Workplace privacy arguably took a back seat during the pandemic as the working population grappled with seemingly more urgent concerns. But in the hybrid working world it is rearing its head as a difficult and complex issue for employers and employees alike.
Hybrid working has created a greater risk of work information becoming mingled with personal information as the boundaries between what is ‘work space’ and ‘private space’ and what is ‘work time’ and ‘personal time’ become blurred. This grey area can give rise to practical difficulties and potential disputes, such as the recent High Court case of Brake v Guy, which considered whether an employee who used her work email account for personal communications had any reasonable expectation of privacy in respect of those personal emails. The court held on the facts that she did not.
The use of work email accounts for employees’ private purposes is a perennial issue. Employees often forget that their employer may monitor the use of internal and external emails to ensure that their use is legitimate, lawful and not excessive. Whilst some employers may be cautious about reviewing emails which are obviously private, others may be less selective. It also creates issues for employees who are leaving a business, who may be keen to recover private emails stored on their work systems but may have difficulty sorting them from work emails or getting access to them once they are cut off from the company system.
Clouding the issue
Cloud-based computing is now a key feature of hybrid working. In one case, an employee who had been using his personal phone for personal text messages had been inadvertently logged into his work cloud platform, and consequently all of those text messages (some of which related to his dissatisfaction with his employer) were uploaded to a platform visible to his employer and colleagues. In another case, an employee of a start-up using Google Docs inadvertently uploaded personal documents containing private information for the whole company to see. Such cases represent a pertinent warning as to the privacy dangers of cloud-based systems and the risk of private information coming into the employer’s domain.
Employees are also often unaware that their employers have access to their internal chat platforms, such as Microsoft Teams, and that their conversations are not in fact private. Some employers use trigger-based software to monitor red flags on such platforms, or will perform random spot-checks for compliance purposes. Some less trusting employers may resort to ‘spyware’ to monitor employee productivity and to track employee location.
As we highlighted in our article last year, employers can rely on software to track how employees are spending their time: how many emails are being sent per hour, how often the mouse is used and what location they are working from, as well as to monitor traffic on Teams and other messaging channels. Employees should not overlook this and should be aware that their use of work devices and platforms is fettered.
But there are also tricky issues for employers, who cannot simply assume that the inadvertent appearance of private information on work-based systems means that all rights to privacy in that information have been waived. Employers should question whether their information security policies are adequate, and whether they have warned staff of the consequences of mingling work and private communications and the monitoring of such communications, as well as ensuring that the consequences that follow for employees are fair and reasonable.
Employers must also be aware of the risk of regulatory intervention if they allow the use of unofficial communications channels to run riot. In December last year, the Securities and Exchange Commission in the US announced charges against J.P. Morgan Securities LLC (JPMS), after JPMS admitted that, over a three-year period, its employees often communicated about securities business matters on their personal devices, using text messages, WhatsApp, and personal email accounts. None of these records were preserved by the firm as required by the federal securities laws. JPMS further admitted that these failures were firm-wide and that practices were not hidden within the firm. It received a fine of $200 million.
So what’s the message?
New ways of working bring new risks. From an employee perspective, the potential technological complexity of hybrid working creates a very real risk of confidential, personal information being disseminated more widely than originally intended. Employees need to be savvy, to ensure that their expectations of privacy in the workplace have caught up with the realities of the hybrid working world.
On the other hand, privacy breaches and monitoring systems raise a range of regulatory and practical issues for employers, and monitoring should not be used indiscriminately or without warning. In general, employment tribunals (and the Information Commissioner) take the view that employees ought to be warned of the consequences of the personal use of workplace systems. Regulators are also taking an increased interest in practices that might militate against proper record keeping, with potentially expensive consequences for employers who have failed to keep up.