Employee Monitoring Prepared for SurfControl by Hammonds

Transcription

1 The Legal Guide to Employee Monitoring Prepared for SurfControl by Hammonds UK Edition

2 T H E L E G A L G U I D E T O E M P L O Y E E M O N I T O R I N G Prepared for SurfControl by 1 Notice: This document serves as a guide for general information only; it should not be considered as legal advice. We make no warranty and accept no liability as to the accuracy or suitability of the guidelines contained herein. We advise organisations to seek individual legal advice prior to any implementation.

3 Sue Nickson, partner and national head of employment law at Hammonds looks at the importance of having an Internet policy. The subject of monitoring in the workplace always catches the interest of the press. It was back in 2000, but everybody still remembers the lewd sent to a Norton Rose lawyer from his girlfriend, which was forwarded to six colleagues and ended up being circulated worldwide. Mobile phone network operator Orange dismissed 40 members of staff for distribution of inappropriate material, stockbrokers Merrill Lynch dismissed 15 employees for sending offensive material on its system and in 2002 Hewlett Packard sacked two and suspended a further 150 for viewing and sharing inappropriate material. 2 The Human Rights Act 1998 came into force in October 2000 and implemented in the UK the European Convention on Human Rights (the Convention). The potential consequences for employers were clear from the decision of the European Court of Human Rights in the case of Halford v United Kingdom 1997 IRR471. Alison Halford, a senior police officer, alleged that her employer had tapped her private line work telephone. She successfully claimed that this was a breach of her right to privacy under Article 8 of the Convention. It was held that as her employer had not given her any prior warning that her telephone calls were liable to interception, she would have had a reasonable expectation of privacy for calls made on the private facility her office provided. The fact that the calls were made from the workplace did not mean that her right to privacy did not apply. It follows that the same principles will apply to communications and Internet use as to telephone calls. At the same time that the Human Rights Act came into force the Regulation of Investigatory Powers Act 2000 ("the RIP Act") updated the legislation governing the interception and monitoring of communications. It provided for both civil and criminal liability and made it unlawful to intentionally intercept communications over a public or private telecommunications system without lawful authority. A defence would only be available if it was reasonably believed that both parties to the communication consented to the

4 T H E L E G A L G U I D E T O E M P L O Y E E M O N I T O R I N G interception. Recognising that this would prevent monitoring of most workplace communications, further regulations were issued authorising the monitoring of communications where reasonably required for business purposes. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 ("the Regulations") provided that an employer retains the right to carry out monitoring despite the fact the employee has not given their express consent, if such monitoring is required to carry out the following: 3 recording evidence of business transactions preventing or detecting criminal activity ensuring compliance with regulatory or self-regulatory guidelines maintaining the effective operation of the employer's systems (e.g. preventing viruses) monitoring standards of training and service preventing the unauthorised use of the computer/telephone system - i.e. ensuring the employee does not breach the company's or telephone policies. Nonetheless, the Regulations provided that it would be necessary for an employer to take reasonable steps to inform employees that their communications might be intercepted. On 11 June 2003 Part 3 of the Data Protection Code on Employment Practices, entitled "Monitoring at Work" was published. This gives guidance on how employers should comply with the provisions of the Data Protection Act The interception of s is a form of data processing and therefore the employer has to comply with the Data Protection principles, including considering whether the monitoring intrudes unnecessarily on the employee's privacy. In particular, care should be exercised when monitoring communications that are clearly personal. Employers should avoid opening these s or confine monitoring to headings/addresses. Further, if access to an employee's or voic account is required while they are on holiday they should be informed in advance. The Code suggests that employers should: actively consider whether the risk that monitoring is designed to address justifies the intrusion into individuals' privacy by monitoring undertake spot checks rather than continuous monitoring limit monitoring to traffic data rather than the contents of communications as far as possible, automate the monitoring so as to reduce the extent to which extraneous information is made available to any person other than the parties to a communication target monitoring on areas of highest risk

