A responsible approach
HR and IT must work together to implement practical technology and policies for staff e-mail and internet use. Sue Weekes reports.
In the time it takes you to reach the end of this sentence, around three million e-mails will have flown out of in-boxes across the UK. According to figures from the London Internet Exchange, 1.3 million are sent every second in this country, with the average person receiving a new e-mail every five minutes - and some of us far more than that.
"A bulging in-box has become the equivalent of a male posing pouch," says Monica Seeley, co-author of the recent book, Managing E-mail in the Office.
Without doubt, e-mail provides organisations with the most powerful communications tool there has ever been. Like every other department in the organisation, HR can reap the benefits of this business-critical medium, but it also delivers a minefield of issues right on the profession's doorstep.
Leakage of sensitive corporate information, staff being abused in colleagues' e-mails, harmful viruses entering the network via attachments and loss of productivity due to a high volume of personal e-mailing are no longer just issues to be debated. They are actually happening in the workplace every day of the week.
If Jo Moore's 'bury bad news' message wasn't enough to convince HR professionals of the potential perils of careless e-mailing, then BBC2's E-mails You Wish You Hadn't Sent repeatedly demonstrates the disruption an ill-judged piece of digital correspondence can bring to the workplace.
It is no longer just about anecdotal evidence and supposition. A survey of 212 employers carried out by Personnel Today and KLegal last September revealed that there were 358 disciplinary cases for internet and e-mail use compared with a combined total of 326 for dishonesty, violence and health and safety breaches.
This is despite a fifth of employers monitoring e-mail usage on a daily basis, compared with 11 per cent 18 months ago. The rise in figures clearly demonstrates that HR can no longer abdicate its responsibility for tackling these issues to IT.
"The whole topic has been dominated by the IT function and HR has let IT lead," says Jonathon Hogg, a member of the management group at PA Consulting Group. "But now it's swinging towards HR because of the disciplinary procedures that need to be put in place." Hogg's views and the survey's findings are backed up by the practical experience of barrister Jonathan Naylor of the Employment, Pensions and Benefits Group at business law firm Morgan Cole.
"HR and IT have different perspectives and there can be a mismatch between their needs," he says. "But we have definitely seen an increase in the number of people being disciplined for such offences in the past six months. This is leading to a greater awareness on the part of HR and the decision to tackle it rather than sweep it under the carpet."
However, this is perhaps easier said than done. For a start, while a raft of clever security, monitoring and filtering software exists to impose restrictions and controls, current legislation such as the Human Rights Act (1998), the Data Protection Act (1998) and the Regulation of Investigatory Powers Act currently conflict with each other when it comes to e-mail.
For instance, the latter was brought in last year, and allows employers to monitor staff phone calls, e-mails, faxes and internet use in certain situations; yet the Human Rights Act throws this into a grey area as it states individuals have a 'reasonable expectation of privacy'. It is hoped that the code of practice being set out by the Information Commissioner's Office (ICO) will bring some clarity to proceedings, but this remains to be seen.
Legislation is important in such a discussion, but HR and IT's mission is to put preventative measures in place that eliminate problems before they get to the legal stage. Typically, these will be policy and procedural-based, and will be supported by appropriate technological controls, such as firewalls and encryption software.
Your organisation may already have an e-mail policy in place, but rapid technological advances emphasise the importance of revising this regularly. If you have not yet established an internet usage policy, it is a good chance to bring the two together as Scottish Water did after its merger (see box).
Disciplinary procedures
Geoff Haggart, vice-president of EMEA at internet security company Websense, which specialises in employee internet management solutions, says the e-mail monitoring market is more mature than internet monitoring, but there is every need for policies to be reviewed constantly to keep abreast of what is now possible at the desktop.
"We have things such as instant messaging and personal storage sites now, for example, and the use of attachments is much bigger now," he says.
Similarly, the use of web-based e-mail such as Hotmail and Yahoo accounts has grown rapidly in recent years, and was cited by IT professionals as one of their top three concerns, along with personal web surfing and software downloads, in the Emerging Internet Threats survey, conducted by Websense and Infosecurity Europe 2003 (the latter are organisers of Europe's largest information security event).
Other worrying statistics highlighted by the survey, which focused on internet usage rather than e-mail, were that 94 per cent of IT departments admitted to dealing with security issues as a result of employees' use of the internet, and 71 per cent of policies made no provision for guidance on the use of personal storage sites - potentially a lethal area when it comes to breaching corporate security, Haggart believes.
"An employee could save a Word document to a personal storage site so they could work on it from home, and in doing so, allow a confidential document to go out on the web," he explains. "HR needs to brush up on the availability of things like this when putting policies together."
