Ex post defensive monitoring of email and protection of employer’s assets
- 7 marzo 2012
- Remote and defensive monitoring
- The case of the dismissed bank employee
- Supreme Court decision on defensive monitoring
- Practical consequences
Remote and defensive monitoring
As described in our previous article (“Italy: Remote monitoring and defensive monitoring of employees in the internet age”, published in October 2010), Article 4 of Law 300/1970 – known as the Statute of Workers – includes provisions on systems for monitoring employees. In particular, it prohibits employers from using remote monitoring systems which are aimed solely at monitoring the working activities of their employees.
Under Article 4 of the law, an employer may use monitoring systems for reasons related to organisation or production or for security reasons. However, if the monitoring system indirectly monitors – or could be used to monitor – the working activities of employees, the employer must follow a specified procedure of codetermination with internal trade union representatives (or, where there are no such representatives, the competent labour office). In these circumstances the monitoring can be described as ‘involuntary’ or ‘unintentional’ (‘preterintenzionale’) because the monitoring is incidental to the real will of the employer.
As explained in our previous article, defensive monitoring falls into a different category. It is permitted because it aims to protect the integrity of the employer’s business assets, although it may potentially identify malfeasance, civil wrongdoing and criminal offences committed by employees in connection with the performance of their professional activities.
Nevertheless, an employer may not use defensive monitoring without restrictions, and must take particular care that such monitoring is conducted in a way that respects its employees’ confidentiality and dignity. A 2010 Supreme Court decision (Decision 4375, February 23 2010, as referred to in our previous article) modified the court’s previous approach, which had considered defensive monitoring to be permissible, regardless of its effects on the working activities of employees.
The court stated that software which allows for the monitoring of email correspondence and internet use falls within the definition of a ‘monitoring system’ if it allows the employer to conduct remote and continuous monitoring of its employees in the course of their working activity, thereby monitoring the performance of their duties.
In addition, the court specified that defensive monitoring falls into the category of involuntary monitoring; therefore, employers must follow the prescribed procedure if their aim is to identify illicit conduct on the part of employees in relation to their performance.
The case of the dismissed bank employee
In a recent case a bank employee was dismissed for cause because he had breached secrecy and confidentiality obligations, disclosing by email certain confidential information relating to a client and taking advantage of the information in a banking transaction.
The bank proved the employee’s illicit conduct by monitoring his email and internet access.
The employee contested his dismissal, arguing that the evidence adduced by the bank did not comply with Article 4(2) of the law (ie, the codetermination requirement).
However, the labour court found the dismissal to be fair because the employer had monitored the email and internet use ex post and certain elements had led the employer to believe that the employee had engaged in illicit conduct.
Supreme Court decision on defensive monitoring
On February 23 2012 the Supreme Court issued Decision 2722, in which it gave its view on the dispute concerning the dismissed bank employee, focusing in particular on the employer’s ex post monitoring of its employees’ working activity.
The court stated that ex post monitoring of email and internet use does not fall into the category of involuntary monitoring if the defensive monitoring undertaken by the employer relates to the protection of goods that are not part of the employment relationship.
The defensive monitoring undertaken by the employer was intended to safeguard the bank’s professional image. According to Supreme Court, this qualified as a form of protection that the employer may exercise “with the instruments derived from the exercise of powers related to the employer’s supremacy on its company structure” when the employer has reason to believe that, by monitoring retrospectively, it may identify illicit conduct, which in turn may give rise to an employee’s dismissal.
Furthermore, the defensive monitoring was undertaken only after the employee committed the illicit conduct (and was therefore ex post defensive monitoring), confirming that the employer’s sole purpose was to investigate possible damage to the bank’s professional image, not to monitor its employees’ performance.
In the context of disciplinary action, an employer may fairly use information obtained by monitoring an employee’s email or internet use if:
- the defensive monitoring was undertaken ex post; and
- the defensive monitoring was undertaken for the purpose of protecting company assets (including the company’s professional image).
Although the Supreme Court has excluded ex post defensive monitoring, where directed solely at safeguarding the employer’s assets, from the provisions of Article 4(2) of the law, it is advisable for employers that wish to monitor their employees’ email and internet use to follow the above-mentioned procedure on involuntary monitoring. Furthermore, employers should ensure that they provide detailed information on appropriate use of IT systems and equipment, and that they make such information available to employees as an internal policy. Similarly, clear information must be provided on whether, how and to what extent such use will be monitored.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.