If you require any further information on the items featured in this newsletter or indeed advice on any other employment matter, please contact one of our employment solicitors to the right.
You can also download a copy of this newsletter in PDF format here
In this edition of our Employment Newsletter, we consider various employment law issues arising from the use of technology and social media in the workplace, as well as looking at some high profile cases involving employment matters in the technology industry.
In this newsletter:
- Social media and internet misuse
- Private messages sent at work can be read by employers
- Egg freezing: an employee perk?
- Age discrimination in the tech industry
- Reddit dismissal
- Data protection: compliance and US safe harbour principles
Social media and internet misuse
Technology has become an integral part of our daily lives both at home and at work. Businesses need technology to thrive and it has changed the way people communicate around the world. The increasing use of social media means employers need to be more vigilant about potential internet and social media misuse by employees, which could lead to dismissal for misconduct or even gross misconduct.
An employer cannot normally take action against its employees for what they do at home, provided no damage is caused to the employer’s reputation. However, case law has established that an employee’s actions may damage an employer’s reputation, even if those actions take place outside of work, particularly in relation to social media.
Examples of cases in which the Employment Tribunal has held that dismissals for misuse of social media were fair include:
- Derogatory comments posted on Facebook about the employer;
- Offensive comments posted about colleagues on Facebook;
- Offensive personal posts on Twitter unrelated to work;
- Distribution of pornographic content using work email;
- Excessive amount of time using the internet for personal use during working hours; and
- Inappropriate emails sent from a personal account to clients.
However, it is important to note that whilst these actions have been treated as sufficiently serious to justify dismissal, each claim is very much decided on a case by case basis. The determining factor is often the IT policies and social media policies in place, alongside the severity of the conduct.
Despite the obvious business necessity of making IT resources and communications systems accessible to employees, the improper and inappropriate use of such resources and systems carries risk for the employer, including potential unauthorised disclosure of confidential information, infringement of intellectual property rights and employee harassment and privacy violations. An IT policy allows an employer to minimise legal risk whilst harnessing the maximum benefits from these vital business resources.
A good IT policy should address the key issues that arise in employees’ use of IT resources and communications systems. It should also include information on employees’ privacy expectations and use of company e-mail and social media. The policy should be widely circulated and regularly reviewed to keep up to date with changing law, business practices and technologies.
If you require any further information or advice on social media and internet misuse in the workplace then please visit our employment contracts page.
Private messages sent at work can be read by employers
The European Court of Human Rights has recently ruled that employers can read their workers’ private emails and messages sent during working hours.
This ruling stems from a Romanian case involving an employee who claimed his right to privacy had been infringed after his employer went through his emails, without seeking his permission. The employee had used his Yahoo messenger account to send personal messages to both his brother and fiancée during working hours. The court ruled in favour of the employer, stating that it was “not unreasonable that an employer would want to verify that employees were completing their professional tasks during working hours.”
Crucially, the employee had been informed beforehand that he was not permitted to use company resources for his own personal use. This meant that he could not subsequently claim it was a breach of his human rights for his employer to monitor what he was doing. The employer had also acted within its disciplinary process as it had accessed the Yahoo account on the assumption that the information was related to professional activities.
This judgment does not, however, give an unfettered right for employers to “snoop” on their employees.
In this particular case, the employer had implemented an absolute ban on using its IT resources for personal use, which entitled the employer to properly investigate by reading the employee’s emails. Many employers allow some personal email use at work. As such, they could easily find themselves in breach if they read personal emails without justification and without a clear policy giving them permission to do so.
This case highlights the importance of having a set of policies in place to define what information employers are entitled to access and how they can go about accessing such information. This should be in addition to policies on employee internet usage during working hours and employers should ensure that such policies are communicated to all of their staff.
It should be noted that this is a decision of the European Court of Human Rights, rather than the Court of Justice of the European Union (commonly referred to as the ECJ), and so would not be directly affected by the EU referendum decision of 23 June. However, as the EU mandates that all members must sign up to the European Convention on Human Rights, the UK’s withdrawal from the EU would open up the possibility of a future government repealing the Human Rights Act and withdrawing from the Convention. The Conservative party has previously stated that it would consider replacing the Human Rights Act with a UK “Bill of Rights”, and so there is the genuine possibility of this becoming a manifesto pledge in a future general election.
If you require any further information or advice on private messaging in the workplace then please visit our employment litigation page.
Egg freezing: an employee perk?
American technology giants are well known for offering extensive benefits packages to their employees. Last year, Apple and Facebook began offering egg freezing for US-based female employees as an additional perk. Each organisation offers an allowance of up to $20,000 which can be put towards freezing eggs, in the hope of attracting and retaining talented female staff.
This is presumably an attempt to rectify the gender imbalance within such companies given that Apple and Facebook reported 69% and 68% male workforces respectively last year.
Although some may see this as another great benefit, starting a family is a very personal decision for every woman, and some have expressed concern about the pressure this could put on female staff to delay having a child until later in life. Clearly, the decision about when to start a family should be based on when it is right for the individual, not when it suits the company they work for.
