Watchdog raps Welsh council over covert surveillance of employee

A Welsh council has agreed to review its approach to using covert surveillance of employees after the Information Commissioner’s Office found that the authority had breached the Data Protection Act.

The ICO received a data breach notification on 28 November 2013 relating to a covert surveillance which had been undertaken by Caerphilly County Borough Council on an employee suspected of defrauding the authority in breach of its sickness absence policy.

The watchdog said it accepted that the use of covert surveillance to monitor employee behaviour could be justified in some circumstances.

“However, ….in order to justify such action the employer must be satisfied that there are grounds for suspecting criminal activity or equivalent malpractice, and that notifying individuals about the monitoring would prejudice its prevention or detection,” the ICO said.

It continued: “Abuses of an organisation’s sickness policies can amount to such malpractice, but covert surveillance should only be used in exceptional circumstances as a last resort when alternatives which respect the employee’s privacy have been considered and are not viable/ appropriate.”

The ICO found that on the specific facts of the case the council did not have sufficient evidence to warrant the authorisation of covert surveillance.

The employee concerned had only been off work with a sick note for anxiety and stress for four weeks at the time the surveillance was authorised, it noted.

The surveillance had been authorised on the ‘anecdotal’ basis that the employee had told a few people that she felt housebound and Caerphilly believed she would use the absence to avoid attending meetings she was required to attend at work.

“However there was no medical indication that the employee was housebound and no other measures were taken to discuss the employee’s sickness absence and potential attendance at meetings before resorting to covert surveillance at such an early stage,” the ICO said.

“[The council] has accepted that there had been no evidence to suggest that the employee would use the sickness policy as a basis for not attending the meetings she was required to attend. In fact the employee attended a meeting which took place shortly after the surveillance had been carried out without being aware that the surveillance had been conducted.”

Caerphilly had also confirmed that the report which was produced by the surveillance company had never been used. This was despite the report verifying that the employee was not housebound.

In an undertaking given to the ICO, Caerphilly County Borough Council agreed to:

  • Follow the ICO’s Employment Practices Code when reviewing its employee surveillance policies, procedures, guidance and training, and conducting any covert surveillance in the future;
  • In particular follow the guidance provided in section 3 of the code covering the use of impact assessments and covert monitoring; and
  • Ensure that in every case an appropriate written impact assessment is completed.

Anne Jones, the ICO’s Assistant Commissioner for Wales, said:
 “It shouldn’t need to be said that spying on employees is incredibly intrusive and must only be done as the last resort.
 

“Organisations need to be absolutely clear why they need to carry out covert surveillance and consider all other alternatives first. If it cannot be completely justified, it shouldn’t be done.”

A copy of Caerphilly’s undertaking can be viewed here. The ICO’s Employment Practices Code can be viewed here.