Questions about town and parish councils
Follow Councillor Q&A on BlueSky

Follow us on BlueSky

0 votes
HR committee are monitoring all staffs emails. Allegedly they are doing this to make the Clerk and Deputy Clerks work balance easier. The chair of HR who is also the chair of the council has given the passwords to all members of the HR committee.
Is this allowed or is it as I think a data breach?
by (390 points)

6 Answers

+1 vote
Best answer
The ICO has some very good guidance on monitoring at work. As others have said, you can do it, but only in a way which is consistent with both data protection and human rights legislation. Counter-intuative as it may seem, employees have a right to a private life, even at work. There are a number of hoops the Council need to jump through to demonstrate that the monitoring is fair, lawful and transparent. Simply including monitoring in a policy does not make it fair or lawful.

First, the Council will either need to document why it is legally required to do this or document that has a legitimate interest in doing this, which will include demonstrating why this is the least intrusive way of achieving the stated purpose of improving the clerks work life balance. Why can't you simply monitor email volumes for instance? Just because a form of monitoring is available, does not mean it is the best way if achieving the aims. In my experience it is very difficult to persuade the ICO that monitoring is fair if it occurs in a setting where the employee would not reasonably expect it, or which has unjustified adverse effects on them.

Transparency means you must tell the employees about the monitoring in a way which is clear and easily accessible. This could be in a policy but it must be done before the monitoring begins.

Incidentally, if the clerks complain to the ICO, one of the first questions the ICO will ask is what data protection training the Councillors have had, and when did they last have it?
by (2.9k points)
selected by
I'd beg to differ....  shocker );0)

Training (or more appropriately the absence of it) would only become relevant IF the process is found to be inadequate.

One of the first questions the ICO would ask (in establishing due process) and require (if it ever got to that stage which is pretty unlikely) would be:
Has the employer completed a Data Protection Impact Assessment?  And if yes they might seek to examine it, if no they might ask why not - and from that might come a finding of inadequate training but it certainly wouldn't be at the forefront...

But what we are doing now is tumbling down into the minutia of the mechanics of the how and what must be in place in order to implement staff monitoring which is quite a technical deviation from the CONCEPT of monitoring staff emails which (in my interpretation) was the exam question in the OP.
I'm happy either way - I can wax lyrical about strategic concepts or I can dive down into the weeds...
Counter-intuative as it may seem, employees have a right to a private life, even at work.

This is not counter intuitive at all....

An employee "might" have a reasonable expectation of limited use of work internet / email during break times for personal use.  IF that is specified in terms and conditions of use, then those elements of data would be "personal" and not subject to routine examination by the employer.  Work based emails however are NOT "personal" and have much less restriction upon remote access.

If an email subject field was obviously from a private commercial or clearly personal nature, that should not be opened, if it were to contain a works order number or subject which was work related that WOULD be open to examination.

Dancing on a pin head....  Emails and internet tracking are entirely appropriate management tools when appropriately deployed.
Don’t get too hung up on training….
You’d be better off focussing on competence and frankly, a lot of so-called training is little more than a perpetuation or parroting of a general lack of intelligent analysis.
I’d take an enquiring mind over a ‘trained’ droid any day of the week and twice on a Coronation bank holiday weekend.
Here’s the HSE definition of a competent person - A competent person is someone who has sufficient training and experience or knowledge and other qualities that allow them to assist you properly. The level of competence required will depend on the complexity of the situation and the particular help you need.

The most important word in that entire passage is OR!

I can’t even remember the last time I attended any formal data protection training but frankly, so what, the perspective I have advocated, whilst obviously unpopular, is clearly unassailable.
0 votes
Data Protection protects peoples personal data. The email accounts should only be used for council activities so there should not be any personal data revealed unless the clerks have been using the email addresses for personal use (should be a policy forbidding this). Lots of companies use shared inboxes where many people can see all the emails in that inbox.
by (6.8k points)
–2 votes
It is perfectly reasonable, in fact it should be stated in IT / communications policies, that all 'work' email addresses may be monitored at any time by a properly authorised person.

If, for example, a council provides a dotGov email address to Cllrs and employees, they should all be made aware that their communications via this account are subject to scrutiny.

It doesn't surprise me that clerks, cllrs and even IT companies fail to understand this basic function.
If an FoI request is received, the duly authorised person must have access to ALL email accounts in order to accumulate data which matches the search criteria.

Any employer can access the emails of any employee on work provided email platform.  Similarly, they can access internet search history if they want to.
by (24.6k points)
Tragic that there are 2 people that are SO poorly informed as to think it appropriate to click the down vote button on a matter of FACT which they are obviously ill informed.

Whoever you 2 are - YOU are a major part of the observable problem with local government.
0 votes
Big Brother is watching! When you say monitoring, do you mean reading? I fail to see how this makes their work balance easier. Have the staff requested support, or is this just unwarranted interference?

Employers have the right to view messages sent by their employees using work emails, but they must have a valid reason to do so and must inform them beforehand, usually via a written policy or within the terms of a contract of employment. General monitoring or monitoring by more than one person is considered a breach of the right to privacy.
by (57.2k points)
It’s not that I don’t want to accept it at all.

The .gov link says that employees should be told that they are being monitored. They were not told for some time that monitoring was taking place.
The council does not have an IT policy ☹️

There has been some advice been given from LA and unions that have said that this should not be allowed. It gets very confusing when there are so many variations.
Thank you for your input though.
As usual I agree with Roundagain!

Who pays for the salaries and IT equipment?

