A hotel owner has been informed that an employee has been receiving abusive e-mails from another employee. She has also heard that, as an employer, she could be sued by the employee who has received those e-mails. Is the manager able to legally monitor e-mails without letting the employees know?
The Regulation of Investigatory Powers Act 2000 (RIPA) prohibits employers from monitoring electronic communications (including e-mails and Internet usage) unless they have reasonable grounds for believing that parties to the communication have given their consent.
However, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBPR) qualifies this by giving businesses lawful authority to intercept communications in specified circumstances without the consent of the parties.
Under the LBPR, employers must make "all reasonable efforts" to notify employees that their communications may be intercepted. Interception is then permitted only for a purpose relevant to the employer's business and must be for a specified reason - for example, to establish the existence of facts which are relevant to the business, to ascertain compliance with standards and procedure, or to determine whether the communications are relevant to the business.
Additionally, the Data Protection Act 1998 (DPA) places restrictions on the processing of employees' personal data. "Personal data" includes all data from which a living individual can be identified, and "processing" covers the monitoring of e-mails.
Covert monitoring of e-mails - in other words, monitoring carried out in a manner calculated to ensure employees are unaware that it is happening - is rarely justified in law. Situations in which covert monitoring is permitted are where informing the employee would be likely to prejudice such matters as national security, the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty.
If the hotel owner starts covertly monitoring e-mails without justification, she could fall foul of the DPA and the RIPA. Additionally, she could face claims of constructive unfair dismissal, on the basis that, by covertly monitoring e-mails, the hotel has breached the mutual term of trust and confidence implied into every contract of employment.
If the hotel owner does want to be able to monitor employees' communications, she must have made "all reasonable efforts" to inform the employees that monitoring will take place. "Reasonable efforts" may be made by way of a staff notice, an entry in the staff manual, an e-mail usage policy, or in the written contract of employment.
Any monitoring should be carried out only after an "impact assessment" has been made which determines what monitoring (if any) is justified, in terms of the benefits it brings to the hotel. The Employment Practices Data Protection Code on Monitoring at Work (currently in draft form but due to be finalised soon) sets out guidance on impact assessments.
Employers have a duty to protect employees from harassment on the grounds of sex, race or disability, and can be found liable if they fail to take "all reasonably practicable steps" to prevent harassment.
Employees who are offended by certain e-mails may be able to bring claims of discrimination against the hotel. They may also be able to bring claims of constructive unfair dismissal on the basis that the hotel has not provided a safe workplace environment.
The hotel should ensure that it has done everything it can to protect employees from harassment, as the more it can show that it has taken preventive measures, the less likely it is that the hotel will be held liable.
The hotel should set out what is and is not acceptable in a clear and comprehensive e-mail usage policy. The policy should indicate what type of disciplinary action may be taken where the policy is breached. Any disciplinary action should be in accordance with the hotel's disciplinary policy, which should preferably be written (in accordance with the ACAS Code of Practice on Disciplinary and Grievance Procedures) and should include a clear statement that harassment (such as sexual or racial harassment) is unacceptable and may result in disciplinary action including dismissal for gross misconduct.
There should also be a clear written grievance procedure so that employees know how to raise grievances about matters such as harassment.
Lay down clear guidelines in an e-mail and Internet usage policy, and ensure that employees are made aware of the purpose of any monitoring and the extent to which their communications may be monitored.
Have a clear and comprehensive disciplinary and grievance procedure which complies with the ACAS Code and refers explicitly to e-mail abuse and harassment.
Carry out an impact assessment before any monitoring takes place.
Guidance on the DPA can be found at:
An employer can be held responsible for the actions of an employee who abuses the e-mail system.