For many employees, email and the web are indispensable business tools. When you give your employees internet access, you give them a resource that has the potential to reap enormous business benefits. But it also has enormous potential to be misused and – in some instances – that misuse can be damaging for the business.
We all have our favourite story about that highly inappropriate email that got into the public domain causing huge embarrassment to both the business and the individuals concerned. There are also examples of employee blogs that have in some cases resulted in the blogger being dismissed. One of the earliest cases was that of Ellen Simonetti, a flight attendant, whose “Queen of Sky” blog about her experiences led to her being fired by Delta Air Lines for content that they deemed inappropriate.
The problem is that people often "say" things in email and online which they would not feel comfortable saying to others in person. Informality combined with a lack of inhibition creates a potentially dangerous situation: what starts out as a jokey email can end in a defamation action. In one such case, Norwich Union paid £450,000 in an out-of-court settlement to Western Provident Association over libellous comments circulated on Norwich Union's internal email system about Western Provident Association's alleged financial problems.
Email is also a common feature in workplace harassment cases. While it is often one employee harassing another, under the Sex Discrimination Act the employer can be liable for the acts of its employees, whether or not they were done with the employer's knowledge or approval.
Aside from corporate embarrassment and bad publicity, poor IT governance can have an immediate financial impact. In July 2009, The Financial Services Authority (FSA) fined HSBC over £3 million for not having adequate systems and controls in place to protect their customers’ confidential details from being lost or stolen. The FSA found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen. In addition, staff were not given sufficient training on how to identify and manage risks like identity theft.
Use of social networks can affect business in terms of employee productivity. A recent study suggested that up to 233 million hours may be lost every month as a result of employees spending time on social networks, costing firms over £130m a day. It can also jeopardise confidential information. In a recent case involving Hays Specialist Recruitment, an employee stored his business contact information on LinkedIn, the online social networking site. Hays alleged that the employee had uploaded business contacts from the company's confidential database to his LinkedIn account. The employee argued that he had been encouraged to join LinkedIn and that, once a business contact had accepted the invitation to join his network, the information ceased to be confidential because it could be seen by all of his contacts.
How should employers respond?
How can an employer protect itself from all these various risks?
Banning the use of the technology is unlikely to be the answer. When the law firm Allen & Overy tried to ban its employees from using Facebook, there was an internal backlash: the lawyers said they needed Facebook to network with friends and business contacts who could develop business for the firm.
Also, there is no "one size fits all" solution. Every business is different. In one case, an investment banker was summarily dismissed by the bank's HR department for viewing adult websites at work, following a report from the IT department. His immediate boss complained to HR about the dismissal: HR had been unaware that he was a leading analyst for the adult entertainment industry and that access to websites with adult content was essential to his work.
The most important way for a business to manage risk in this area is to develop an IT and Communications Policy. Such a policy clearly defines appropriate and inappropriate use of the technology, and each business will need to set the limits of its own policy. A key benefit of having a policy is that it can be used to educate users about the risks that inappropriate use creates for the organisation and to give guidance on how the technology should properly be used.
The policy may address such issues as:
o A requirement that emails must not contain anything that is offensive, defamatory, discriminatory or harassing.
o A prohibition on viewing or distributing pornographic or obscene content, or content that may cause distress to others.
o The extent to which, if at all, employees may take part in blogging and social networking sites.
o An explanation of copyright on the internet, and that downloading software, audio or video files may be illegal.
o The procedures for handling personal information and other confidential data, such as the use of encryption.
o A reminder that an email that is thought to be private can quickly be circulated to many people both inside and outside the organisation, and so should not contain anything that would be embarrassing.
Importantly, policies will provide that, in the event of a breach of the policy, there could be serious disciplinary consequences which might include dismissal.
Having a policy is one thing, but it is also desirable to be able to monitor compliance with it. This may mean reviewing employees' emails and web browsing histories. However, this can be problematic because, under data protection laws, businesses cannot monitor their employees' email and internet use in a way that invades their privacy.
If disciplinary action is taken against an employee on the basis of evidence obtained through unfair monitoring then, far from enabling the employer to dismiss the employee, it could lead to an unfair dismissal claim by the employee against the employer. There could also be breaches of the Data Protection Act (DPA) (for unlawful processing of personal information) and the Regulation of Investigatory Powers Act (for unlawful interception of a communication). In any event, evidence obtained in breach of an employee's right to privacy may be inadmissible in court and therefore of no value.
So how can employers monitor abuse of their systems and gather evidence that may be needed for disciplinary proceedings?
Useful guidance is contained in the Information Commissioner’s Employment Practices Code, Part 3 of which relates to “Monitoring at work”. The Code confirms that the legislation does not prevent an employer from monitoring but makes it clear that in doing so employers must act in accordance with the DPA.
The starting point is that employees have a legitimate expectation that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment. If employers wish to monitor their employees, they should be clear about the purpose and be satisfied that the monitoring arrangement that they adopt is justified by real benefits that are delivered.
A key theme, therefore, is "proportionality". A balance must be struck between the legitimate expectation of workers that their personal information will be handled properly and the legitimate interest of employers in deciding how to run their own business. Employers should undertake an "impact assessment" to work out how to achieve this balance: identify the risks in the business and take proportionate steps to address them. Where one is available, a less intrusive method of monitoring should be used. For example, spot checks are preferable to continuous monitoring, and automated monitoring (for instance, software that checks for obscene language) is less intrusive than having emails reviewed by a person. It is also not normally appropriate to open emails that are clearly personal unless there are exceptional circumstances (for example, suspected criminal activity).
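The two "less intrusive" options mentioned above (automated screening rather than human review, and spot checks rather than reviewing everything) can be built into the monitoring tool itself. The following is an added illustration written for this page, not code from the article's authors or from any product: it screens a constructed set of messages against policy terms, skips messages that are clearly marked personal, and reports only a message ID and the category that matched, so no reviewer sees content until a separate, documented decision is taken to open that message. The message format, the marker strings and the policy terms are all assumptions for the example.

```python
"""Proportionate automated screening of workplace email (added example).

Assumed (hypothetical) message format: a dict with 'id', 'subject' and 'body'.
Design choices that follow the proportionality principle:
  * findings carry only the message ID and matched category, never the text;
  * messages whose subject is marked personal are not inspected at all;
  * a random sample is drawn for periodic spot checks instead of reviewing everything.
"""
import random
import re
from dataclasses import dataclass

# Constructed policy terms for the example; a real deployment would take
# these from the organisation's own IT and Communications Policy.
POLICY_TERMS = {
    "offensive": [r"\bidiot\b", r"\bmoron\b"],
    "confidential": [r"\bclient list\b", r"\bstrictly confidential\b"],
}

# Assumed convention: staff tag personal mail in the subject line.
PERSONAL_MARKERS = ("[personal]", "[private]")


@dataclass(frozen=True)
class Finding:
    """What a reviewer sees: which message and why, but not its contents."""
    message_id: str
    category: str


def is_personal(message: dict) -> bool:
    """True if the subject carries one of the agreed personal markers."""
    subject = message["subject"].lower()
    return any(marker in subject for marker in PERSONAL_MARKERS)


def screen(messages, terms=POLICY_TERMS):
    """Automated check: return Findings for non-personal messages that match a policy term."""
    compiled = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
                for cat, pats in terms.items()}
    findings = []
    for msg in messages:
        if is_personal(msg):
            continue  # clearly personal mail is not opened by the screen
        text = msg["subject"] + "\n" + msg["body"]
        for category, regexes in compiled.items():
            if any(r.search(text) for r in regexes):
                findings.append(Finding(msg["id"], category))
                break  # one finding is enough to refer the message for review
    return findings


def spot_check_sample(messages, fraction=0.1, seed=None):
    """Spot check: pick a random fraction of non-personal message IDs for periodic review."""
    rng = random.Random(seed)
    eligible = [m["id"] for m in messages if not is_personal(m)]
    if not eligible:
        return []
    k = max(1, round(len(eligible) * fraction))
    return sorted(rng.sample(eligible, k))


# Constructed sample traffic for the example.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Q3 numbers",
     "body": "Attached is the client list for the north region."},
    {"id": "m2", "subject": "[personal] dinner",
     "body": "You idiot, you forgot the booking again."},
    {"id": "m3", "subject": "Re: project plan",
     "body": "Thanks for the update, looks fine."},
    {"id": "m4", "subject": "Feedback on the build",
     "body": "Only an idiot would ship this."},
]

if __name__ == "__main__":
    for f in screen(SAMPLE_MESSAGES):
        print(f"refer {f.message_id} for review: {f.category}")
    print("spot-check sample:", spot_check_sample(SAMPLE_MESSAGES, fraction=0.5, seed=1))
```

Running the block refers m1 (confidential) and m4 (offensive) for review, while m2 is never inspected despite containing an offensive term, because its subject is marked personal. The point of the structure is that the impact assessment's decisions (what is screened, what is excluded, how much is sampled) are visible in the code and can be shown to employees in the policy.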
The other key theme is "transparency". To comply with the DPA and other legislation it is not necessary to obtain employee consent, but employees must be made aware, through an IT and Communications Policy, of the nature, extent and reasons for any monitoring, unless (exceptionally) covert monitoring is justified.
Implementing a policy cannot by itself eliminate all risk, but a properly considered policy that is well implemented and backed by appropriate training will mitigate the legal risks.
Please get in touch if you’d like us to prepare or review your employee IT & Communications Policy.