Email and internet use: writing a policy
Tina Maxey of steeles (law) llp continues a series of articles on email and internet use in the workplace with guidance for employers on writing a policy.
While email and the internet are essential workplace tools, allowing employees unfettered access to these systems carries risks for employers. A policy setting out clear principles on internet and email use should be introduced to minimise those risks. This will help ensure that communication resources are not spent on non-work-related activities and productivity does not suffer.
Policy content
When writing a policy it is essential that it clearly states what is not permitted by staff when using the internet and email. While the content of any email and internet policy should be tailored to the needs of the business, the essential elements are:
- Guidelines
as to when and to what level personal use is acceptable, assuming that there is
no detriment to employees' work, or alternatively whether personal use is
prohibited. If personal use is prohibited, employers
should ensure that this happens in practice. If the policy is not enforced and
an employer subsequently dismisses an employee for using the systems for
personal use, this could amount to an unfair dismissal.
- Guidelines on acceptable use
outlining the types of websites that are inappropriate and off limits, in
particular those involving pornographic or obscene material, including a warning
that employees should not access or download such information.
- A ban on sending defamatory,
discriminatory and other obscene material. Employees should be informed that
even when intended as a joke, this type of material could be construed as
offensive.
- A
prohibition on contributing to blogs where the contribution can be traced back
to the employer or might be likely to cause it embarrassment or bring it into
disrepute.
- Advice on email etiquette,
stating that the employer's standard disclaimer must be used at all times.
- A means of ensuring that
employees are aware of the problems that may arise. They should be warned that
legally binding contracts can be formed by email correspondence and that
defamation and breach of copyright apply to emails.
- A reminder that the content of
emails should comply with the employer's equal opportunities and
anti-harassment policy.
- A prohibition on the loading or
running of unlicensed software.
- A prohibition on the
distribution of chain emails or jokes.
- A warning that breach of the email and internet policy could result in disciplinary action and could be construed as gross misconduct entitling the employer to dismiss without notice.
Unless an employer specifically states what is not acceptable, it may face an unfair dismissal claim if an employee is dismissed for misuse of the email or internet systems.
Monitoring
When developing its policy an employer should consider whether any monitoring of employees' use of email and internet systems takes place. Employee monitoring is a sensitive area and can be deemed to be intrusive. However, through monitoring, an employer may be able to stop, or at least regulate, inappropriate use.
The legal issues surrounding monitoring are complex and involve the consideration of four separate pieces of legislation: the Data Protection Act 1998 (and accompanying Code of Practice); the Regulation of Investigatory Powers Act 2000; the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000; and the Human Rights Act 1998.
Data protection
The Data Protection Act 1998 imposes obligations on organisations in respect of employee records and the principles for collecting, processing and storing personal data.
The Information Commissioner is under a duty to promote both data protection compliance and good practice. The Information Commissioner's Employment Practices Code (PDF format, 12.13MB) provides guidance to employers on how to comply with their obligations under the Act. The section of the code relevant to monitoring in the workplace is Part 3.
The code is good practice only and is not embodied in statute. A failure to comply with the code does not equate to a breach of the Act. However, it should be noted that the code makes it clear that 'any enforcement action would be based on a failure to meet the requirements of the Act itself'. Abiding by the code is just one way that an employer can comply with the Act. As relevant parts of the code will be taken into account in any enforcement action, an employer will need a good reason to depart from it.
If monitoring will be carried out, an employer needs to inform its staff of this. However, it is not enough simply to tell employees that their email and internet use is being monitored. Under the Act the level of information that an employer should provide to its employees is high. Employees must have a clear understanding of what monitoring will take place, when it will take place, the purpose of such monitoring, how the information will be used, to whom it will be disclosed and for how long the information will be retained. This information can be communicated in the policy.
Lawful business practice regulations
Employers that wish to monitor electronic communications are subject not only to the Data Protection Act 1998, but also the Regulation of Investigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.
The Regulations govern monitoring if it involves the interception of electronic communications. Interception takes place if the contents of a communication are made available, during the course of its transmission, to someone other than the recipient, for example where a business opens emails stored on its server before the intended recipient has opened them.
It is against the law to intercept, unless the interception comes within one of the exceptions under the 2000 Act or the Regulations.
Regulation of Investigatory Powers Act
The Regulation of Investigatory Powers Act 2000, section 1 makes it an offence to intercept communications, except where interception is authorised under warrant (although this is unlikely to apply in an employment context), or where the interception takes place with consent.
The lawful interception can take place where both parties to the communication have consented to the interception or the employer reasonably believes that both parties have consented. Obtaining consent may be an option to employers in relation to internal emails, but may be more problematic in the case of external emails. In these circumstances an employer will have a general defence if it can show that it reasonably believed that both the sender and recipient consented. The ambit of this defence has never been tested in the courts, so it is uncertain exactly what an employer would have to show for its belief to be considered reasonable.
Exceptions under the Regulations
Given the uncertainty of the scope of the defence under the Regulation of Investigatory Powers Act 2000, an employer wishing to intercept email communications will be on safer ground if it can bring itself within one of the exceptions under the Regulations that allow employers to intercept without consent.
Interceptions are authorised for monitoring or recording communications:
- to ascertain compliance with
the regulatory or self-regulatory practices or procedures relevant to the
business (for example, checking that employees are giving customers 'health
warnings' required under financial services legislation);
- to ascertain or demonstrate
standards that are or ought to be achieved by means of persons using the system
(for example, quality control and training);
- to prevent or detect crime;
- to secure effective operation of the system.
Interceptions are also authorised for monitoring received communications to determine whether they are relevant to the business and monitoring communications made to a confidential anonymous counselling or support helpline.
It should be noted that the above broad grounds for lawful interception without consent are restricted to interceptions effected solely for the purposes of monitoring communications that are relevant to the business. Interceptions that are targeted at personal communications that do not relate to the business are not allowed.
For the Regulations to apply, an employer must make reasonable efforts to inform users of the system that an interception may take place. Workers, including temporary and contract staff, will be users of the system; outside senders of email will not. The policy should advise workers that interception may take place.
The Human Rights Act
The Human Rights Act 1998 offers protection of fundamental human rights, including, of particular relevance to employment, the right to privacy. However, so long as an employer complies with the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000 it is unlikely that the Human Rights Act 1998 will afford additional protection.
Disciplinary action
It is essential that an employer has a written policy on acceptable usage. However, simply issuing a written policy will not be enough. The policy should be well publicised and supplied to employees at the outset. It should set out clearly the sanctions applied for any breaches and it must be applied fairly and consistently.
Where an employer suspects an employee of misusing electronic communications systems it will need to substantiate its suspicions by carrying out an investigation. The investigation must be handled carefully. If an employer informs the employee of its suspicions too early, there is a risk that valuable evidence could be destroyed. This must be balanced against the need to inform the employee that an investigation has been launched. It should be remembered that websites can be visited unwittingly through unintended results from search engines and that information can also be misinterpreted. Employees should be given the chance to explain or challenge any findings.
Next week's article will be a case study on email and internet use and will be published on 22 October.
Tina Maxey is a solicitor at steeles (law) llp (TMaxey@steeleslaw.co.uk)
Further information on steeles can be accessed at www.steeleslaw.co.uk
