Consulting for peace of mind

Security officers employed to provide a permanent security presence don't enjoy these entitlements. However, their employers must give them equivalent periods of compensatory rest. Or, in exceptional cases where it's not possible for objective reasons to grant such periods of rest, such rest as may be necessary to ensure their Health and Safety.

Recent case law at both a European and UK level concerning the interpretation of 'compensatory rest' as covered by the Working Time Regulations could well have a significant impact on arrangements for manned security provision on home shores. In the 1998 SIMAP decision, for example, the European Court of Justice decided that doctors were working – not resting – while on call at Health Centre premises during the night.

The recent Jaeger decision concerned a German doctor who was allowed to rest in a room with a bed for at least 49% of the time he spent on call at a hospital. The European Court commented that, although the doctor concerned was indeed inactive for half the time he spent on call, he had to be ready to provide his services at any time for as long as proved necessary. He was also being kept away from his family and social environment.

Following on from SIMAP, the European Court of Justice decided that the doctor was "working" and not "resting" whenever he was required to be physically present at the hospital's premises. Employers in the security sector should be thinking long and hard about the restrictions imposed on employees during rest or on-call periods.

The Harrow Borough Council case heard by the UK Employment Tribunal in September demonstrates the financial impact that non-compliance with the Working Time Directive could have on employers in the UK. In this case, women worked a basic 37-hour week, but were permanently on-call for another 76 hours per week. The Tribunal held that the hours spent on-call were working hours.

Eventually, it awarded each woman £1,500 in compensation, while back pay in the region of £200,000 is currently being negotiated.

Broadening in the meaning of working time will, of course, have a direct impact on the amount of compensatory rest employers must provide. In the Jaeger case, the European Court of Justice decided that consecutive hours of compensatory rest must follow immediately on from – and correspond to – the number of excess hours previously worked in order to alleviate fatigue or 'overload'.

Equivalent compensatory rest
The Employment Tribunal decision involving Ruddick versus Reliance Security Services interprets this new meaning of "equivalent compensatory rest" with particular reference to manned security.

Mr Ruddick worked 12-hour shifts without toilet breaks as a security officer at an office block. It was held that although the security company wasn't required by law to give Mr Ruddick 20-minute breaks every six hours, they did have to afford him equivalent rest breaks. A 20-minute break could be split up, or Mr Ruddick required to be within calling distance.

The Tribunal decided that the additional expense involved in providing a rest break wasn't a sufficient reason to make this such an exceptional case that Reliance Security Services didn't have to grant compensatory rest. The Tribunal did, however, envisage that an 'exceptional' case might well have existed if Mr Ruddick had possessed exceptional skills, or had been trained in unarmed combat.

As we have already emphasised, security operatives aren't legally entitled to fixed periods of rest. However, case law has redefined the meaning and extent of rest periods, and the decision in the Ruddick case indicates that the security industry will find it difficult to justify not providing compensatory rest because of exceptional circumstances.

Under the Working Time Regulations, most workers are entitled to a minimum daily rest period of 11 hours’ consecutive rest in any 24 hours, a rest break of a minimum of 20 minutes every six hours and a weekly rest period of not less than 24 hours in each

Following the decision on Jaeger, employers should be aware that if security officers are required to be physically present at premises, they may be 'working' for the purposes of the Working Time Regulations even if they're resting or sleeping during that time.

In addition, the Ruddick case establishes the fact that employers must, so far as is practicably possible, afford workers adequate rest breaks during working hours, while the Jaeger episode suggests that employers must allow workers compensatory rest promptly for any additional hours worked.

Security monitoring and surveillance
As a direct consequence of the fanfare which accompanied its introduction, many managers in the industry will already be familiar with the basic recommendations of the Information Commissioner's Code of Practice on Monitoring at Work. The Code applies generally to all monitoring activities entailing data capture. One section relates specifically to video and audio surveillance, and should be considered in conjunction with the previous Code of Practice on the Use and Application of CCTV (published in 2000).

In addition to the Information Commissioner's Code, increasingly influential but still little-known guidance on monitoring activities and other aspects of data privacy compliance has now been produced by the Article 29 Data Protection Working Party (a Working Party established under Article 29 of the Data Protection Directive). It comprises members of the Data Protection authorities of EU Member States.

In May and November 2002, the Working Party published detailed working documents on the 'Surveillance of Electronic Communications in the Workplace' and 'Video Surveillance' respectively. Although the status of its working documents is purely advisory, they're nonetheless an excellent source of compliance guidance.