The same residents who elect the Councillors to represent their interests

So it’s not unreasonable for Councillors to check that all is well as in my experience the main failing of Councillors is their reluctance to actually carry out the role they are appointed to
So probably my last post, thank you everyone for your comments.
Just to make it confusing the Monitoring officer has said that no one should be able to monitor the clerks emails unless there is a genuine concern that there has been wrong doing and the clerk should be advised before it starts. Clerk was also advised to change all passwords which has been done.
The same advice has also been received from the clerks union.
Once again, many thanks to all.
It’s absolutely nothing to do with the MO as it’s an employment issue if there’s a problem then Councillors should seek advice from a HR consultant
To me IT equipment is no different to a company car and employers have every right to monitor their use
As a manager I downloaded phone use and used it for Conduct and Discipline purposes
I'm going to go one further.
Just THIS WEEK I have received the entire contents of a council dotGov email account downloaded at the server by the service provider and sent to me in a zip file and I've read every message therein.
This would be the second time in 12 months I have initiated this process.

The first time was when the person that 'should' have known how to manage an FoI request made a complete hash of it and it was necessary to explain, in granular detail, how they 'should' be doing the job they are paid for.  Disappointingly, it also took several increasingly bad tempered phone calls to the IT company to explain to them how and why such functionality was not only entirely necessary but that is was a basic IT function which I really shouldn't be having to explain to them.

On the more recent occasion (last week) my service request landed on the desk of a different company employee from the previous time and they set about trying to convince me that the only way they could do it was to change the password of the user and give me the new password.  yes, more not good tempered exchanges...

OBVIOUSLY, as I have to go into detail to explain, that was NOT the correct procedure since that would (a) alert the employee that something was amiss with their email account and (b) lock them out of it thus precluding any further work - neither of which was acceptable.

The service request something like "please provide in a downloadable file format all sent and received traffic from the email account blahblahblah from 08:00 XX Apr to 17:00 XX May 23"

I will say again - it should be a standard clause in any IT / communications policy that all work email accounts are subject to examination.  Any council which DOESN'T have such a policy should ask them self how do you propose to comply with an FoI request relating to user email accounts?  You CAN'T - unless you rely upon the users of those accounts to search and provide any / all relevant messages and that's hardly a reliable or defensible process is it.

I am genuinely astounded that people in this forum / sector seem to make life so difficult for themselves.

The quote from the monitoring officer is perfectly clear - if there is a justifiable need and if the user has been informed....  But where it goes on to talk about passwords that seems however to illustrate a certain lack of awareness (if accurately quoted) since passwords are a user level IT security measure and email monitoring would be at system admin level which is above user security anyway.
Either  the question to the MO was poorly formatted or the MO was poorly informed or MO quote is not an accurate reflection of the question and answer posed - who knows?

There needs to be a policy which all staff and Cllrs have acknowledged as a condition of use of official email accounts (and to comply with the requirements of FoI) and there needs to be a justifiable need to examine emails.

With those 2 elements in play an employer (council) can examine the emails of any employee or a Cllr.

If the OP is an aggrieved person that is having their email monitored, or a 3rd party that is uncomfortable with such monitoring of others, lodge a complaint and let it run its course.  Come back and let us all know how that goes.  Or, you could try the ICO chatbot - its not too bad but as with all these systems, the value of the output is directly proportionate to the accuracy of the input.


https://ico.org.uk/for-organisations/sme-web-hub/frequently-asked-questions/transparency-cookies-and-privacy-notices/#monitor
0 votes
What a splendid way to engender trust, confidence, and a harmonious working relationship.
by (11.6k points)
Actually, it is *sometimes* an entirely appropriate, necessary and lawful management tool.

Not for routine monitoring but where necessary - and there are plenty of examples of necessary - it absolutely IS one of many means of improving staff performance (or supporting dismissal.)
0 votes
Hi Rick, I  don't think it would be helpful to address all of the points made below here, but to focus on the exam question:
Whether data is personal data is all about the context in which the processing takes place. If the purpose of accessing the work emails is to assess the performance of the clerks then the emails do become the clerks' personal data. In those circumstances, if it has not been done lawfully, fairly and transparently, the answer to your exam question is yes, this is a data breach. Whether it has to be reported to the ICO depends on the level of the resultant harm to the clerks (including distress).
If you do report it, the ICO's breach form will ask you to provide details of the data protection training undertaken. If you are asked for a DPIA you can remind the ICO they are only required in high risk situations, which this isn't.

Feel free to message me if you have further questions. I work in this field in my day job.
by (2.9k points)
When you are in a hole - stop digging!

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

Your advice - based upon your own self declared professional experience - is empirically flawed.
Please refer yourself to the SOURCE INFORMATION contained in the ICO link above.

Welcome to Town & Parish Councillor Q&A, where you can ask questions and receive answers from other members of the community. All genuine questions and answers are welcome. Follow us on Twitter to see the latest questions as they are asked - click on the image button above or follow @TownCouncilQA. Posts from new members may be delayed as we are unfortunately obliged to check each one for spam. Spammers will be blacklisted.

You may find the following links useful:

We have a privacy policy and a cookie policy.

Clares Cushions logo Peacock cushion

Clare's Cushions creates beautiful hand made cushions and home accessories from gorgeous comtemporary fabrics. We have a fantastic selection of prints including Sophie Allport and Orla Kiely designs and most covers can be ordered either alone or with a cushion inner. Buying new cushions is an affordable and effective way to update your home interior, they're also a great gift idea. Visit our site now

3,116 questions
6,162 answers
8,580 comments
10,863 users
Google Analytics Alternative