5 The Code provides benchmarks that employers are expected to meet in order to comply with the Data Protection Act. It is clear that in any prosecution or other enforcement action account will be taken of the employer's regard for these particular benchmarks and the uncontested first benchmark for employers is to: Establish, document and communicate a policy on the use of electronic communications systems. 4 Is in writing There is a clear and absolute need for employers to have an Acceptable Use Policy (AUP) in place that is made known to all their employees. The risks that an employer will face if they do not put into place such a policy can be seen from the decision in the case of Dunn v IBM United Kingdom Ltd ET Case Number /97. Here the employee was summarily dismissed for accessing pornography on the Internet. The tribunal upheld the claim for unfair dismissal as it was not a case where there was a clear breach of company policy such as to automatically warrant summary dismissal. The uncertainty that an employer faces with such an unfair dismissal claim can be avoided with a policy that complies with the following minimum requirements: Is clearly communicated to all employees Sets out permissible uses of both and Internet Specifies the prohibited/inappropriate uses States what monitoring, if any, will take place Sets out acceptable on-line behaviour Stipulates unauthorised access areas Sets out privacy rules in relation to other users Sets out privacy rules in relation to employer's right to monitor and the nature and extent of such monitoring Stipulates possible disciplinary consequences for breach of rules

6 T H E L E G A L G U I D E T O E M P L O Y E E M O N I T O R I N G Ideally, the policy should also: 5 Set out any restrictions e.g. size/type of attachments that can be sent or received Set out the reasons for monitoring, the extent of monitoring and the means used giving examples of types of material Set out any restrictions on material that can be viewed or copied, Outline how the policy is enforced and penalties that exist for a breach of policy. It is an area that cannot be ignored as even leading companies have found to their cost. In the majority of the cases the offensive material being viewed or passed on is pornographic. The employer who doesn't deal with this issue may be at risk of facing constructive dismissal, discrimination claims or even criminal prosecution. In the case of Morse v Future Reality it was held that the downloading and viewing of sexually explicit images in the workplace by male workers did constitute sexual harassment if it makes the working environment uncomfortable for a female co-worker. It's worth remembering that compensation for discrimination is not capped. Conclusion In conclusion, employers who fail to put in place a relevant policy are at risk of a myriad of different claims, both civil and criminal. To minimise liability employers should consider putting in place, without delay, a carefully drafted Acceptable Use Policy (AUP) and Disciplinary Procedure and ensure that all employees are aware of the contents and implications of the policies. There is little point in having policies in place if employees are not aware of their contents. Failure to put employees on notice of the contents of these policies may affect an employer s right to take action against an employee for a breach of the policies if the employee is not aware either that usage is being monitored or that inappropriate usage could lead to disciplinary action up to and including dismissal. Therefore an AUP should link in closely with the Company s Disciplinary Procedure and Bullying and Harassment procedures.

7 However, no employer should only rely on a single solution when it comes to security. A simple three stage process offers the best protection for an organisation, its people and its assets. This process is: Policy As this guide outlines, a well written and communicated policy is key to providing legal support to an organisation s overall business strategy and allowing it to operate in a clearly defined way. 6 Education Organisations need to do more to use their own staff as a layer of protection by educating them better on how to use Internet and resources in a more efficient and secure way while protecting information, adhering to compliance issues and supporting the security infrastructure of the organisation. This helps workers become part of the solution rather than, as is often regarded, part of the problem. Technology Technology can be implemented to act as the safety net that enforces a company s own Acceptable Use Policy; but also to notify when a breach has been attempted. This will stop the majority of Internet use transgression in the workplace, provide information on general network traffic and enhance security systems already in place. For more information on how Internet filtering technologies can support your business go to:

8 All Internet content you read, send and receive carries a risk! SurfControl Web & Filter give you the tools you need to implement and enforce your own Acceptable Use Policy. Only SurfControl gives you THE TOTAL SOLUTION for comprehensive protection against harmful and inappropriate Internet content risks. REAL Security is a 3 stage integrated process of: 1 Policy - have an Acceptable Use Policy (AUP) in writing and communicate it to all employees 2 Education - give staff specific training on security issues 3 Technology - use filtering technology as your safety net FREE Guides & White Papers: How to write an AUP UK Legal Guide to Staff Monitoring Corporate Governance White Paper 7 Tips to Enforcing Corporate Governance Policy on your Network Download Now: FREE 30 Day Trial of our Software Products: SurfControl Web Filter SurfControl Filter SurfControl Instant Message Filter Download Now: