Lois Franxhi was an IT manager in Liverpool who had access to the Internet as part of her job. She used it to search for a holiday, carrying out almost 150 searches over four days. Her employer, however, was monitoring her Internet use and sacked her. This action was held to be justified by an employment tribunal last month, but the decision may be appealed.
A case like this raises difficult legal questions. The law has recognised that anyone who uses a phone or telecommunications system should have their privacy protected. The Irish Supreme Court recognised a constitutional right to privacy in Kennedy v Ireland 1987, a case which concerned the tapping of two journalists' phones. The Postal and Telecommunications Services Act 1983 makes it an offence to intercept phone conversations without authorisation and the Interception of Postal Packets and Telecommunications Act 1992 limits and regulates the interception of phone calls by the Garda. European law has developed along similar lines. The European Convention on Human Rights recognises a right to privacy and in Halford v UK 1997 the European court of Human Rights awarded damages to a senior English police officer whose phone had been tapped by her colleagues.
At the same time, employers have a right to ensure that employees do the jobs that they are employed to do and do not abuse the good name and equipment of an employer. Surveys exist which suggest that workers can use the Internet for up to half an hour a day conducting personal business, but employers may be more concerned that their workers are using Internet access for more dubious personal ends.
In the English case of R-v-Fellows and Arnold, Birmingham University discovered that one of its workers was using the university's computers to store some 11,650 pornographic images, including 1,875 filed under "child/minors", and using the university's Internet access to distribute them. He was prosecuted, convicted and sentenced to a term of imprisonment.
Since the enactment of the Irish Child Trafficking and Pornography Act 1997, Irish employers would have to be particularly concerned if their systems were being used to download child pornography. An employer who ignored the fact that his or her workers were downloading child pornography might commit an offence contrary to section 5(1) of that Act which prohibits the knowing facilitation of the import or export of child pornography or the publication or distribution of advertisements for such material. Companies and their directors, managers, and shareholders can be convicted of offences under this Act.
In any event, the Data Protection Act 1988 and the Data Protection Directive to be implemented shortly seriously complicate the position of an employer who wishes to monitor workers's online activities. The Act applies to personal data, which is data relating to a living individual who can be identified from the data or from other material.
It provides that personal data may only be processed if it has been obtained "fairly". This provision has yet to be examined by the courts, but it is quite possible that data obtained as a result of surreptitious monitoring would not be regarded as being fairly obtained.
Such data can only be kept for a specified and lawful purpose and only kept for as long as is necessary for that purpose. It must be adequate, relevant, accurate and up-to-date. The Act makes it difficult to secretly monitor workers, as it gives individuals the right to access their personal data. Institutions such as government departments or banks also have to register the existence of any such data with the Data Protection Commissioner.
The problem with this area is that at the same time as a right to privacy has been developing; technology has developed in a way that may make that right seem like an illusion. Systems that do more and more for the user also tend to retain more and more information about what they have done for the user.
To take one example, "firewalls" that companies use to protect their Internet connections from hackers routinely collect information about all access to the Internet from within that company. This is likely to include the URL of every web page visited, the date and time, and the user viewing the pages. At least, the "To", "From" and "Subject" lines of email will be recorded. If the company so wishes, the full text of all email messages can be stored.
The fact that technology makes it easy to monitor employees, however, does not mean that such monitoring will be permitted by the courts or the Employment Appeals Tribunal. The right to privacy of workers and the right of employers to monitor them may be difficult to reconcile. The best way of doing so is for employers to have an explicit policy on the subject. The best place for an employer to set out this policy is in workers's contracts of employment and collective bargaining agreements.
Denis Kelleher (www.ncirl/itlaw) is a practising barrister and co-author of Information Technology Law in the European Union to be published shortly by Sweet & Maxwell