
Employers say proposals to enforce employees' privacy in the
workplace are unworkable and will have serious consequences for
business. Senior policy adviser at the British Chambers of Commerce
Policy Unit, Sally Low, says legislation must address these
concerns.
In late autumn last year the Information Commissioner's 60-page
draft Code of Practice on workplace privacy was circulated to
employers to gauge their views on proposed new legislation. Two
hundred employers wasted no time replying to what they saw as
flawed recommendations, prompting the Commissioner to delay the
timetable for legislation and implement the code in stages, the
first of which is due to become law next month.
The swift and angry response from business was due to the
potentially damaging impact many of the recommendations in the
draft could have on them. SMEs in particular will be hit hard if
the code goes ahead in its current form. Under the current
proposals employers will be forbidden from monitoring their
employees' use of the Internet and e-mail and will have few means
of protecting their business from abuse of these tools - such as
the introduction of pornography to the workplace, harassment of
staff, defamation, computer viruses or the disclosure of
commercially sensitive data.
Employers will be vulnerable to impersonation, loss of data and
intellectual property and potential loss of patents and copyright
breaches.
What the British Chambers of Commerce (BCC) and other business
organisations are pressing for is a Code of Practice that is fair,
workable and commercial; as it currently stands it is none of these
things. No attempt has been made to take into account the context
in which businesses will implement the code. The increasing
cumulative burden of business regulation and the accompanying
administrative costs fall heavily on businesses in tight
competition, and disproportionately on small businesses who do not
have the established in-house resources to deal with them.
Many businesses will accept that enhancement of working conditions
for employees and the eradication of poor practices by some
employers can be positive for businesses themselves. However,
legislation should not add to the administrative burden for
business or, if it is unavoidable, do so in ways that are
particularly sensitive to the needs of smaller businesses - this is
why the government launched the "think small first" campaign and
passed the Regulatory Reform Act 2001.
The BCC represents 135,000 businesses in the UK. We attach great
importance to consultations, which give us feedback as to how a
theory will impact on business if actually implemented. In writing
the Code of Practice it is vital to listen to the practical
experience of businesses and balance their needs with those of
employees.
Businesses tell us that the draft code is far too complex and, as
it stands, unworkable. There is also a strong chance that employees
could end up more vulnerable as the code supports tough
restrictions on the use of CCTV - which many employees feel adds to
their security - and some of the recommendations in the code could
make employees more vulnerable to harassment.
It is vital that the final Code of Practice should be clear in the
distinction between what is required in order strictly to comply
with the Data Protection Act and what is simply a guide to good
practice in the interests of data subjects and users. As it stands
this distinction is blurred and takes an inconsistent view of legal
requirements.
The reasons why an employer will undertake employee monitoring
should be understood. No employer engages in the expense of
monitoring unless there is a sound commercial reason for doing so.
This can be, as with call centres, for reasons of maintaining
the integrity of a system or for performance measurement. Most
employers in practice allow modest personal use of e-mail and the
Internet, but also need to protect their costs and avoid legal or
other liabilities.
The draft code is doomed to failure in seeking to establish what
level of monitoring is proportionate and attempting to specify it.
Employers must be able to determine what level of protection is
required for their business, its costs, reputation, systems and
liabilities. They should also be able to alert employees at the
start of their employment to any monitoring procedures and create
reasonable means for the employee to have privacy in personal
communications.
The draft Code is especially unrealistic where the Internet is
concerned. Given the risks associated with inappropriate Internet
access and the time that can be wasted by employees, routine or
random monitoring of Internet usage should be commonplace, not the
exception.
Simply promising to make the code shorter, call employees "workers"
and provide a summary, although helpful, is not enough. There is
little evidence Elizabeth France, the Information Commissioner, is
listening to business - a recent article in the Financial Times
reported that there was support at ministerial level for
introducing similar guidance throughout all government departments
and agencies.
For this code to be workable in a business context the content must
change fundamentally. The Information Commissioner must ask
herself, when writing the final version, if it is realistic about
the needs of business as well as employees.
Above all businesses want a Code of Practice which is reasonable,
balancing personal access on the one hand with protection for the
employer on the other. Finally, it must be commercial, recognising
the need for performance measurement and the fact that some
employers incur serious risks from inappropriate behaviour by
employees. If it is all these things it will have struck the right
balance and will be welcomed by business.
Sally Low is senior policy adviser at the
British Chambers of Commerce Policy Unit.