Privacy on parade – the circumscribed right to a private life

A new ruling of the Employment Appeal Tribunal (EAT) raises important questions about when employees can have a reasonable expectation of privacy in respect of material on their personal devices. In essence, the EAT ruled that there was no breach of an employee’s right to private life when his employer used emails and photos obtained from his mobile phone by the police in the course of a criminal investigation for disciplinary purposes (Garamukanwa v Solent NHS Trust).

This follows the judgment of the European Court of Human Rights last year that an employer had not breached an employee’s right to privacy when it reviewed Yahoo Messenger conversations between an employee and his brother and his girlfriend containing intimate details about his health and sex life (Bărbulescu v Romania). That case was hailed by many as conferring on employers the right to read their employees’ private communications, but in reality it did nothing of the sort. Bărbulescu merely applied long established principles from earlier case law, indicating that where an employee has an expectation of privacy, “ monitoring should be a proportionate response by an employer to the risks it faces taking into account the legitimate privacy and other interests of workers”.

There is in effect a two-stage test:

• Is there an expectation of privacy?
• If so, was there a legitimate reason for the intrusion and were the means chosen proportionate?

The case of Garamukanwa concerned an NHS Trust using material obtained from the police in disciplinary proceedings against an employee. The police, in turn, had seized the material in the course of a criminal investigation. Mr Garamukanwa’s complaint was that his right under Article 8 of the European Convention on Human Rights had been infringed by his employer examining matters relating purely or essentially to his private life and using evidence in relation to such matters to justify its decision to dismiss him.

The background to the case was that after a relationship between Mr Garamukanwa and a nurse called Ms Maclean ended, he suspected that she had started another relationship with another member of staff called Ms Smith. There was a campaign of anonymous letters and emails (some indicating that the author may have been following Ms Maclean and Ms Smith) and a fake Facebook account to which the names of 150 Trust employees were added. Ms Maclean complained to the police but no charges were ultimately brought against Mr Garamukanwa. 

When the Trust began an internal investigation, the police handed over material taken from Mr Garamukanwa’s mobile phone. This included a photograph of a sheet from a notebook containing email addresses, which suggested that he was the author of the anonymous emails. As a result, the Trust made a connection between Mr Garamukanwa and the malicious emails and he was dismissed.

The EAT confirmed that whether an employee has an expectation of privacy depends on the facts of the individual case. Did Mr Garamukanwa have a reasonable expectation of privacy in emails and photographs which the police had obtained? On these facts, the answer was no. He could not have an expectation of privacy in relation to material about a personal relationship with a work colleague, which had turned into a workplace issue by his own conduct.

Mr Garamukanwa argued that the Trust had failed to distinguish between the “public” material (such as the anonymous email send to the Trust’s staff and managers), the “private” material (such as emails sent to his former girlfriend about his feelings and their relationship, and photographs on his phone, which were not sent to anyone. Reliance on private material unjustifiably breached his right to private life, rendering the dismissal unlawful.

The EAT disagreed with this contention, ruling that Mr Garamukanwa had no expectation of privacy in respect of what he called the “private” material because he brought it all into the workplace and used work email addresses. There were also adverse consequences in the workplace for employees to whom the Trust owed a duty of care.

It is interesting the EAT decided that Mr Garamukanwa had no expectation of privacy at all over his interaction with his former girlfriend. It was perhaps not necessary to go that far. Many of the factors which the EAT considered prevented an expectation of privacy arising were matters which would definitely justify the intrusion (because the Trust had a duty to intervene to protect the other employees from the campaign of harassment). While it is clear on the facts why the EAT reached the conclusion it did, employers should be wary of assuming an employee has no expectation of privacy just because something is on workplace systems or affects colleagues.

Instead, employers should consider what the relevant policies say (for example, any policy on “acceptable use”):

• Do your policies indicate expressly that communications may be monitored and, if so, in what circumstances?
• Do they go on to state that, because correspondence may be reviewed and read for business reasons, employees should have no expectation of privacy on anything sent or received via workplace systems?
• Do your policies apply to all users, as opposed to their application being confined just to employees?
• Do you have appropriate language concerning monitoring and investigations in not just your acceptable use policy, but also your social media and Bring Your Own Device/Choose Your Own Device policies?

Employers with policies of this kind in place are well placed to defend any claim that a user’s privacy has been infringed, but should not stop there. Before undertaking any form of monitoring or investigation, an impact assessment should be conducted and documented which balances the reason for the intrusion against the extent of the intrusion.

Referring back to two-stage test above, any intrusion should be a proportionate response to an identified risk. If an expectation of privacy arises on the facts, you need to demonstrate that you satisfy the second limb of the test – namely, you had a compelling reason and your intrusion was no greater than necessary to address the risk you had identified.