Data Protection & Privacy Issues in the Context of an Employment Relationship


11 Nov 2016

8 min read

Legislative Framework

Monitoring of employees at the workplace is not specifically regulated by Maltese Law. In this respect, one  must refer to the Data Protection Act (Chapter 440 of the Laws of Malta), the European Directive 95/46/EC on processing of personal data and free movement of such data, as well as relevant rulings of the European Court of Justice (“ECJ”) and the European Court of Human Rights (“ECHR”), and best common practices.

A principle common to all Member States is that when it comes to working life, employers must strike a balance between monitoring employees and employees’ right to a private and family life. In fact, on the one hand, employers have an expectation to safeguard themselves against “wrongdoing” at the place of work, and on the other hand employees have an expectation of privacy.

Therefore, as a matter of principle, monitoring of employees at the place of work must be reasonable, not excessive and not disproportionate.

Monitoring of Employees

Employers have the right to monitor their employees for whatever purpose they deem fit, and in a manner they deem fit, as long as such monitoring does not occur without the knowledge of the employees. In fact, as held by EUHR in Copland v. UK, 3rd April 2007, the monitoring of employees’ telephone calls, emails and internet usage without their knowledge is in breach of the right to privacy.

Employers may use technology at the workplace in order to check employees’ adherence to standards and procedures, to the extent that said use is not excessive or disproportionate and is restricted to what is necessary to safeguard, amongst others, one or more of the following interests:

Security in order to prevent theft, violence and other crime;

  • Health and safety in order to check that health and safety rules are observed;
  • Protecting business interests in order to prevent misconduct;
  • Assessing and improving productivity; and
  • Compliance with legal and regulatory/statutory obligations.

Furthermore, monitoring at the workplace must be done within clear limits and in a transparent manner. In fact, as held by the ECHR in Kopke v. Germany, decided on the 5th of October 2010, with respect to use of workplace video surveillance, this does not impede on employees’ private life if the surveillance: (i) is only carried out following suspicion of theft; (ii) is for a restricted period of time and (iii) is limited to a specific area.

Fraud, investigations and limits thereof

The Whistleblowers Act (Chapter 527 of the Laws of Malta, “WA”) states that every employer must have in operation internal procedures for receiving and dealing with information about improper practices or reports of fraud committed within or by that organization. In particular, the aforementioned procedures must identify the person or persons within the organization who are to act as the whistle-blowing reporting officer and to whom a “protected disclosure” may be made. According to the WA, a whistleblower making protected disclosure is not liable to any civil or criminal proceedings or disciplinary proceedings for any damage caused.

Although there is no obligation in terms of law, it is advisable for any company to put in place a fraud risk policy in order to prevent, investigate, detect and respond to the occurrence of fraud. The policy should, amongst other, outline procedures for the investigation of employees suspected of being fraudulent, the reporting procedures in the case of a whistleblower, and the specific repercussions, including disciplinary actions, that would result if an employee is found to be fraudulent.

In this respect, it is important to note that, as ruled by Maltese Courts, an employee may not be automatically suspended or dismissed in case of fraud. In fact, in two linked Maltese cases, Il-Pulizija v. Raymond Borg and Il-Pulizija v. George Zammit, two employees were accused of fraud at the workplace and were suspended by the employer pending proceedings. Although both employees were found to be guilty of fraud for having sold used ferry tickets, the Court ordered for them to be reinstated into full time employment.

Generally speaking, there are various ways in which an investigation may be conducted by employers.

Investigation may be the search of an employee’s locker or desk. An employer may have the right to search an employee’s locker or desk in certain situations including, but not limited to, the case where the employee is suspected of theft, having a firearm, dangerous weapon or drugs.

In this respect, it is essential that the employee’s consent has been obtained prior to conducting said search and that a search of an employee’s locker or desk is to be made only for legitimate work-related reasons or in connection with reasonable suspicion of a violation of a workplace policy, laws and/or contract of employment. “Routine” searches may be justifiable only in certain environments.

Furthermore, employees’ expectation of privacy has to be taken into account before carrying out any searches, and therefore employers should think about whether an average worker would consider a particular space private at the workplace.

Another way of conducting investigations is that of physical searches of employees, including cash and inventory shortages, disappearances of company or employee property, and contraband items such as drugs, alcohol, and dangerous weapons. Physical searches are generally not recommended. In fact, if employers have strong legitimate concerns, they should consider calling the competent Authorities.

In the case of monitoring computer used by an employee, it is advisable that employer clarifies that the computer cannot be utilised for personal reasons, but for work related matters only, and whether or not the employee can take the computer home. According to some practices, it is advisable that in any case before checking the computer, the employer should ask the employee if there is any personal information (e.g. bank details, family documentation, health screening, etc.) on the computer.

Drug testing is usually only permitted in the job application context, where employees are performing safety or security sensitive work, or when an employer has reason to believe that an employee is impaired by drugs at work. Nevertheless, employers do not have the right to test for drugs or alcohol without the employee’s consent.

On the other hand, an investigation may require interviews with suspects and witnesses within the company and/or consultation with managers, human resources and legal personnel. The exact players and actions shall be restricted to those deemed to be absolutely necessary on a case by case basis.

What is important to keep in mind is that an internal investigation should never compromise the relationship between the employer and “innocent” employees or unnecessarily damage any individual’s reputation. Before carrying out investigations, good planning, consistent execution, analytical skill, sensitivity, and a solid grasp of the legalities are required.

Once an investigation is conducted according to the procedure outlined in the policy and with the consent of the employee, the employer may take any necessary disciplinary action, including dismissal.

Why a Company policy is necessary

As above-mentioned, employers should implement a policy which clearly outlines ways of investigation, relevant procedures, the manner in which the collected findings are to be used and potential consequences including disciplinary actions.

A good policy should state, amongst other things, the following:

  • The policy is for the purpose of monitoring and compliance with work and safety rules;
  • All employees are subject to the policy;
  • If an investigation is requested, it is not an accusation of theft or other wrongdoing, but simply a routine procedure as part of an ongoing investigation;
  • An investigation may involve work areas, lockers, vehicles if driven or parked on company property or used on company business, and other employees’ personal items;
  • Refusal to cooperate during an investigation may lead to disciplinary actions including dismissal;
  • Surveillance cameras may be installed at the place of work and the recording may be used for disciplinary hearings.

Furthermore, it is important to implement a data processing code of practice, informing employees about:

  • What and why personal information is being recorded
  • Who processes it, and who is likely to have access to it and for what reason
  • Their right of access, rectification, blocking, erasure and destruction of such data
  • Any third party processors
  • Security policies and procedures

Ideally, a data protection clause outlining the above would be included in the employment contract.

A social media policy is also recommended, and this should:

  • Clearly set out the conditions under which private use of the internet is permitted;
  • Provide information about systems implemented both to prevent access to certain websites and to detect misuse;
  • Clearly explain enforcement procedures in case of breaches of internal electronic communication use;
  • Indicate the reasons and purposes for which surveillance and/or monitoring must be conducted.

Employers must ensure that employees have been provided with a copy of the policy and that they have read and understood the policy. The employees must also be made aware of any changes or updates to such policy as soon as is practicable.

For further information on how GVZH can assist you with your Employment and Industrial Relations legal requirements, please contact us here.