Employee monitoring: developing the right policies and practices

Section four of the Personnel Today Management Resources one stop guide on employee monitoring, covering: developing and reviewing HR policies; ensuring legal compliance; and understanding best practice.

Use this section to

  • Gain an overview of the key areas affecting employee monitoring

  • Develop or review HR policies to enable appropriate monitoring, including acceptable use of electronic communications

  • Decide on action to ensure your policies and procedures comply with current legal requirements

  • Understand best practice in monitoring staff

    Organisations most likely to have policies on internet and e-mail use are the utilities (71 per cent) and those in the financial sector (69 per cent). The least likely to have formal policies are IT firms, according to a study.1

    Only four out of 63 employers surveyed by IRS did not have a formal written policy dealing with employee use of the internet.2 Of the remaining 59 respondents, 28 operated a standalone policy dealing with employee use of e-mail and the internet, and 30 said it formed part of a wider electronic communication policy. Most of the policies had been drawn up recently, with none any earlier than five or six years ago, showing how fast technology has taken hold.

    Putting in place and implementing policies on electronic communications ensures there are no misunderstandings as to how employees use such technology at work. Such policies allow both the employer and employees to get the most out of the technology, alerting staff to the technical and commercial risks of misuse and informing them about the consequences of misuse such as disciplinary action.

    The Acas advice leaflet, Internet and E-mail Policies, says that clearly formulated policies can help ensure that decisions within the organisation which affect workers:

  • are well thought out

  • are consistent

  • are understood by all users

  • are fairly applied

  • satisfy legal requirements

  • contribute to a productive relationship between the employer, the workforce and their representatives.

    Managers who grasp the organisation's policies and objectives are more likely to act fairly and consistently. Workers are much more likely to be effective if they have access to policies which remove uncertainties about their employer's intentions and inconsistencies about management decisions. Setting out rights, responsibilities and limitations on the use of organisational equipment will help you prevent any unauthorised or careless use which might lead to legal risks.

    By having a written policy, you will be able to:

  • help prevent damage to systems

  • avoid or cut back on time wasted on non-work-related activities

  • inform users of privacy rights and expectations

  • help to protect the organisation against litigation from, say, vicarious liability

  • educate system users in getting the best out of their systems and about how to avoid taking legal risks

  • inform users who to contact about the policy.

    If, having carried out an impact assessment, you have opted for monitoring because it is justified in terms of being necessary to enforce your organisation's rules and standards, you need to make sure your workforce know and understand these rules and standards. The best way to do this is to set them out in policies, for example, on acceptable use of the e-mail system and internet access. This policy should be made available to all those employees affected.

    You also need to set out the circumstances in which monitoring may take place, the nature of this monitoring and the safeguards that are in place for workers subjected to this monitoring. This can be included in the policy on use of technology or in a separate one on employee monitoring.

    You should make those workers subject to monitoring aware that it is being carried out and why. Simply telling them their e-mails may be monitored may not be legally sufficient. The code's supplementary guidance section recommends leaving employees with a clear understanding of:

  • when information about them is likely to be obtained

  • why it is being obtained

  • how it will be used

  • who, if anyone, it will be disclosed to.

    Make sure you:

  • discuss your plans in advance and accept employee feedback

  • set down clear guidelines on what behaviour is unacceptable

  • respect employees' needs and time

  • strike a balance between privacy and security.

    Obligations

    The Data Protection Code recommends taking into account obligations that arise from monitoring such as:

  • whether and how workers will be notified about monitoring arrangements

  • how information about workers collected through monitoring will be kept securely and handled in accordance with the Act

  • considering the rights of individuals to obtain copies of information on them collected through monitoring.

    Consultation

    Acas points out that involving workers and their representatives in the development, implementation and operation of policies is more likely to make them acceptable and successful.

    Consulting with trade union or other worker representatives along with management and contractors helps provide authority and legitimacy to policies. It also shows that the organisation is fully committed to drawing up a workable and sensible framework.

    Acas suggests setting up a working party on policy development with representatives from IT, HR, worker representatives and other directly interested parties such as security advisors.

    Choosing who is responsible

    You will need to identify who will be responsible for which monitoring policies and procedures.

    In 46 per cent of companies with policies, the IT department was responsible for policies on e-mail and internet use, according to a survey by The Work Foundation. In 18 per cent it was HR's responsibility and in 21 per cent, it was the joint responsibility of different functions within the organisation.

    You need to make clear in your policy who in the organisation is responsible for implementing training. Acas's guide says that training tends to be the responsibility of management, with IT departments or contractors giving special technical training as required.

    Responsibility for monitoring should ideally be allocated to a senior manager in HR or someone in a comparable position, as monitoring may well be more intrusive if those who have access to private information are close colleagues or the manager of a worker.

    You need to make sure you cross-reference any computer use policies with any other relevant policies such as use and storage of personal data.

    Data protection

    As monitoring involves processing and potentially holding information on individuals, compliance with the Data Protection Act is vital. Those with overall responsibility for monitoring should be in a position to feed their knowledge into other areas of the business where information about workers is processed, to make sure the organisation has a co-ordinated approach to data protection compliance.

    The Code points out that data protection compliance is a multi-disciplinary matter. IT staff may be primarily responsible for keeping computerised personal information secure while the HR department may be responsible for ensuring staff are kept informed about monitoring procedures. All staff, including line managers, have a part to play in securing data protection compliance, such as making sure waste paper containing personal information is properly disposed of.

    You need to be clear who is collecting, using, storing and destroying personal information if you are to be able to ascertain whether you are complying with the DP Act.

    With activities such as covert monitoring and monitoring using information from third parties, the DP Code recommends limiting where possible the number of people involved:

  • Senior management should be responsible for making decisions on whether covert monitoring is justified

  • The number of people involved in any investigation should be limited.

    It is worth considering placing confidentiality clauses in the contracts of relevant staff, particularly those involved in monitoring activities such as covert monitoring or those involving information from third parties.

    Informing staff

    If you decide to go ahead with monitoring, you must inform workers about the nature and extent of monitoring: making employees aware of monitoring is a fundamental requirement of data protection law. The code also suggests providing information about the nature and extent of monitoring when soliciting job applications.

    In addition, the code recommends that those making calls to, or receiving calls from, workers be informed of any monitoring and its purpose, unless this is obvious. This could be done by a recorded message or by workers telling callers that their calls could be monitored.

    Make sure employees are aware of the extent to which you receive information about the use of telephone lines in their homes or mobile phones you provide for their use, for which your business pays partly or fully, advises the Code. Do not make use of information about private calls for monitoring, unless they reveal activity that no employer could reasonably be expected to ignore. But remember, expectations of privacy are likely to be significantly greater at home than in the workplace.

    Use staff handbooks, notice boards and online communications to keep staff informed of monitoring procedures. Any significant changes to monitoring arrangements should be communicated to staff.

    Legally, there is an expectation of reasonable behaviour by the employer. If employees are informed in a company policy that they can have no expectation of privacy at all, the company can still expect to be treated unsympathetically by a tribunal if a manager reads an e-mail message from an employee's partner.

    Drawing up policies

    The most common approach to employee monitoring appears to be to only monitor use when suspicions arise that the system is being abused. Twenty-three companies out of 63 surveyed by IRS in 2003 took this approach. But 18 respondents said they routinely monitored all e-mail and internet use, with 12 saying they monitored a random sample, five when criminal activity was suspected and one a defined sample of user access.

    Twenty-four respondents monitored just the address or heading on e-mails and 12 the main body of text.

    In terms of tackling the amount of time people spend at work on the internet, the most common approach is to use software that blocks access to certain websites, according to IRS. The introduction of an e-mail/internet policy is also seen as important in addressing this (22 organisations). Less frequently, employers had asked people to use e-mail or the internet less (16 organisations), implemented their existing policy more vigorously (seven), or in one case introduced internet/e-mail-free days.

    Employee communications policies

    The main aims of employee communications policies are to ensure employees understand that personal use does not guarantee privacy of correspondence, and to stop personal use interfering with individual work responsibility.

    In the IRS survey, 35 out of 63 respondents said they based their policy on legal advice, while 21 had used an earlier in-house policy as a template. A further 13 based it on another employer's policy, while eight bought an off-the-peg document. Only four negotiated an agreement with trade unions.

    Activities employers tend to prohibit include accessing pornography and sending obscene e-mails (see table on activities forbidden by employer policies). Other internet use banned by employers not included in the IRS survey includes materials promoting race-hate at cereal manufacturer W Jordan and anything likely to bring the company into disrepute at electronics firm Sony UK. Not all that many employers were found to be encouraging or insisting on certain good practice. Of those that were:

  • 23 encouraged the use of formal business language in e-mails and a further 20 insisted on it

  • 20 encouraged employees to report the receipt of inappropriate e-mails and 22 insisted on it

  • 17 encouraged the clear labelling of non-work-related e-mails and 10 insisted on it

  • 18 encouraged participation in training on e-mail use and a further 18 insisted on it.

    In terms of problems encountered by employers, the most commonly cited issues are employees accessing inappropriate or banned websites, and sending inappropriate e-mail, according to the IRS study (see table in Section 1).

    Table 4: Employers' policies on internet and e-mail use ('netiquette' policies)

                                                               % of firms
    Have or are working on netiquette policies                         75
    Monitor website access                                             66
    Monitor e-mail messages                                            65
    Monitor e-mails for inappropriate words or content                 43
    Would dismiss an employee for breach of policy                     23
    Tell new staff about policies during induction                     49
    Tell employees they are being monitored                            90
    Include e-mail in policies                                         93
    Include web access in policies                                     87
    Include disciplinary procedures for disregarding policies          78
    Include virus eradication and virus liability                      75

    Source: The Work Foundation (formerly Industrial Society) in 2002

    E-mail

    With e-mail, it is hard to know whether an employee is dashing off a message to a friend or working hard on a report, whereas it is easy to see if an employee is surfing the internet for non-work-related material.

    Employers need to stress to staff that e-mail is not the transient and informal means of communication many people think it is and that deleting or trashing a message does not mean it is unrecoverable. Employees need to be made aware that e-mails have the same authority as any other communications.

    The organisation needs to remind staff that the speed and ease of using e-mail can often lead to ill-thought-out messages being exchanged, and the chance of misinterpretation. Train staff to be aware that e-mails:

  • are not transient

  • are easily misinterpreted

  • are easily recoverable

  • can easily lead to defamation, deliberate or otherwise

  • can be interpreted as bullying or harassment if abrupt, inappropriate or unthinking language is used, or even capital letters

  • are frequently better replaced with a phone call, particularly if a complex or confidential matter is to be discussed

  • should have disclaimers attached if they are sent externally.

    Set out clearly in the policy how you want e-mail to be used, stressing that disciplinary action will be taken if staff do not use it in this way. The options are full personal use, limited use, or no personal use, although the latter is not advisable as the Human Rights Act recommends providing employees with some private communications.

    To reduce liability arising from personal e-mails sent using the company's equipment, the Data Protection Code guidance section suggests adjusting the system to allow employees to send messages which do not bear the organisation's official heading.

    Activities employers forbid

    Content

    Employers need to make sure employees are very clear about what they can include in e-mails. Attaching appropriate disclaimers (see NHS disclaimer) is advisable. Employees should be made aware of the weight an e-mail can carry.

    Inadvertent contracts

    An e-mail can, for example, form or vary a contract in the same way as a written letter. In the case of Hall v Cognos, the employer was bound to honour a variation to a contract made by a line manager by e-mail. Hall made a late claim for expenses after being told wrongly by his line manager in an e-mail that this was OK. Hall's contract of employment stated that only amendments or modifications to contracts made in writing and signed by both parties were acceptable. The tribunal held that once an e-mail is printed out, it takes a written form and is signed by both parties as each message contains the name of the sender. It also ruled that the line manager had sufficient authority to agree to a variation on terms, even though the company had detailed company rules on reimbursement of expenses.

    Having an e-mail policy in place is in itself no guarantee that breaches will no longer occur. Some 57 per cent of UK businesses have e-mail policies, rising to 83 per cent in large companies, according to a survey, yet more than half of these had still had security incidents in the last year.3 E-mail policies, like any other policies, need to be enforced.

    Actions

  • Make sure e-mail monitoring is confined to the address/heading unless there is a valid reason to examine content

  • Encourage workers to mark personal e-mails as such and to encourage those who write to them to do the same

  • Check workers are aware of the retention period for e-mail and internet usage records

  • Set up system to inform workers of retention periods, such as displaying information online or in a communication pack

  • Avoid opening e-mails where possible, especially those clearly private or personal.
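The following is an added example (not from the Personnel Today guide, and not code from any product it mentions) of what the first, second and last actions above look like in practice: a monitoring pass that records only the address, subject and date fields of each message, skips unread any message its sender has marked as personal, and stamps every record with the date after which it must be purged so the published retention period can be enforced. The marker string, the 90-day period and the sample messages are all assumptions constructed for the example.

```python
"""Header-only e-mail monitoring, following the 'Actions' list above.
Added example; not from the Personnel Today guide or any product it names.
Only envelope fields are recorded, mail marked personal is skipped unread,
and every record carries the date after which it must be purged."""
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Assumed policy settings (placeholders, not values from the guide): the marker
# workers put in the subject of private mail, and the retention period for
# monitoring records, which the policy would state and publish to staff.
PERSONAL_MARKER = "[personal]"
RETENTION_DAYS = 90

# Fixed clock so the example is reproducible offline.
SAMPLE_NOW = datetime(2003, 3, 4, 9, 0, tzinfo=timezone.utc)

# Constructed sample messages; the bodies exist only to show they are never read.
SAMPLE_MESSAGES = [
    "From: a.smith@example.test\n"
    "To: orders@example.test\n"
    "Subject: Q3 order forecast\n"
    "Date: Mon, 03 Mar 2003 09:15:00 +0000\n"
    "\n"
    "Forecast attached. Body text is never inspected by the monitor.\n",
    "From: partner@example.test\n"
    "To: a.smith@example.test\n"
    "Subject: [Personal] dinner tonight?\n"
    "Date: Mon, 03 Mar 2003 12:40:00 +0000\n"
    "\n"
    "Private content that the employer has no reason to open.\n",
    "From: supplier@example.test\n"
    "To: orders@example.test\n"
    "Subject: Invoice 1042\n"
    "\n"
    "No Date header, so the time of logging is used instead.\n",
]


def summarise_header(raw_message, now=SAMPLE_NOW):
    """Return a header-only record, or None when the message is marked personal.

    The body is deliberately left unread: only the address, subject and date
    fields named in the policy are kept, plus the purge date for the record.
    """
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if PERSONAL_MARKER in subject.lower():
        return None  # clearly private: do not open or log beyond this point
    date_header = msg.get("Date")
    try:
        sent = parsedate_to_datetime(date_header) if date_header else now
    except ValueError:  # unparseable Date header
        sent = now
    return {
        "from": msg.get("From", ""),
        "to": msg.get("To", ""),
        "subject": subject,
        "sent": sent.isoformat(),
        "retain_until": (now + timedelta(days=RETENTION_DAYS)).isoformat(),
    }


def run_monitor(messages=SAMPLE_MESSAGES, now=SAMPLE_NOW):
    """Log every message that is not marked personal."""
    records = []
    for raw in messages:
        record = summarise_header(raw, now)
        if record is not None:
            records.append(record)
    return records


def purge_expired(records, now):
    """Drop records whose published retention period has ended."""
    return [r for r in records if datetime.fromisoformat(r["retain_until"]) > now]


def days_after(n):
    """Helper for the demonstration: the sample clock advanced by n days."""
    return SAMPLE_NOW + timedelta(days=n)


if __name__ == "__main__":
    logged = run_monitor()
    for r in logged:
        print(r["sent"], r["from"], "->", r["to"], "|", r["subject"])
    left = purge_expired(logged, days_after(RETENTION_DAYS + 1))
    print(len(left), "records left after the retention period")
```

The design point is that the monitor never touches the message body, so a later decision to examine content is a separate, justified step rather than a side effect of routine logging; the purge date travels with each record so that whoever stores the log can enforce the period that staff were told about.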

    The internet

    Employers should consider using monitoring that prevents rather than detects misuse, such as blocking access to inappropriate sites or material by using web-filtering software.

    The Chartered Institute for Personnel and Development (CIPD) suggests that:

  • certain websites are banned

  • downloading offensive material is banned

  • internet access may be monitored

  • there are clear penalties for misuse of the internet

  • the internet is used for business use only or for private use as well.

    Policies on internet usage vary widely from company to company: some allow reasonable personal use of the web, in some cases only outside working hours, and others allow no personal use at all.

    The code's supplementary guidance recommends considering using monitoring that prevents rather than detects misuse, such as blocking access to inappropriate sites or material by using web-filtering software. It suggests:

  • taking advantage of state-of-the-art technology which can undertake complex analysis of images and prevent display of sexually explicit material without disrupting normal business activity

  • preventing misuse of systems by recording the time.

    What to include in the policy

  • State what is acceptable use and what is prohibited, stating unequivocally that downloading offensive, obscene or indecent material is forbidden

  • State what your policy is on changing and disclosing security passwords: one of the easiest ways for a hacker to get into a system is to ask an unsuspecting employee for their password

  • Make it clear to staff that they are responsible for the security of their computer terminal and that they must not allow it to be used by an unauthorised person

  • Make it clear who is allowed access to the internet, from whom they will get this access and whether it will be for business use only

  • State clearly what monitoring takes place, where, why and when

  • Notify that e-mail may be intercepted and read while the employee is absent

  • Highlight possible disciplinary consequences for breach of rules.

    Video and audio monitoring

    Continuous video and audio monitoring is considered to be particularly intrusive for workers, and even more so when the two are combined.

    If you do carry out any video or audio monitoring, you need to make it clear that it is taking place, and where and why it is being carried out.

    The Data Protection Code suggests displaying a prominent sign identifying the organisation responsible for the monitoring and why it is being undertaken, with information on who to contact regarding the monitoring.

    Although the DPA allows for covert monitoring in limited circumstances, for example where telling workers about the monitoring would be likely to prejudice the detection of crime, workers should normally be told clearly when monitoring is taking place.

    The code recommends limiting the number of staff involved in covert monitoring and clearly identifying in your policy who has the authorisation to be involved. You should set down clear rules limiting the disclosure of and access to personal information obtained.

    You should make it clear that any information about workers who are not the target of the investigation should be deleted as soon as is practicable.

    Activities you could not be reasonably expected to ignore include criminal activity, gross misconduct or practices that jeopardise the safety of others.

    Location of cameras

    The legal requirements in terms of location and use of equipment, as set out in the CCTV Code, include:

  • Making sure operators are aware of the purpose of the scheme and that the equipment can only be used for that purpose

  • Placing clearly visible signs alerting the public to the fact that they are entering a zone covered by surveillance equipment and informing them of the organisation or person responsible for the scheme, its purposes and who to contact regarding the scheme. For example: "Images are being monitored for the purposes of crime prevention and public safety. This scheme is controlled by the Greentown Safety Partnership. For further information contact 01234 567890."

  • If signs are assessed to be inappropriate, the employer must have: identified specific criminal activity; identified the need to use surveillance to obtain evidence of this criminal activity; assessed whether the use of signs would prejudice success in obtaining such evidence; and assessed how long the covert monitoring should take place, to ensure it is not carried out for longer than necessary

  • Information should only be obtained in this manner to prevent and detect criminal activity or to apprehend and prosecute offenders, and should not be retained or used for any other purpose. Sound recording facilities should not be used to record conversations between members of the public.

    Quality of images

    It is important that any images produced by your equipment are as clear as possible to make sure they are effective for your purpose, such as preventing and detecting crime. The third, fourth and fifth data protection principles contained in the DPA are concerned with the quality of personal data. The CCTV code sets out standards which employers should meet in order to comply with the Act:

  • Use good quality tapes, if tapes are used

  • Clean the medium on which images are captured so that images are not recorded on top of images recorded previously

  • Do not use the medium if it has become apparent that the quality of images has deteriorated

  • If the system records features such as the location of the camera and references to date and/or time, these should be accurate

  • If an automatic facial recognition system is used to match images captured against a database of images, make sure both sets of images are clear enough to ensure an accurate match

  • Make sure the match is also verified and assessed by a human operator

  • Consider the physical conditions in which the cameras are located (for example, consider using infrared equipment in poorly lit areas)

  • Assess whether it is necessary to carry out constant real time recording or whether the activities you are concerned about occur at specific times (for example, consider only carrying out constant image recording for a limited period such as 10pm to 7am)

  • Maintain and service cameras to ensure clear images are recorded

  • Protect cameras from vandalism so they remain in working order

  • Make sure the camera is fixed within a specific time period.

    Documentation

    The CCTV code also recommends as best practice that employers have a documented procedure for ensuring the accuracy of any recorded features such as camera location and/or date and time reference and the results of the assessment made by the human operator are recorded even if there is no match. It also recommends that employers keep a maintenance log, define the person responsible for making sure the camera is fixed when necessary and that they monitor the quality of the maintenance work.

    Image processing

    The CCTV code sets out a series of standards which employers should meet if they are to comply with the Data Protection Act's principles:

  • Do not retain images longer than necessary (up to six months)

  • Remove or erase images once the retention period has expired

  • If retaining images for evidential purposes, make sure they are in an access-controlled secure place

  • On removing the medium used to record images to be used in legal proceedings, make sure the operator has documented the date of removal, reason for removal, any relevant crime incident number, image location (for example, the name and station of the police officer if the images were handed to a police officer, and the signature of the collecting police officer where appropriate)

  • Only let authorised employees view monitors displaying images from areas where individuals would have privacy expectations

  • Restrict access to recorded images to a manager or designated member of staff in charge of whether to allow third party access according to the organisation's documented disclosure policies

  • Only allow viewing of recorded images in a restricted area such as the manager or designated member of staff's office, barring access to other employees during viewing

  • Make all operators and employees with access to images aware of the procedures which should be followed for access

  • Train all operators in their responsibilities.

    In terms of best practice, the CCTV code recommends documenting the following when removing the image-recording medium for viewing purposes: date and time of removal; name of person removing the images; the name of anyone viewing the images including the organisation of any third party; reason for viewing; the outcome of any viewing; the date and time images were returned to the system or secure place if retained for evidential purposes.

    Access to and disclosure of images to third parties

    Employers need to make sure they control access to and disclosure of images recorded by CCTV and other surveillance equipment to make sure they preserve individuals' rights and to ensure the chain of evidence remains intact if images are required for evidential purposes.

    The CCTV Code's standards for meeting the DPA's requirement on access to and disclosure of images to third parties are:

  • Restrict access to recorded images to staff who need access for you to achieve your purpose of using the equipment

  • Document all access to the image-recording medium

  • Only disclose recorded images to third parties in limited prescribed circumstances (for example, if the purpose of the system is to prevent and detect crime, then limit disclosure to third parties to: law enforcement agencies to help with criminal enquiries; prosecution agencies; relevant legal representatives; the media if public assistance would help with a criminal incident, taking into account any victim's wishes; people whose images have been recorded and retained, unless this would prejudice criminal enquiries or proceedings)

  • Record all requests for access or disclosure

  • Do not routinely make recorded images widely available such as to the media or place them on the internet

  • Where images are made available, make sure it is the manager or designated member of staff who makes the decision, and that the images of individuals are disguised or blurred so they are not readily identifiable

  • If you hire an editing company, the manager or designated member of staff needs to make sure there is a contract between the data controller and the editing company; that the editing company has given appropriate guarantees regarding security measures and that the manager checks these guarantees are met; that the written contract makes it explicit that the editing company can only use the images in accordance with the designated staff member's instructions; and that the written contract makes the security guarantees provided by the editing company explicit

  • Make sure the above apply if the media organisation receiving the images is the one doing the editing.

    In terms of best practice, the CCTV code states that organisations should document the following if access to or disclosure of the images is allowed: the date and time of access or disclosure; the identification of any third party allowed access or disclosure; the reason for allowing access or disclosure; and the extent of information to which access was allowed or which was disclosed.
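As an added illustration of the image-processing standards listed earlier (retention of no more than six months, erasure on expiry, a documented removal record when a medium is taken for legal proceedings) together with the access and disclosure documentation just described, here is a small retention register. It is example code written for this page, not the CCTV code's own text or any vendor's software; the image identifiers, the 31-day local retention period, the officer and station name and the incident number are constructed placeholders.

```python
"""Image-retention register for CCTV recordings, applying the image-processing,
documentation and disclosure standards in the sections above. Added example;
not the CCTV code's own text or any vendor's product. Identifiers, names,
dates and the incident number are constructed placeholders."""
from datetime import datetime, timedelta

MAX_RETENTION = timedelta(days=182)  # the code's ceiling of "up to six months"

# Fields the code says must be documented when a medium is removed for legal
# proceedings, and when images are accessed or disclosed.
REMOVAL_FIELDS = ("date_removed", "reason", "crime_incident_number",
                  "image_location", "removed_by")
ACCESS_FIELDS = ("when", "third_party", "reason", "extent")


class ImageRecord:
    def __init__(self, image_id, captured):
        self.image_id = image_id
        self.captured = captured
        self.evidential = False     # kept beyond the period only as evidence
        self.removal = None         # documented removal record, if any
        self.access_log = []        # one entry per access or disclosure


class ImageRegister:
    def __init__(self, retention_days=182):
        retention = timedelta(days=retention_days)
        if retention > MAX_RETENTION:
            raise ValueError("retention must not exceed six months")
        self.retention = retention
        self.records = {}

    def add(self, image_id, captured_iso):
        self.records[image_id] = ImageRecord(image_id, datetime.fromisoformat(captured_iso))

    def due_for_erasure(self, now_iso):
        """Image ids past the retention period that are not held as evidence."""
        now = datetime.fromisoformat(now_iso)
        return sorted(r.image_id for r in self.records.values()
                      if not r.evidential and now - r.captured > self.retention)

    def erase_expired(self, now_iso):
        """Remove expired images and return the ids erased."""
        erased = self.due_for_erasure(now_iso)
        for image_id in erased:
            del self.records[image_id]
        return erased

    @staticmethod
    def _require(fields, details):
        missing = [f for f in fields if not details.get(f)]
        if missing:
            raise ValueError("undocumented fields: " + ", ".join(missing))

    def record_removal(self, image_id, **details):
        """Document removal of the medium for legal proceedings; the images
        become evidential so routine erasure leaves them alone."""
        self._require(REMOVAL_FIELDS, details)
        rec = self.records[image_id]
        rec.evidential = True
        rec.removal = dict(details)

    def record_access(self, image_id, **details):
        """Log an access or disclosure with the fields the code requires."""
        self._require(ACCESS_FIELDS, details)
        self.records[image_id].access_log.append(dict(details))
        return len(self.records[image_id].access_log)


def demo_register():
    """Build a register from constructed data and run it through one cycle."""
    reg = ImageRegister(retention_days=31)  # assumed local period, within the ceiling
    reg.add("cam1-2003-01-10", "2003-01-10T22:00")
    reg.add("cam1-2003-02-20", "2003-02-20T23:30")
    reg.add("cam2-2003-01-12", "2003-01-12T03:15")
    # Medium removed for a prosecution: fully documented, so it is kept.
    reg.record_removal("cam2-2003-01-12", date_removed="2003-01-13",
                       reason="theft investigation",
                       crime_incident_number="INCIDENT-NUMBER-PLACEHOLDER",
                       image_location="handed to PC Example, Greentown station",
                       removed_by="A. Manager")
    reg.record_access("cam2-2003-01-12", when="2003-01-13T10:00",
                      third_party="Greentown police", reason="criminal enquiry",
                      extent="22:00-04:00 recording, camera 2")
    return reg


if __name__ == "__main__":
    register = demo_register()
    print("erased:", register.erase_expired("2003-02-25T00:00"))
    print("retained:", sorted(register.records))
```

Two choices carry the weight here: an access or removal entry that lacks any of the required fields is rejected rather than stored incomplete, and images only escape routine erasure once a complete removal record exists, so "retained for evidential purposes" is always backed by the documentation the code asks for.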

    The code also recommends that if organisations do not have the facilities to carry out editing to blur or disguise images, they look at hiring this out.

    Access by data subjects

    Access to images by those monitored (data subjects) is a right under Section 7 of the Data Protection Act.

    The CCTV code's standards on access by data subjects are:

  • Make sure all staff involved in operating equipment can recognise a request for access to recorded images by data subjects

  • Provide individuals with a standard subject access request form along with a leaflet describing what images are being recorded and retained, why and giving information on disclosure policies

  • Make sure the manager or designated member of staff determines whether disclosure would also entail disclosing images of third parties and whether those images are held under a duty of confidence

  • If third party images are not to be disclosed, the designated member of staff should make sure these images are disguised or blurred

  • If a third party or company is hired, the designated member of staff should ensure there is a contract between the data controller and the third party, that the third party has given appropriate guarantees regarding security measures and that the manager checks these guarantees are met; that the written contract makes it explicit that the third party can only use the images in accordance with the designated staff member's instructions; and that the written contract makes the security guarantees provided by the third party explicit.

    Make all staff aware of their rights

    The code's best practice recommendations are that employers should provide data subjects (employees) with a standard subject access request form indicating the information required to locate the images requested and to identify the person making the request - such as a photograph - plus the fee to be charged for tracking down the image (up to £10). The form should also ask whether the individual would be satisfied with merely viewing the images recorded, should indicate that the response will be provided promptly and within 40 days of receiving the required fee and information, and should explain the rights provided by the Data Protection Act.

    All subject access requests should be dealt with by a manager or designated member of staff, who should also be the person to locate the requested image.

    If you do not have the facilities to blur or disguise images, then consider hiring a company to do this.

    If the designated member of staff decides a subject access request is not to be complied with, the following should be documented:

  • The identity of the individual making the request

  • The date of the request and the reason for refusing to supply the images

  • The name and signature of the designated member of staff making the decision.

    Personal data

    The definition of personal data is not just limited to circumstances where a data controller can attribute a name to a particular image. If images of distinguishable individuals' features are processed and an individual can be identified from these images, this amounts to personal data.

    Section 2 of the Data Protection Act separates out two distinct categories of personal data deemed sensitive. These are information on the commission or alleged commission of any offences, and on any proceedings for any offence committed, or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings. The latter is particularly significant for CCTV schemes set up by retailers with the police to identify known and convicted shoplifters from images.

    Covert monitoring

    Senior management should normally authorise any covert monitoring. Senior managers should satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice and that notifying individuals about the monitoring would prejudice its prevention or detection.

    Interception

    Interception is against the law unless it is authorised by the Lawful Business Practice Regulations.

    Illegal interception includes access to e-mails before they have been opened by the intended recipient, but not access to records of stored e-mails which have already been received and opened.

    In cases such as customer enquiries, the intended recipient is clearly the business rather than a specific individual and therefore monitoring such incoming communications will not involve interception.

    Monitoring through information from third parties

    The Data Protection Code recommends employers take special care when making use of information held by third parties, such as credit reference or electoral roll information. And where the employer wishes to obtain information about a worker's criminal convictions, they must obtain a disclosure certificate via the Criminal Records Bureau.

    An employee's financial circumstances should not be monitored unless there are firm grounds for believing that financial difficulties would pose a significant risk to the employer.

    Retention of information

    Once you have obtained information through monitoring and have evaluated it, you should not retain the information unless you have an overriding reason for doing so, advises the code. Generally, you should not retain information for more than six months. There may be some exceptions, such as in the example given by the code's supplementary guidance of an employment agency that routinely places its workers in a variety of short-term assignments with clients.

    Processing personal information

    Just as with activities such as recruitment and selection, monitoring requires processing of personal information and therefore is subject to the requirements of the Data Protection Act. The data protection principles say data must be:

  • fairly and lawfully processed

  • processed for limited purposes

  • adequate, relevant and not excessive

  • accurate

  • not kept any longer than necessary

  • secure

  • not transferred to countries without adequate protection.

    The code's supplementary guidance recommends:

  • considering who collects, uses, stores and destroys personal data

  • considering if all the information collected is truly necessary.

    It might be legitimate to request information about workers' other jobs where there is a justifiable need, for example in connection with the Working Time Regulations, or to ask for information about their children when considering an application for parental leave, points out the Data Protection Code.

    Personal information obtained for a particular purpose should not be used for another purpose. It is likely to be deemed unfair legally to tell employees that monitoring is being undertaken for a particular purpose then use the information for another purpose they have not been told about. There may be exceptions to this such as if such an approach is clearly in the worker's interest or if the information reveals activity that no employer could reasonably be expected to ignore.

    The code's supplementary guidance section suggests that the type of activities an employer could not reasonably be expected to ignore might include:

  • Criminal activity at work

  • Gross misconduct

  • Breaches of health and safety that might jeopardise other workers.

    Processing sensitive data

    The Data Protection Act sets out certain conditions which must be met if an employer is to process sensitive personal information. In terms of monitoring, the most relevant conditions are:

    1 The processing should be necessary for employers to exercise or perform any right or obligation conferred or imposed upon them by law, such as decisions in legal cases.

    These include obligations:

  • to ensure the health, safety and welfare of employees at work

  • to ensure a safe system of work

  • to ensure a safe working environment

  • not to discriminate on grounds of race, sex or disability

  • to protect customers' property or funds in the employer's possession

  • not to dismiss workers when it is unfair to do so.

    Example of application (code's supplementary guidance): If the employer has evidence that a worker is using its e-mail system to subject another worker to racial harassment and there is no reasonable alternative to monitoring the worker's e-mail to ensure the employer meets its obligations not to discriminate on grounds of race.

    Model document of acceptable use policy: E-mail

    Acceptable

  • Communication in connection with company business

  • Occasional personal use

  • Management access to read employees' mailboxes where there is a legitimate business need to do so (eg if a person is absent and important e-mail is expected)

    Unacceptable

  • Using e-mail for personal, non-business-related communication during the working day, outside of normal break times

  • Over-use of services for personal, non-business-related communication during break times or after hours. As a general guide, the following are examples of over-use:

    o   more than 5 non-business-related e-mail items per day, OR

    o   more than 30 minutes per day compiling and dealing with non-business-related e-mail, OR

    o   sending non-business-related e-mails directly to large distribution groups, OR

    o   forwarding "chain" e-mails, OR

    o   sending files with attachments (eg compressed files, executable code, video streams, audio streams or graphical images) to internal or external parties

  • The frequency, number, time of day and business volumes will all be relevant in judging any breach of this policy

  • Subscribing to non-business-related mailing lists

  • Giving or using company e-mail addresses for non-business-related contact to multiple response or open sites, eg Friends Reunited

    Forbidden

  • Sending e-mails, either internally or externally, or saving or storing attachments or documents, which could be regarded as:

    o   Defamatory or potentially libellous

    o   Harassment, victimisation or bullying under company policy (see link to additional information about this policy)

    o   A breach of company equal opportunities policy

    o   Discriminatory

    o   Abusive

    o   Pornographic

    o   Obscene

    o   Illegal

    o   Offensive

    o   Abuse of company logo or company name

  • Sending or commenting upon company business or information outside this group inappropriately. Further information on disclosure of information can be found in the link on this page

    Note: Anyone who receives material of the types listed above should inform their manager, UK information security or HR immediately. Failure to do so may result in disciplinary action.

    Source: Company acceptable use policy, Royal & Sun Alliance, IRS 2003

    2 The processing:

  • is of information relating to racial or ethnic origin, religious beliefs, physical or mental health

  • is necessary to identify or review equal opportunities

  • contains safeguards for the worker.

    Example of application (code's supplementary guidance): If monitoring arrangements are designed to prevent discrimination on grounds of racial origin, religion or disability.

    The processing must be necessary, meaning the purpose cannot reasonably be achieved any other way.

    3 The processing is necessary:

  • to exercise functions conferred on any person by or under an enactment

  • for the exercise of any functions of the Crown, a Minister of the Crown or a government department.

    This condition is relevant for public sector employers with specific legal duties in terms of the conduct or probity of their employees. It is also relevant where a public sector employer concludes that, in order to carry out its wider statutory functions, it is necessary to monitor workers and in doing so to process sensitive personal information.

    4 The processing is in the substantial public interest, is necessary to prevent or detect any unlawful act and must necessarily be carried out without the explicit consent of the data subject being sought, so as not to prejudice those purposes.

    Example of application (code's supplementary guidance): situations where monitoring is necessary to detect criminal activity in the workplace and where seeking the consent of the workers involved would amount to a tip-off. 'Unlawful acts' include not only criminal matters but also acts that breach other statutory or common law obligations.

    Model document of acceptable use policy: Internet

    Acceptable

  • Accessing business-related websites in relation to the user's job

  • Accessing websites (OTHER than those containing pornographic, offensive or obscene material) for non-business-related reasons during breaks, lunch hours and before or after the working day

    Unacceptable

  • Spending any periods of the working day looking at non-business-related internet sites

  • Tying up large proportions of internet resources on non-business-related activity, to the detriment of genuine business internet usage. This includes:

    o   Leaving live internet feeds open all day, eg, news, sports results, share-dealing sites

    o   Accessing, downloading, disseminating or storing images, video or audio streams for non-business-related purposes

    o   Making repeated attempts to access websites that, because of their inappropriate content, have been automatically blocked

    o   Making your own password and personal ID available to others, or using someone else's, to access the internet

    o   Downloading any copyright material without the owner's permission or distributing non-company information, images or text which would amount to a breach of copyright, rendering the company liable to legal action

    o   Joining mailing lists, soliciting information, subscribing to personal sites or participating in chat rooms or internet relay chat unless there is a business need to do so

    o   Making inaccurate, unsubstantiated, discriminatory, defamatory or adverse comments about any company, individual, product or service, either internal or external

    Forbidden

  • Abuse of the company's logo or company name

  • Posting of or commenting upon any company business or information on any non-company internet site or via web-mail

  • Downloading software used for hacking or cracking passwords

  • Deliberately accessing sites containing pornographic, offensive or obscene material

  • Downloading pornographic, offensive or obscene material

  • Downloading peer-to-peer and interactive chat utilities

  • Saving, storing or forwarding any non-business-related files or attachments which could be regarded as:

    o   Defamatory or potentially libellous

    o   Harassment, victimisation or bullying under company policy (see link)

    o   A breach of company equal opportunities policy

    o   Discriminatory

    o   Abusive or offensive

    o   Pornographic or obscene

    o   Illegal

    Source: Company acceptable use policy, Royal & Sun Alliance, IRS 2003

    5 The processing is in the substantial public interest, is necessary to carry out any function designed to provide confidential counselling, advice, support or other services and is carried out without the data subject's consent because the processing:

  • is necessary in a case where consent cannot be given by the worker (data subject)

  • is necessary in a case where the employer (data controller) cannot reasonably be expected to obtain the explicit consent of the data subject

  • must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the provision of counselling, advice, support or other services.

    This condition is relevant to the monitoring of calls to confidential counselling, advice or support lines such as those run by charities such as The Samaritans. It covers the position of the caller but not the worker taking the call.

    6 The data subject has given explicit consent to the processing.

  • This consent must be explicit, with the worker having been told clearly what personal data are involved and what use will be made of them. The worker must have given a positive indication of agreement such as a signature.

  • The consent must be freely given, with the worker having a real choice whether or not to consent with no significant detriment arising from not consenting.

    The code points out that the extent to which consent can be relied on in the context of employment is limited because of the need for it to be freely given.

    Example of non-application (code's supplementary guidance): If the direct consequence of not consenting is dismissal, being passed over for promotion or the denial of a significant benefit that would be given to a consenting worker. In this case, consent is unlikely to be freely given.

    Allowing employees access to personal data

    Information on employees should be made available if an access request is made, unless an exemption applies (for more information on this, see Employment Practices Code, Part 2, Section 9, Workers' access to information about themselves).

    With e-mail or video monitoring, allowing employees access to information about themselves may well be onerous if information is stored in a way that makes personal information hard to retrieve.

    Communicating policies to employees

    Employers need to make employees understand that the employer has a right to protect its communications technology from misuse and abuse, and to try to prevent embarrassment and falling foul of the law.

    Communication methods include:

  • E-mail

  • Follow-up circulars

  • Incorporation in staff handbook, either as a hard copy or intranet

  • Inclusion in individual contracts

  • Presentation to staff to explain the system and its use, possibly at induction stage

  • Training in effective use

    Training

    The Data Protection Code warns that there are risks that the Act will be breached if line managers embark upon monitoring their workers without authority and without taking into consideration the provisions of the code of practice.

    You will also need to set up instructions or training for those workers involved in monitoring, particularly in activities such as covert monitoring or monitoring using information from third parties, making them aware of the data protection principles involved.

    The CCTV-specific code of practice sets down standards for processing images and states clearly that to comply with the DPA's seventh data protection principle, all operators of monitoring equipment should be aware of:

  • the organisation's security policy, such as the procedures for gaining access to recorded images

  • the organisation's disclosure policy

  • the rights of individuals in relation to their recorded images.

    It is also a good idea to run training sessions in e-mail use and management. These need not be long: between half an hour and half a day. Centrica, for example, launched half-day seminars on getting the most effective use out of the mailbox last year. Other companies, such as construction materials company Lafarge Aggregates, have opted for half-hour e-mail briefings for their key e-mail users. Following a workforce survey in 2002 which found widespread frustration about e-mail, BT has set in motion a multi-pronged e-mail strategy including:

  • Team-based workshops on best practice

  • A charter outlining company expectations on e-mail best practice

  • An online e-mail fitness check which rates staff as bronze, silver or gold e-mail experts

  • Individualised mini training sessions

  • Internal coaches in e-mail best practice.

    Training in e-mail best practice should run parallel to any monitoring arrangements, eliminating the need for intrusive monitoring and making policies more effective.

    Data protection compliance

    Data Protection Code recommendations on managing data protection

  • Identify the person responsible for ensuring policies and procedures comply with the Act and that they continue to do so

  • Make sure they read all the relevant parts of the code

  • Check employment policies and procedures including unwritten practices against the relevant parts of the code

  • Eliminate areas of non-compliance

  • Inform those who need to know why certain procedures have changed

  • Put in place a mechanism for checking that procedures are followed in practice, such as occasional audits and spot checks and/or a requirement for managers to sign a compliance statement.

    All staff have a part to play in data protection compliance. Employers are liable to pay compensation for damage suffered by an individual as a result of a breach of data protection law arising from the actions of a line manager unless it is clear that the line manager has been acting outside his or her authority.

    Training line managers and having clear procedures in place will help protect your business against claims.

    You should make sure all employees are made aware of how data protection compliance affects how they work and what the possible consequences of non-compliance are, such as disciplinary action or personal criminal liability. The DP Code's supplementary guidance recommends incorporating such information in the general induction process for new members of staff and regularly reminding existing workers of their obligations.

    Taking action

    As with any policy, problems can easily arise if a policy is not used in practice. If a policy has not been consistently applied but is later used to justify a crackdown, this may be deemed unfair in the eyes of the law.

    If, for example, your policy imposes a ban on personal telephone calls but in practice you turn a blind eye to a limited number of personal calls, you will not be able to depend on there being a complete ban as your justification for carrying out monitoring.

    Employees should always be given the opportunity of explaining or challenging any information before action is taken against them. Employees can unwittingly visit websites through unintended responses of search engines, unclear hypertext links, mis-keying or misleading banner advertising.

    Without a policy specifying what is and what is not acceptable use, it will be difficult to summarily dismiss an employee for using facilities for what you regard as an unauthorised purpose, unless the act is a criminal offence.

    Any breaches of policies should be dealt with as you would deal with any other breach of rules, possibly leading to disciplinary action as set out in your discipline and grievance procedures. Acas has guidance on these areas (see the Acas Advisory Handbook: Discipline and Grievances at Work, which includes the code of practice on disciplinary and grievance procedures and gives examples of disciplinary and grievance policies).

    Although most of the respondents to a survey by IRS (Sex and surveillance: the internet at work) had encountered a breach in policy, not all chose to take formal action. Of those employers prepared to make comments, 30 said they had not disciplined anyone in the previous 12 months in relation to use of e-mail or internet. Twelve organisations had dealt with one disciplinary case, 17 with between two and five, one with between six and 10 and one had taken more than 10 such cases with employees.

    The survey found that 18 employers had dismissed one or more employees as part of disciplinary action - 29.5 per cent of those who answered the question. Reported dismissals for abusing e-mail and internet facilities included a new employee who spent too much work time on personal e-mails and the internet and so did not pass their probationary period; an employee dismissed for distributing confidential information to a potential customer; employees dismissed for continuing to access pornographic websites despite several warnings; and an employee convicted of downloading child pornography.

    Downloading inappropriate material

    In the case of Parr v Derwentside District Council, Parr was dismissed on grounds of gross misconduct, having used work-based internet facilities to access sexually explicit material. His claims of having visited the site by mistake, and of revisiting it because of concerns over easy entry by children, were pooh-poohed by the authority, whose stance was that it required moral probity on the part of its employees. The tribunal dismissed Parr's claim for unfair dismissal.

    But in the case of Dunn v IBM United Kingdom, Dunn's complaint of unfair dismissal was upheld. Dunn was dismissed for gross misconduct after admitting misuse of company assets by accessing pornography. But the tribunal took the view that summary dismissal did not fall within the range of reasonable responses. The breach of company policy had not been clear-cut and Dunn had admitted his offences without appreciating where this would lead. Dunn's compensation was, however, halved to take this into account.

    The following case illustrates the need for companies to set out clearly what they deem unacceptable and for them to think very carefully before they make a response to misuse or abuse of technology.

    In the case of Humphries v H Barnett & Co, Humphries was found to have used company computer facilities to download obscene pornography, including sex with animals. The employer placed him initially on 'garden leave' pending the expiry of one month's notice, but then decided after further computer checks that Humphries was not entitled to any right to notice because of the extent of misuse.

    The tribunal observed that the downloaded pictures were so obscene that they amounted to gross misconduct. This was despite the fact that the company had not laid down terms detailing what constituted gross misconduct, which made it hard to justify summary dismissal on the grounds of mere use of the internet for unauthorised purposes. But the tribunal reluctantly upheld Humphries' claim for wrongful dismissal on the grounds that the employer's decision to place him on garden leave meant it had waived Humphries' repudiatory breach of contract.

    Wasting company resources

    If you have included within your computer-use policy a statement about the unacceptability of employees wasting time surfing the internet for private purposes, it should be easy to tackle this when it happens by following the normal disciplinary procedures for addressing unsatisfactory work performance. If an employee continues to persistently misuse computer facilities despite having been warned, this could justifiably lead to dismissal.

    Gaining unauthorised access

    In the case of Denco Ltd v Joinson, the employer summarily dismissed Joinson for gross misconduct after he used another employee's password to gain unauthorised access to sensitive data. A tribunal ruled that Joinson's dismissal had been unfair as his motives were not improper, but the Employment Appeal Tribunal (EAT) overturned the decision, ruling that if an employee deliberately uses an unauthorised password to enter a computer known to contain information to which he is not entitled, this will constitute gross misconduct and will normally warrant summary dismissal. But the EAT warned that employers should make it very clear that any unauthorised interference with computers will carry severe penalties.

    Employers should avoid acting too harshly and should spell out clearly what action may be taken if employees misuse or abuse their technology.

    In the case of British Telecommunications v Rodrigues, Rodrigues' complaint of unfair dismissal was upheld. Rodrigues used and modified other employees' passwords to gain unauthorised access to information, but could easily have obtained the same information over the telephone. BT's computer policy emphasised the importance of security, but neither its disciplinary code nor any other company literature made it clear that incidents of computer misuse would automatically result in summary dismissal. The EAT upheld the conclusion that dismissal was an inappropriate penalty, particularly as Rodrigues had a long, good track record with the organisation.

    Sacking over disclosure of confidential information is common. The Inland Revenue discovered that one of its employees had written a letter to a right wing group, the National Socialist Alliance, offering to supply sensitive data from the Revenue's computer. The employer dismissed the employee for misconduct on the grounds of threatened disclosure of confidential information from records held on the employer's computer.

    The Inland Revenue made clear in its rules on confidentiality that information acquired by employees in the course of their work should not be misused or discussed externally.

    In the case of Winder v the Commissioners of Inland Revenue, the tribunal dismissed the employee's claim of unfair dismissal, saying the employer was entitled to conclude that although Winder had not actually disclosed confidential information, his offer was a breach of his duty to maintain confidence.

    Using the telephone for personal calls

    In the case of John Lewis plc v Coyne (2001) IRLR 139 EAT, the company had introduced a policy prohibiting employees from using office telephones for personal calls and had made it clear that any breaches of the policy would be viewed seriously and would normally lead to dismissal. Following an investigation, it was discovered that in the course of a year, an employee with more than 13 years' service and a clean disciplinary record had made a number of calls totalling £37.76. The employee was dismissed by the general manager who took the view that her conduct amounted to dishonesty, but the tribunal and the EAT upheld her claim for unfair dismissal.

    Although disciplinary action would have been appropriate in view of the fact that the company's telephone policy had been breached, it was not reasonable for the employer to treat the matter automatically as grounds for summary dismissal. This was because it was not obvious by ordinary standards that the employee's conduct amounted to dishonesty and there was no evidence to suggest that she would have realised her personal use of the company's telephones would be regarded in this light.

    References

    1. The Work Foundation (formerly the Industrial Society), Monitoring internet use and e-mails, March 2002

    2. Mark Crail, Sex and surveillance: the internet at work, IRS Employment Review, 7 November 2003

    3. Infosec, Information Security Breaches Survey, 2002

    Cases

  • Hall v Cognos Ltd, Hull employment tribunal, 17.2.98, case no 18033525/97

  • Parr v Derwentside District Council, Newcastle upon Tyne employment tribunal, 23.9.98, case no 2501507/98

  • Humphries v V H Barnett & Co, South London employment tribunal, 10.7.98, case no 2304001/97

  • John Lewis plc v Coyne [2001] IRLR 139 EAT

  • Denco Ltd v Joinson [1991] ICR 172 EAT

  • British Telecommunications plc v Rodrigues, EAT 20.2.95 (854/92)

  • Winder v The Commissioners of Inland Revenue, Ashford employment tribunal, 20.4.98, case no 1101770/97

    Policy for use of electronic communications

  • Set out clearly circumstances in which workers can use telephone and e-mail systems and internet access for private communications

  • Clarify extent and type of private use allowed, eg, restrictions on overseas phone calls or limits on size and type of e-mail attachments workers can send or receive

  • Specify clearly restrictions on material which can be viewed or copied, with examples of what sort of material might be considered offensive, such as material with nudity or racist terminology

  • Advise workers on the need to exercise care about types of personal information they can include in particular types of communication

  • Clarify alternatives such as ensuring confidentiality of communications with the company doctor by using suitably marked external post

  • Lay down clear rules for private use of employer's communication equipment when used away from the workplace

  • Explain the purposes of monitoring, the extent and the means

  • Outline how the policy will be enforced and what the penalties are for breaching the policy

    Source: Data Protection Code, good practice recommendations



    Actions: e-mail

  • Make sure e-mail monitoring is confined to address/heading unless there is a valid reason to examine content

  • Encourage workers to mark personal e-mails as such and to encourage those that write to them to do the same

  • Check workers are aware of retention periods for e-mails and internet use

  • Set up a system to inform workers of retention periods, such as displaying information online or in a communication pack

  • Avoid opening e-mails where possible, especially those clearly private or personal

    Source: Data Protection Code



    Example of e-mail disclaimer

    This e-mail and any files transmitted with it are confidential. If you are not the intended recipient, any reading, printing, storage, disclosure, copying or any other action taken in respect of this e-mail is prohibited and may be unlawful. If you are not the intended recipient, please notify the sender immediately by using the reply function and then permanently delete what you have received.

    Incoming and outgoing e-mail messages are routinely monitored for compliance with the Department of Health's policy on the use of electronic communications.

    For more information on the Department of Health's e-mail policy see www.doh.gov.uk/emaildisclaimer.htm

    Source: Department of Health



    Actions for covert monitoring

  • Obtain authorisation from senior management

  • Do not use covert audio or video equipment in places such as toilets or private offices except in exceptional circumstances

  • If covert monitoring is to be carried out in private areas, the police should be involved

  • If a private investigator is contracted to track employees, make sure there is a contract to ensure information is gathered according to Data Protection Act principles

  • Make sure the information is kept secure

  • Disregard information collected in the course of monitoring unless it reveals information no employer could be expected to ignore

  • Delete any information not related to the original investigation from records unless it concerns another malpractice

    Source: Data Protection Code good practice recommendations



    Actions on using third party information

  • Do not use credit reference agencies' customer checking facilities to monitor workers

  • Do not routinely use information obtained from workers because they are or have been customers, clients or suppliers

  • Only monitor employees' financial circumstances if you have serious concerns about risks posed by their financial difficulties

  • Set up a system to tell workers the nature and extent of monitoring using information from third parties

  • Directly inform staff of specific checks unless it would prejudice the prevention or detection of crime

  • Review company procedures for retaining information. Check that information is not normally retained for more than six months to comply with the Data Protection Act

    Source: Data Protection Code



    Employee guidelines to e-mail management: Nine Ss of e-mail best practice

  • Set aside time to deal with your e-mail; don't dip in each time your prompt sounds; deal with e-mail each day, but don't spend more than half an hour on it at any one time

  • Signpost the purpose of your e-mail; put as much detail as possible in the subject line

  • Show consideration and allow time for a response; expecting one immediately is unreasonable

  • Select the best medium for your message - is e-mail the most appropriate?

  • Short words and sentences are the most effective - grammar need not be perfect if the message is direct

  • Send back unwanted e-mails - only then will cultural change permeate the entire organisation

  • Structure your mailbox, use folders, sub-directories and colour-coding to keep messages well-organised

  • Scrutinise attachments before sending - far too many are unnecessary or could just as easily be in the message itself

  • Stop before you open any unusual attachments

    Source: Lafarge Aggregates



    Features to include in employee communications policies

  • How much personal use can be made, if any

  • Confidentiality issues, trade secrets, access to organisational information

  • When to attach disclaimers to e-mails

  • Good housekeeping practices including locking keyboards and password security

  • Use of language and appropriate etiquette (no capitalisation of text, correct forms of address and signing off)

  • Prohibition of inappropriate messages, for instance, any that might cause offence or harassment on grounds of sex, race, disability, age, religion

  • Prohibition of deliberate accessing of offensive, obscene or indecent material from the internet, such as pornography, racist or sexist material, violent images, incitement to criminal behaviour

  • Being aware of copyright and licensing restrictions that might apply to downloaded and forwarded material whether internet or e-mail, and including unauthorised software, games, magazine disc items

  • What monitoring, if any, will be carried out by the organisation

  • What might happen if a breach of the policy occurs

    Guidelines and frequently asked questions may also be used within the policy

    Source: Acas Internet and E-Mail policies