HR cannot be expected to get to grips with every facet of cyber vulnerability any more than it can be expected to know the pros and cons of the vast range of products available to combat it. What it must do is consult with IT about the main areas of concern, and return to IT once a policy is drafted to find out whether the technology exists to support its aspirations.
It would seem that 'being reasonable' in both technical and policy-related approaches to e-mail controls is the key to success. Certainly when it comes to personal e-mail or internet use, you just have to accept that staff will use it for personal reasons on occasions, just as they use the company phone. Banning it completely is hardly a management vote-catcher, and is more likely to damage the company brand than yield any positive results.
If workers are told their e-mails may be monitored, and company policy details that they may be liable to disciplinary action if caught abusing the system, this will be enough of a deterrent for much of the workforce.
Acceptable use
Drafting a policy with the help of the legal department, then getting employees to agree to it (typically by clicking an 'I agree' box when they log on to the system) isn't necessarily difficult. The problem lies in making staff aware of the policy's details and ensuring it is being communicated and enforced by line managers as well as the HR department. After all, who hasn't clicked an 'I accept' box when loading software without reading it?
"At the moment, the vast number of companies have an 'acceptable use' policy in place, but they have to consider whether that policy is really effective and whether it is being enforced," says Naylor. "The HR profession is generally aware of the relevant legislation, but it has to be proactive in distilling information down to line managers who don't always know the law."
The security and misuse issues that surround e-mail are big enough for HR to deal with, but they should also be aware that the extent to which this vital communications channel has entered our lives and culture is also changing the way people work and operate - and it isn't something that can be controlled by policies and software.
What is required is a roadmap to help bring some order to the way we use e-mail so that you manage your in-box, rather than the other way round. Otherwise, we all run the risk of becoming little more than e-mail response junkies.
When North, East and West of Scotland Waters merged into Scottish Water, it gave HR director Paul Pagliari an opportunity to develop a single e-mail and internet usage strategy to replace the mixture of different policies that he had inherited. There is no great mystery to putting an e-mail policy in place, he says. The key is ensuring there is "no ambiguity in the policy". "It's about being upfront with people, and being honest and reasonable," he adds. Scottish Water accepted that it had to allow reasonable use of the web and e-mail for personal reasons, but staff have to ask their line manager for permission to register for it. This is a one-off request, he says: "It requires a positive act of communication and therefore is far more memorable." On registration, staff can read the policy on screen and must click an 'I accept' button. Afterwards, a screen with the policy set out pops up whenever the computer is idle. "We follow this up with occasional e-mail monitoring," says Pagliari. "We haven't had to discipline any employee, but make it clear we would have no hesitation in following through with action if we needed to."
Monitoring and security products can be broadly grouped into three different levels: those that work on the outer perimeter of a company network, such as firewalls, which can block everything from internet shopping to e-mails with a specific word in them; those that work at server level; and those that work at desktop level, which are often largely anti-virus products.
It is likely that you will decide to engage an external specialist along with IT. Computer Associates (CA) is market leader in what is called the 3A market - which stands for authentication, authorisation and administration (of all kinds of data). Simon Perry, vice-president of CA's security strategy, explains that the company is typically called in to tell HR what is technically possible, but warns that "perfect security most likely comes through absolute inconvenience". "We sometimes have to suggest that people ratchet down a bit," he says.
Implementing controls is one thing and measuring how effective they are is another, but Clearswift - which has a 23 per cent share of the global content-filtering market - recently launched what it describes as the industry's first 'black box' service to check corporate e-mail security. Called ClearDetect, it establishes any areas of vulnerability by scanning e-mail traffic via the black box which sits alongside the corporate network. Data collected can include the volume of e-mail traffic (including attachments), and compliance and confidentiality violations.
"In beta-testing, trial customers who thought they were safe found pornography, sensitive information being leaked and even employees running their own businesses," says Clearswift chief marketing officer, Paul Rutherford.
There are eight enforceable principles of good practice outlined by the Information Commission. Anyone processing personal data must comply. Data must be:
1 Fairly and lawfully processed
2 Processed for limited purposes
3 Adequate, relevant and not excessive
4 Accurate
5 Not kept longer than necessary
6 Processed in accordance with the data subject's rights
7 Secure
8 Not transferred to countries without adequate protection.
Personal data is defined as facts and opinions about the individual and includes information regarding the intentions of the data controller (usually the employer) towards the individual, although in some limited circumstances, exemptions will apply. Processing now incorporates the concepts of 'obtaining', 'holding' and 'disclosing'.
Source: the Information Commission
Other useful websites
Freedom of Information
The Lord Chancellor's department's site has all you ever wanted to know on the Freedom of Information Act
www.lcd.gov.uk/foi/foidpunit.htm
British Computer Society (BCS)
Get the BCS' view on the impact the European Union Directive on Data Protection will have on us