As Donald Rumsfeld, the current US Secretary of Defence, said: "…we know there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know."
There are clear downsides to the increased use of email (potential unwanted publicity and exposure to legal liability such as defamation claims). Monitoring employees’ use is an important part of mitigating the risks associated with email use. Often, the questions asked of lawyers about employee monitoring centre on proving what an employer knows, or suspects he knows, about a particular employee.
With the new information age and the proliferation of email use, employers have a huge amount of data about employees that is stored on their IT systems which is, potentially, available to them. A common misconception is that because this information resides on a system owned or controlled by an employer, the employer can do as it wishes with this data. This is not so. Acting arbitrarily in relation to this data can give rise to compensation claims and claims for constructive dismissal. Moreover, you may not be able to rely on the evidence you’ve collected in court or tribunal proceedings.
There is a complex legal framework governing the monitoring of employee email and Internet use. There are three main statutes: Regulation of Investigatory Powers Act 2000 (“RIP Act”), Data Protection Act 1998 (“DPA”) and Human Rights Act 1998 (“HRA”).
The RIP Act regulates the interception of communications (e.g. emails). Essentially, an employer can read emails which have not yet been read by an employee only if it has “lawful authority”. So far as business is concerned, lawful authority is established if you monitor communications for a limited range of purposes such as “to establish the existence of facts” and you inform employees and users of email about the monitoring.
The DPA regulates the processing and use of personal data. Clearly, monitoring, accessing and using email data involves the use of personal data. In the context of the DPA, the Information Commissioner has published “The Employment Practices Data Protection Code”. This is made up of four parts, one of which is concerned with “Monitoring at Work”. This part of the Code addresses monitoring of communications such as email. It is designed to assist with compliance with the DPA and promote good practice. In practical terms, if you are complying with the Code, you are likely to be complying with the RIP Act, DPA and HRA. It is possible to distil two key themes from the Code. Firstly, monitoring must be proportionate, i.e. it must balance the rights of the employer to run its business as against the privacy rights of the employee. Secondly, employees must have a clear idea of what monitoring is being undertaken.
In terms of complying with the Code and ensuring email monitoring is lawful, employers should undertake an impact assessment to ensure monitoring is proportionate, and develop and implement an email and communications policy.
Employers should use impact assessments to:
- identify the purpose and benefits of monitoring – ask yourself what are you trying to achieve
- is monitoring appropriate to that purpose? – ask yourself whether there are other less intrusive options or whether monitoring goes further than is necessary
- identify the impact on employees – is it intrusive?
- taking all this into account, come to a conclusion as to whether monitoring is justified
By way of illustration, consider the scenario whereby the employer is concerned about the length of time employees are spending surfing the Web – “cyber slacking”. Implementing a system whereby the employer could view the websites visited as well as the time spent on the Web may go too far. Arguably, all the employer needs to know is the time spent on the Web.
Although impact assessments do not need to be formal, you should record the process to ensure that you are able to demonstrate compliance if you are ever asked to by a disgruntled employee.
Lastly, you should only use monitoring results for their original intended purpose save in exceptional circumstances. Essentially, monitoring shouldn’t be used as a general intelligence gathering operation or a “fishing expedition”.
Email and communications policy
Employees need to know:
- when email use is monitored
- why the employer is monitoring
- how information collected will be used
- who it will be disclosed to
The policy should also set out clear standards of conduct and performance giving examples of appropriate and inappropriate use of email and the Internet. It can also cover matters such as data and systems security.
Implementing the policy is as important as developing the policy itself. It is not enough to simply hand staff a copy of the policy or require them to sign a consent form acknowledging the policy. Staff should be made continually aware of the contents of the policy by, for example, internal training sessions or regular reminders. This not only makes good business sense in terms of complying with the legal framework outlined above but also minimizes some of the risks associated with inappropriate email use.
We’ve all read and laughed at some of the email stories that the press are so fond of. Having a clear strategy for email and communications use should not only keep you out of the glare of law enforcers but also out of the gossip columns.