In the UK, qualifying employees have the right to request flexible working and, last year, a new shared parental leave scheme was introduced, allowing working parents flexibility over how they take leave in the first year of their child’s life. Employers who provide employees with the opportunity to spend more time with their family are more likely to retain quality staff and get a positive and productive response from their workforce. It will be interesting to see whether the unusual perk offered by Apple and Facebook will have the same impact.
If you require any further information or advice on family rights in the workplace then please visit our family rights page.
Gender pay-gap reporting
In the UK, the government is attempting to address the gender imbalance and discrepancy in pay amongst men and women with the introduction of gender pay-gap reporting. For the first time, larger employers (i.e. those with 250 employees or more) are going to be required to calculate and publish details of how they pay their male and female employees. However, public sector employers are not subject to these reporting requirements.
This new obligation is likely to be quite onerous and problematic for employers. It could well raise employee relations issues and cause reputational harm and it may even trigger potential equal pay claims from disgruntled employees. At the very least, employers could face embarrassment from the information they have to disclose.
The new gender pay gap reporting obligations are expected to come into force in October 2016. Current salary and bonus information will need to be analysed and reported on, so employers should be considering the potential impact of this new obligation now.
Age discrimination in the tech industry?
In addition to gender imbalance, the technology sector is known for employing a disproportionate number of young employees and is often accused of age bias.
Making recruitment and dismissal decisions based on age is against the law. However, age discrimination is considered to be commonplace in the tech industry and some companies do not even attempt to disguise this. The CEO of HubSpot, the American software and marketing company, was particularly vocal about this issue a few years back, explaining to the New York Times that the age imbalance at the Company was not something he wanted to remedy, but in fact something he had actively cultivated as “in the tech world, grey hair and experience are really overrated”.
Employers who think this way often use the excuse that as technology changes so fast, older people simply cannot keep up. However, in addition to breaking the law (and risking a claim for age discrimination), these organisations could be depriving themselves of great talent.
The risk of age and gender discrimination is not unique to the technology sector. Age and gender bias are risks for all businesses throughout all sectors. Employers can only justify age bias if there is a genuine reason for it. The Employer must have a legitimate aim and the means of achieving that aim must be appropriate and necessary. For example, an Employer may be able to justify requiring a certain level of seniority for a senior position (meaning younger employees won’t qualify) due to the need for experience to undertake the role. However under usual circumstances, it is very difficult for Employers to justify any form of age discrimination.
If you require any further information or advice on age discrimination please visit our equality and discrimination page.
Reddit, the news and social networking site came under fire last year for the dismissal of one of its employees, leading to extensive protest from the site’s users. Victoria Taylor ran the site’s popular “Ask Me Anything” forum in conjunction with volunteer moderators. Victoria was abruptly dismissed which led to the volunteer moderators shutting down entire sections of the site in protest.
The alleged reason behind Ms Taylor’s abrupt dismissal was her resistance to management ideas. Thousands of users called for the resignation of the Chief Executive over the poor handling of Ms Taylor’s dismissal. Ultimately, the Chief Executive of Reddit did submit her resignation, demonstrating the power of social media.
In the UK, employees, who have been employed by their employer for two years or more are protected from being unfairly dismissed. To dismiss an employee fairly, an employer must show that the reason for dismissal was one of five potentially fair reasons, and that they acted reasonably in treating that reason as sufficient for dismissal. Therefore, in addition to having a valid reason for dismissal, the employer must follow a fair process in dismissing the employee. Given Ms Taylor’s instant departure from the Company, it is unlikely that a fair process was followed.
Damages for unfair dismissal are broken down into a basic award, and a compensatory award. A basic award is calculated by reference to an employee’s age, length of service (maximum of 20 years) and a week’s pay (capped at £479) in the same way as a statutory redundancy payment.
A compensatory award on the other hand, is calculated by reference to the employee’s losses, and is limited to a maximum of £78,962 or 12 month’s salary, whichever is the lower.
The Reddit case is a useful reminder of the power of social media and the fact that, in addition to the financial costs of unfairly dismissing an employee, businesses acting in the same way as Reddit would have to deal with the impact on the morale of the remaining workforce, who would likely fear being treated in a similar fashion. Employers should also consider the impact on their reputation which will be of particular concern for those employers who are in the public eye.
If you require any further information or advice on unfair dismissals please visit our employment tribunals and litigation page.
Data protection: compliance and US safe harbour principles
All employers have a duty to comply with eight data protection principles, specified in the Data Protection Act 1998, in relation to the processing of employee data. These include requirements that data is processed for a legitimate purpose and that data is accurate, relevant and secure. The eighth data protection principle specifically provides that personal data shall not be transferred to a country outside of the EEA unless that country ensures an adequate level of protection in relation to the processing of personal data.
US Safe Harbour Principles
Transfers of personal data to US group companies and US providers of cloud and HR data storage facilities may now be unlawful following a decision by the European Court of Justice last year.
The practice of transferring data outside of the EEA has become commonplace as a result of on-going globalisation, with many employers routinely transferring employee data to US based group companies and US based providers of cloud data storage systems and HR systems.
In July 2000, the European Commission issued a decision which stated that, provided US companies receiving data from the EEA had signed up to ‘Safe Harbour’ principles which require adherence to a set of standards devised by the Commission and the US Government, personal data could be transferred to those companies. Reliance on the Safe Harbour framework is a common practice amongst UK employers for the purposes of legitimising the transfer of employee data to US recipients.
However, in October last year, the ECJ considered a case raised by an Austrian national user of Facebook concerning the security of his personal data after he become aware of US intelligence agencies’ surveillance practices. The individual’s personal data had been transferred from Facebook Ireland Limited to its US parent company Facebook Inc. under the Safe Harbour framework.
The ECJ observed that only the companies signed up to the Safe Harbour principles observe those principles. There is no commitment of adherence from US intelligence agencies, which are lawfully permitted (under US law) to perform surveillance of personal data for the purposes of national security. The ECJ decided that the Safe Harbour framework did not therefore provide adequate protection in relation to the Facebook user’s personal data, meaning that the 2000 European Commission decision was invalid and no longer legally justified.
The EC and the US Government have been in discussions to agree an amended Safe Harbour framework for some time in recognition of such potential issues and these discussions continue. However, until these discussions are concluded and a new framework agreed, employers should not rely on Safe Harbour arrangements in relation to the transfer of employee data. The same advice also applies in relation to the transfer of personal data to US corporate entities for any other purpose.
In the meantime, employers will have to rely on other mechanisms for international transfers of personal data available under EU data protection legislation to legitimise transatlantic data flows of personal data (including employee data) between companies and to comply with the Data Protection Directive.
The result of the recent EU referendum of 23 June is unlikely to affect compliance with the data protection regime in the short term. The Data Protection Act 1998 implemented the EU Data Protection Directive within the UK, and therefore the DPA remains in place as a stand-alone act of Parliament until such point that it is specifically revoked. Withdrawal from the EU will not automatically revoke the Data Protection Act. It is likely that the UK government will clarify how such legislation will be applied in the future as part of withdrawal negotiation process with the EU.
As the above case regarding the “safe harbour” principle demonstrates, any company located in a country outside the EU must still comply with certain standards if they intend receiving and processing data from inside the EU. Therefore it is likely that an agreement akin to the “safe harbour” principle will need to be agreed between the UK and the EU at a future date.
In a further development of Data Protection law, the EU Parliament recently ratified a new “General Data Protection Regulation” that will take effect from 25 May 2018. Due to having the status of an EU “regulation” it means the legislation would have had direct effect without the need for further domestic legislation. The ratification of this legislation in May 2016 received much coverage in the press. However, given the likely timetable for withdrawal from the EU, it now appears unlikely the 2018 legislation will apply in the UK.
Compliance and Enforcement
Deliberate failure to comply with the data protection principles resulting in substantial damage or substantial distress is likely to be considered a serious matter by the Information Commissioner who, since April 2006, has had the power to impose fines of up to £500,000.
The Information Commissioner has a general power to issue enforcement notices which may require the data controller to comply with the data protection principles, including an order that an employer refrain from making a data transfer. This could have potentially serious commercial implications. Failure to comply with an enforcement notice is a criminal offence which can be committed not only by a corporate entity but by its directors, data controllers and some managers.
Other means of complying with the eighth data protection principle are:
- Undertaking an adequacy test in relation to data protection provided by the country and corporate entity receiving the data;
- Relying on exemptions and derogations under the legislation e.g. data subject consents;
- Requiring data recipients to enter into the ‘model contractual arrangements’ (contractual agreements devised and approved by the European Commission); and
- Adopting Binding Corporate Rules (BCRs) (between group companies) which must be approved by the Information Commissioner.
Undertaking an adequacy test is a complicated internal analysis resulting in a company decision that adequate protections are in place in relation to the recipient of the data. This approach is not recommended, not least as such corporate decisions may be challenged by the Information Commissioner.
The reliance on exemptions and derogations alone can be a difficult approach. By way of example, where an employer relies exclusively on consent, lawfulness of the data processing is dependent on that consent not being withdrawn.
Both contractual model clauses and BCRs are designed to enable the transferring EU data controller to prove that the personal data transferred will come to no harm in the receiving country. The use of a data-transfer agreement incorporating certain model contractual clauses is perhaps the simplest and most practical way of seeking to ensure compliance.
There is some risk that for as long as US recipients of data are under a legal obligation to allow US public authorities wide-ranging access to data that is unacceptable under the EU framework, that proof will be difficult to deliver, but until the Safe Harbour framework is re-established, this approach is best, together with consideration and use of applicable exemptions and derogations.
If you require any further information or advice on data protection and policies then please visit our employment contracts page.
These articles provide general information only and do not constitute advice. In addition, there may have been changes to the law since the article was published.
You should contact us if you require advice or assistance on any specific legal matter.