The working documents reiterate the key data privacy principles requiring data controllers to ensure that their monitoring activities have clear, specific purposes, and that the extent and scope of the monitoring activities are proportionate to those articulated purposes. In addition, and perhaps more forcefully than the Information Commissioner's Code, the Working Party recommends that employers avoid relying upon employee consent to lend legitimacy to its monitoring activities.

In particular, the working document on video surveillance emphasises that a data subject's consent will only be legitimate if freely given and based upon sufficient explanatory information concerning the proposed monitoring activities. This suggests that a general consent wording agreed at the time of an individual's recruitment is unlikely to constitute adequately informed consent for this purpose.

Additionally, the Working Party on video surveillance recommends that data controllers have a data minimisation duty to limit the use of video surveillance by actively considering whether security measures such as access control, clearance devices, alarm systems and lighting techniques, etc – none of which entail personal data capture – could indeed serve as suitable alternatives.

Being data privacy-compliant
If video surveillance is the only viable security measure to achieve the specified purposes, its implementation and operation must be data privacy-compliant. The working document highlights the importance of flexibility in security technology. We would strongly recommend that surveillance technology is chosen by users with an eye to ensuring that the intrusiveness and range of data processing activities of that technology can be tailored as appropriate to reflect the user's data processing purposes.

Advanced but inflexible data capture which may appear ideal from a security perspective will not assist companies in ensuring data privacy compliance. The working document on video surveillance suggests that the proportionality principle should guide end users' thinking in setting out and operating all aspects of their surveillance activities including visual angle, camera mobility, installation arrangements and camera zoom, freeze and magnification facilities.

Operators should be trained to ensure that data captured reflects this approach, and that data is only used for the specific purposes of surveillance and not retained for any ancillary purposes (eg using a security entry camera for disciplinary proceedings against an employee).

Advanced but inflexible data capture which may appear ideal from a security perspective will not assist companies in ensuring data privacy compliance. The working document on video surveillance suggests that the proportionality principle should guide end

Once video data has been captured, it must only be retained and used for as long as is strictly necessary. Lastly, data subjects should be notified where surveillance is taking place. The Working Party acknowledges that it would defeat the purpose of video surveillance if data subjects had to be notified specifically of the location of cameras. That is not a requirement.

However, potential data subjects do need to be made aware of the general context in which surveillance activities are taking place. The Information Commissioner's Code of Practice contains slightly more detailed – and, perhaps, more onerous – guidance on the current position in the UK.

The working document concerning 'Surveillance of Electronic Communications in the Workplace' also contains a useful summary of the legal position in each Member State.

Many continental European Union States' national legislation imposes far stricter data privacy laws than the Data Protection Directive. Notorious examples are those of Germany and France. In Germany, privacy is an absolute constitutional right. Although monitoring activities can be conducted, only traffic data rather than content may be captured.

Vetting and criminal records
Ensuring that new recruits assigned to security functions are trustworthy is, of course, a major concern for security managers. However, the Data Protection Act 1998 – as interpreted by the Information Commissioner – closely regulates the practices of verifying and vetting candidates.

The Information Commissioner's Code on recruitment specifies that verification should only be done to the extent it is necessary to establish a candidate has the relevant credentials for the position. Candidates should be notified that verification is being conducted, and should have an opportunity to challenge any adverse information obtained through the verification procedures.

In contrast, vetting is defined as being proactive enquiries to third parties about a candidate's history. It's regarded as an even more intrusive process by the Information Commissioner. Vetting should only be used where a significant risk has been identified, and should only be employed in relation to conditionally successful candidates – not at any earlier stage of the recruitment process.

It's of particular concern for employers of security personnel that they obtain information regarding potentially relevant previous convictions. Following the establishment of the Criminal Records Bureau, candidates for in-house security positions will only be able to obtain by way of a Basic Disclosure any details of unspent convictions.

In contrast, the licensing regime for security personnel under the Private Security Industry Act 2001 confers greater powers on the Security Industry Authority (SIA). In considering whether or not to grant a licence to someone employed by a private sector security company, the SIA will enjoy access not only to spent but also unspent convictions (and therefore have more information than employers of in-house security personnel to enable the Authority to assess a particular candidate's suitability). This is but one of the factors which should be borne in mind by managers with security responsibilities when considering whether or not to contract-out their security function.

Information and consultation
The Government has recently published draft legislation which will introduce the familiar European concept of Works Councils to the UK. This legislation is the Information and Consultation Regulations 2005, which implement the Information and Consultation Directive adopted in March last year.

At present, there are no proposals to apply the regulations to any undertakings with fewer than 50 employees. For larger undertakings, the regulations have already taken effect for companies with 150 employees or more (as of 23 March this year, in fact), for those with 100 or more by 23 March 2007 and for those with 50 or more by 23 March 2008.