By Nigel Miller
SMT Online Web Exclusive
Employees online: how to protect the business
18 Nov 09
E-mail and web access for employees is necessary in most businesses but, as Nigel Miller explains, employers must always guard against the inherent dangers of such an open-door policy.
For many employees, e-mail and the web are indispensable business tools. When you give your employees Internet access, you give them a resource that has the potential to reap enormous business benefits – but it also has enormous potential to be misused and, in some instances, that misuse can be damaging for the business.
We all have our favourite story about that highly inappropriate e-mail that found its way into the public domain, causing huge embarrassment to both the business and the individuals concerned.
There are also examples of employees’ blogs that have, in some cases, resulted in the blogger being dismissed. One of the earliest cases was that of Ellen Simonetti, a flight attendant, whose Queen of Sky blog about her experiences led to her being fired by Delta Airlines for content deemed to be inappropriate.
The problem is that often people ‘say’ things in e-mails and online which they might not otherwise feel comfortable communicating to others in person. A combination of informality coupled with a lack of inhibition creates a potentially dangerous situation.
What might start out as a jokey e-mail can result in a defamation action. In one such case, Norwich Union paid £450,000 to Western Provident Association in an out-of-Court settlement because of libellous comments, circulated on Norwich Union’s internal e-mail system, about Western Provident Association’s alleged financial problems.
E-mail and workplace harassment
E-mail is also a common feature in workplace harassment cases. While it’s often one employee harassing another, under the Sex Discrimination Act the employer can be liable for the acts of its employees, whether or not those actions are carried out with the employer’s knowledge or approval.
Aside from corporate embarrassment and bad publicity, poor IT governance can have an immediate financial impact. In July 2009, The Financial Services Authority (FSA) fined HSBC over £3 million for not having adequate systems and controls in place to protect their customers’ confidential details from being lost or stolen.
The FSA found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen. In addition, staff were not given sufficient training on how to identify and manage risks like identity theft.
The use of social networks can impact business in terms of employee productivity. A recent study suggested that up to 233 million hours may be lost every month as a result of employees spending time on social networks, costing firms over £130 million every day.
It can also jeopardise confidential information. In a recent case involving Hays Specialist Recruitment, an employee stored his business contact information on LinkedIn, the online social networking site. Hays alleged that the employee had uploaded business contacts from the company’s confidential database to his LinkedIn account. The employee argued that he had been encouraged to join LinkedIn and that, once a business contact had accepted the invitation to join his network, the information ceased to be confidential because it could be seen by all his contacts.
How should employers respond?
How can an employer protect itself from these myriad risks?
Banning the use of the technology is unlikely to be the answer. When the law firm Allen & Overy tried to ban its employees from using Facebook, there was an internal backlash because the lawyers said that they needed Facebook to network with friends and business contacts who could develop business for the firm.
Also, there is no ‘one-size-fits-all’ solution. Every business is different. In one case, an investment banker was summarily dismissed by the bank’s Human Resources (HR) Department for viewing adult websites while at work after a report from the IT Department. His immediate boss complained to HR about the dismissal as HR were unaware that he was a leading analyst for the adult entertainment industry, and that access to websites with adult content was essential for his work.
The most important way that businesses can manage risk in this area is by developing an IT and communications policy. Such a policy will clearly define appropriate and inappropriate use of the technology.
Each business will need to define the limits of its own policies. A key benefit of having a policy is to use it to educate users about the risks for the organisation of inappropriate use, and to provide guidance as to how the technology should be used.
Such a policy might address the following issues:
• that e-mails must not contain anything which is offensive, defamatory, discriminatory or harassing
• a prohibition on viewing or distributing pornographic or obscene content or content that may cause distress to others
• to what extent – if at all – employees may take part in blogging and social networking sites
• an explanation about copyright on the Internet and that downloading software, audio or video files may be illegal
• the procedures for handling personal information and other confidential data, such as the use of encryption
• a reminder that an e-mail thought to be private can be quickly circulated to many people both within and outside the organisation, and should not therefore contain anything that would be embarrassing
Importantly, policies will provide that, in the event of a breach of the policy, there could be serious disciplinary consequences which might include dismissal.
Monitoring compliance and performance
Having a policy in place is one thing, but it’s also desirable to be able to monitor performance of that policy. This may mean reviewing employees’ e-mails and web browsing histories.
However, this can be problematic because, under data protection laws, businesses cannot monitor their employees’ e-mail and Internet use in a way which is invasive of their privacy.
If disciplinary action is taken against an employee based on evidence obtained through unfair monitoring then, far from this enabling the employer to dismiss the employee, it could lead to an unfair dismissal claim being made by the employee against the employer.
There could also be breaches of the Data Protection Act (for unlawful processing of personal information) and the Regulation of Investigatory Powers Act (for unlawful interception of a communication). In any event, evidence obtained in breach of an employee’s right to privacy may be inadmissible in Court and thus of no value.
Abuses of the system
So how can employers monitor abuse of their systems and gather evidence that may be needed for disciplinary proceedings?
Useful guidance is contained in the Information Commissioner’s Employment Practices Code, Part 3 of which relates to ‘Monitoring at work’. The Code confirms that the legislation does not prevent an employer from monitoring, but makes it clear that in doing so employers must act in accordance with the Data Protection Act.
The starting point is that employees have a legitimate expectation they can keep their personal lives private, and that they’re entitled to a degree of privacy in the work environment. If employers wish to monitor their employees, they should be clear about the purpose and be satisfied that the monitoring arrangement that they adopt is justified by real benefits that are delivered.
A key theme, therefore, is ‘proportionality’. A balance must be struck between the legitimate expectations of workers that their personal information will be handled properly and the legitimate business interests of employers in deciding how to run their own business.
Employers should undertake an impact assessment to work out how to achieve this balance. They should identify the risks in their business and take proportionate steps to address those risks. Where available, a less intrusive method of monitoring should be used. For example, spot checks are preferable to continuous monitoring, and automated monitoring (e.g. using software to check for obscene language) is less intrusive than having e-mails reviewed by a person.
Also, it’s not normally appropriate to open e-mails that are clearly personal unless there are exceptional circumstances (for example, if there’s suspected criminal activity).
Overriding need for transparency
The other key theme is transparency. To comply with the Data Protection Act and other legislation, it’s not necessary to obtain employee consent but employees must be made aware – through an IT and Communications Policy – of the nature, extent and reasons for any monitoring, unless (exceptionally) covert monitoring is justified.
While implementing a policy cannot itself eliminate all risk, if a properly considered policy is well implemented together with appropriate training then legal risks will be mitigated.
Nigel Miller is a commerce and technology partner at City law firm Fox Williams