring employees’ communications can amount to a breach of the duty of trust and confidence, entitling an employee to resign and claim constructive unfair dismissal.
Durant v Financial Services Authority | Court of Appeal | 8 December 2003
 EWCA Civ 1746
Issue: Data protection – personal data and manual records
This case involved a very long-running dispute between a former Barclays Bank customer and the Financial Services Authority (FSA, now the Financial Conduct Authority).
Durant wanted access to personal information which the FSA refused to give him. It was critical in the case to establish precisely what ‘personal data’ meant under data protection law in force at the time. Although the law has moved on since, the case remains very useful for employers trying to fully understand the complexities of personal data and filing systems.
The Court of Appeal judges decided against Durant, ruling that merely mentioning an individual's name in a document does not make that whole document personal data. This meant that some data could not be obtained by an individual under their rights of access. The CA said personal data covers personal information that affects a person's privacy, whether in their personal or family life, business or professional capacity.
The CA also gave guidance on the kinds of manual files that were covered by subject access. Paper-based personal information was subject to the data protection legislation, but only if the information was recorded in a highly structured filing system so that specific information about a particular individual could be readily located.
Implications for employers
At the time, the Durant case was ground-breaking, because the Court of Appeal clarified the two most important data protection issues, namely:
- what makes data personal
- what was meant by a relevant filing system.
The law has developed since this case. As well as detailed guidance from the Information Commissioner's Office, developments have included the Data Protection Act 2018, the General Data Protection Regulation and updates to the Freedom of Information (FOI) legislation.
Following this case (and the subsequent legislation):
- Personal data now includes information relating to an ‘identifiable natural person’. This includes a person who can be identified, directly or indirectly, by reference to their name, or an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- Processing of personal data covers processing by automated means, and non-automated processing, which is intended to form part of a filing system.
- Under certain circumstances, personal data includes online identifiers such as IP addresses and mobile device IDs.
For example, there are many individuals called John Smith but where the name is combined with other information (such as an address, place of work, or telephone number) this will usually be sufficient to clearly identify one individual.
Under the Data Protection Act 2018, even unstructured manual information processed by public authorities constitutes personal data. This includes paper records that are not held as part of a filing system. Although it is personal data, it is exempted from most of the principles and obligations in the GDPR.
Employers should be cautious and make sure all data is secure and not stored for longer than necessary. Also see the implications in the Edem case.
Halford v United Kingdom | European Court of Human Rights | 25 June 1997
 ECHR 32
Issue: Data protection – monitoring
An assistant chief constable with Merseyside Police unsuccessfully sought promotion and then started tribunal proceedings, claiming the reason for her failure to progress further was sex discrimination.
She alleged a campaign against her followed in response to her sex discrimination claim, including press leaks and interception of her telephone calls. She claimed a breach of her Article 8 rights to privacy under the European Convention on Human Rights when her phone calls from her office were intercepted for the purposes of obtaining information to be used against her in the discrimination proceedings. She also claimed her phone calls from home were intercepted.
The ECHR held that:
- the telephone conversations in Halford's office at the police headquarters fell within the scope of her private life and correspondence
- the police authority violated her Convention rights to privacy when it tapped her office telephone calls to gather information in order to defend the sex discrimination claim.
No warning was given that calls made on the office telephone would be liable to interception, and so Halford had a reasonable expectation of privacy for such calls. She was not able to show that her telephone calls made from her home had been intercepted. She was awarded £10,000 damages but her claim to have suffered a stress-related illness as a result of the breach was rejected.
Implications for employers
Article 8 of the European Convention on Human Rights gives a right to respect for private and family life, home and correspondence. Employers’ monitoring practices should incorporate safeguards to prevent breach of the Article 8 right.
Organisations must identify the purpose and benefits of monitoring; an impact assessment which achieves this may range from a few moments’ thought to a detailed analysis.
If monitoring is to be used, businesses must:
- have a clear policy on privacy, which refers to the nature and extent of any associated monitoring, and make employees aware of the policy
- tell employees what monitoring is taking place and why, and keep them aware of this
- ensure that the sensitive data conditions are satisfied under the data protection legislation if sensitive data (such as health information) is monitored.
The staff that have access to personal information obtained through monitoring must be kept to a minimum and be properly trained in confidentiality and security requirements.
Personal information collected through monitoring must only be used for purposes for which the monitoring was introduced, unless it reveals activity that no employer could reasonably be expected to ignore (for example, criminal conduct).
Please note: While every care has been taken in compiling these notes, CIPD cannot be held responsible for any errors or omissions. These notes are not intended to be a substitute for specific legal advice.