Who Watches the Watchmen? Surveillance & Monitoring in the Workplace
A talk by Paul Scholey, Senior Partner, Morrish Solicitors LLP
To IER, November 2016

Introduction
Outline
The size of the problem
See, e.g., The Surveillance Road Map: https://ico.org.uk/media/for-organisations/documents/1042035/surveillance-road-map.pdf
Public authorities vs the private employment relationship
Objectives

Legislative Framework
DPA 1998
The ICO and the Employment Practices Code
The Regulation of Investigatory Powers Act 2000
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
European Convention on Human Rights & HRA 1998
Common Law, e.g. effect of employment contract

Outside scope
Protection of Freedoms Act 2012 (and a bunch of public law precursors/offshoots)
Freedom of Information Act
Safe Harbour: transfer of data EU-US (now the Privacy Shield)
The Right to be Forgotten
Section 60 Equality Act 2010: pre-employment questionnaires
Breach of Confidence/Privacy

Recent and the near future

The Data Retention and Investigatory Powers Act 2014 and The Data Retention Regulations 2014
Leading to: The Investigatory Powers Bill 2016 (Act by 31.12?)
The EU General Data Protection Regulation

The Employment Practices Code
Recruitment
Vetting
Records of employment
Monitoring: where we will concentrate
Detailed provisions in relation to retention of health records

EPC: Recruitment

Very detailed provisions
Consider:
Relevance
Extraneous information
Information only becoming relevant post-commencement of employment

EPC: Records

E.g. personnel files
Generally consent not needed for such files
But care required to distinguish between e.g. records of absence and of health
Consider who accesses what?

EPC: Monitoring
Types:
Electronic monitoring of throughput, e.g. typing or supermarket checkouts
CCTV in the office & use e.g. in PI cases
Email: random checking and/or electronic checking
Vmail
Social Media accounts: Facebook; LinkedIn; IM
Blogs
Telephone calls, e.g. to check premium rates/private use

EPC: Monitoring
Has the employer undertaken an impact assessment?
A proportionality test
Are other, less intrusive methods available?

EPC: The effect of Article 8
Article 8 ECHR: the right to family and private life
Qualified, but are limits proportionate/necessary in a democratic society?
The development of ECtHR jurisprudence and the approach of the UK courts and Tribunals, most recently in Social Media cases

EPC: Article 8 - Cases
Halford v UK [1997] IRLR 471
Copland v UK ECHR 62617/00
Atkinson v Community Gateway Association UKEAT/0457/12/BA
Barbulescu v Romania 61496/08 [2016] ECHR 61
Garamukanwa v Solent NHS Trust (2016)

Other cases on internet use
Grant v Mitie Property (2009)
McKinley v SoS Defence (2004)
RBS v Goudie (2003)
City of Edinburgh v Dickson (2009)

EPC: Monitoring requirements
Employers should tell employees:

Circumstances of monitoring
When
What
How
How used
Limit availability to management subset?

EPC: Monitoring - practical issues
EPC imposes a positive obligation on employers to be proactive
Things to consider:

Induction check policy
IT systems to check that information has been provided
Reminders, e.g. memos or emails
Training
Surveys of staff to check understanding
Might be possible to assume consent but
For sensitive personal data consent specifically needed
Tell workers to mark "personal" or similar
Only check addresses or headings in emails
Only exceptionally look at personal email/SocMed accounts

RIPA 2000 - Interception
Private and public networks
Communications being transmitted
So opening an already-read email may not be RIPA-proscribed

RIPA - What's covered:
Telephony
Email
Social Media
(not e.g. records: the domain of the EPC)

RIPA - Lawful authority
Does the interception have lawful authority?
Can be under RIPA or the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP Regs)
Warrants/authorisations: the public law element, not for this talk
Consent
Are there reasonable grounds to believe that the Sender AND the Recipient consent to interception?

RIPA - The LBP Regs
Came into force on the same day as RIPA
A response to the business lobby
Sets out the exceptions to requiring consent

RIPA - The LBP Regs
Exceptions:

Checking compliance with procedures/regulation
Checking compliance with standards
Detection of crime
Detection of unauthorised use
Checking the effective operation of the system
Must concern communications relevant to the business
Users must be told that interception may take place

RIPA - The LBP Regs
Enforcement:

In the public arena, by way of complaint to the Investigatory Powers Tribunal (IPT has upheld about 10 complaints out of 1500 since 2000)
And unlawful interception is a criminal offence
But otherwise no private law remedy under RIPA

Next: The Investigatory Powers Bill 2016
Powers of bulk interception
Collection in bulk of e.g. website usage
Dr Gus Hosein, Executive Director of Privacy International:
Hacking by any other name
Leaves the right to privacy dangerously undermined and the security of our infrastructure at risk

IPB 2016 - details

Access to web and phone companies' records
An itemised list of each citizen's browsing history
Powers to collect bulk data including e.g. NHS records
Warrant powers for bugging computers and phones, with tech companies legally obliged to assist: what of Apple v FBI?
Because obviously we don't know enough:
In 2014 there were 517,236 authorisations given, pursuant to requests for comms data from the police or other public authorities

IPB 2016 - details
Protections:
Warrants to require ministerial authorisation
A panel of judges with a power to veto (but a procedural check: what about a joint decision as to reasonableness?)
A new Investigatory Powers Commissioner
An annual report on the impact and extent of use of powers

IPB 2016 - quotes

"The spies have gone further than [Orwell] could have imagined, creating in secret and without democratic authorisation the ultimate panopticon. Now they hope the British public will make it legitimate." (Heather Brooke)
"In every other country in the world, post Snowden, people are holding their governments' feet to the fire but in Britain we idly let it happen." (David Davies MP)
"By my read [the draft bill] legitimises mass surveillance. It is the most intrusive and least accountable surveillance regime in the West." (Edward Snowden)

The GDPR: Summer '18?
The EU's General Data Protection Regulation
ICO presently advising UK to prepare for it now, 2 years ahead of time
Tighter controls on what data can be processed, how, and by whom
A new approach to consent: freely given, specific, informed and unambiguous; an end to pre-ticked boxes?

Any Questions?
