...was entitled to access an employee's mobile phone provided by the employer, which was used for business and personal use, to check whether he was storing confidential company information.
However, the Managing Director's actions of changing the employee's passwords in relation to personal accounts whilst searching for information, was deemed a step too far and the court found that the employer had breached their duty of care owed to the employee who was deprived of access to his personal accounts and awarded compensation.
The employer had been in discussions with the employee, who had worked for the company for over 20 years, as to the terms of his departure from the company. The employer knew that the employee had previously asked for copies of client information to be made for him to keep at home. The employee was involved in a sales role and worked from home from time to time. The information being sought included customer contact information as well as discounted price structures for the company's products. The latter being commercially sensitive information.
Using the employee's passwords, which the court held that the employee had provided, the employer accessed the employee's phone as well as his online accounts including his iCloud, Apple and AOL email accounts. On checking the device, the employer found some company customer contact information in the iCloud and to prevent the employee accessing any company confidential information from the use of the mobile phone, the employer changed the employee's password (it is unclear if this was intentional), resulting in the employee being permanently locked out of his personal accounts including his emails, WhatsApp and iTunes.
The Court found that in the circumstances, the employer had been "entitled to protect its business data by accessing the mobile telephone to discover whether there was any company information on it and if necessary delete it." This right extended to information stored in the employees personal online services such as Apple’s iCloud.
However, the employer owed the employee a duty of care and changing the employee's password, causing him to be permanently locked out of his accounts, amounted to a breach of that duty. The employer was unable to justify its actions despite the fact that the employee had voluntarily provided his passwords.
The employee was awarded compensation for losses suffered as a result of the breach. He was awarded £1,000 for the estimated value of the lost files and the inconvenience caused. In such circumstances the employer could also be at risk of paying the employee's legal costs although this is not clear from the judgement.
Employers that have reason to believe that an employee is storing confidential information on company provided devices, such as mobile phones and laptops, must assess whether or not investigatory actions such as confiscating and searching the devices are completely necessary.
Businesses should ensure that there are clear company policies in place and that employment contracts effectively deal with the private use of company-provided devices, which should be subject to the right on the part of the employer to monitor and search for company data should the need arise.
Employers should ensure that personnel carrying out checks are adequately trained IT specialists, to prevent unintended errors that affect the employees access to personal information occurring as they did in this case. The case demonstrated the employer's lack of understanding of the IT systems with which he was accessing and ultimately interfering with.
As the findings in this case were fact-specific it may not always be found that an employer is entitled to carry out such checks, particularly where there are no grounds of suspicion warranting an inspection. Employers also need to carefully consider any relevant privacy rights.
Finally, employers need to ensure that any interference with an employee's personal accounts goes no further than what is required to ensure the reasonable protection of confidential business information.