The subject of monitoring in the workplace continues to
attract press and public interest. It was back in 2000 when the
lewd email sent to a City lawyer by his girlfriend was first
forwarded to 6 colleagues and then circulated Worldwide in a matter
of only a few hours.
More recently the Department for Work and Pensions was
embarrassed by the revelation that some 20 employees had accessed
over 2 million pornographic images and websites during an 8 month
period. Approximately 18,000 of these sites involved child abuse
and in consequence some 20 dismissals resulted. A number of
blue-chip multi-national companies have similarly suspended or
dismissed such offenders in legions.
An NOP survey recently undertaken on behalf of one of the
world’s leading IT security companies demonstrates that even
several years after the implementation of strict rules regarding
the processing of emails, some 70% of employees would readily open
emails they suspected to be inappropriate in content and, perhaps
even more alarmingly, some 42% would circulate the offensive
material to colleagues and friends! Vicarious liability of
employers ensures that doing nothing is not a sensible option.
So what can be done by an employer to try and protect itself in
these circumstances?
The Telecommunications (Lawful Business Practice) (Interception
of Communications) Regulations 2000 (“the LBP Regulations”) provide
that an employer retains the right to carry out monitoring
notwithstanding that the employee has not given their express
consent provided such monitoring is necessary to carry out the
following:
• Recording evidence of business transactions
• Ensuring compliance with regulatory or self-regulatory
guidelines
• Maintaining the effective operation of the employer’s systems (eg
preventing viruses)
• Monitoring standards of training
• Preventing or detecting criminal activity
• Preventing the unauthorised use of the computer/telephone system
– ie ensuring the employee does not breach the employer’s email,
internet or telephone policies.
Nonetheless the LBP Regulations stipulate that it is necessary
for an employer to take reasonable steps to inform employees in
advance that their communications might be intercepted.
Part 3 of the Data Protection Code on Employment Practices,
briefly entitled “Monitoring at Work”, gives practical guidance on
how employers should comply with the provisions of the Data
Protection Act 1998. The interception of emails is a form of
data-processing and therefore the employer must consider whether
the monitoring intrudes unnecessarily on the employees’ privacy.
The Code suggests that employers should:
• Actively consider whether the risk which any given method of
monitoring is designed to address justifies that level of intrusion
into the individual’s privacy
• Limit monitoring to traffic data rather than the contents of
specific communications.
• Undertake spot-checks rather than continuous monitoring
• As far as possible automate the monitoring so as to reduce the
extent to which extraneous information is made available to any
person other than the parties to a communication
• Target monitoring on areas of the highest risk.
The Code also provides benchmarks that employers are expected to
achieve in order to comply with the Data Protection Act. It is
apparent that in any prosecution or other enforcement proceedings
account will be taken of the employers regard for these particular
benchmarks and the first benchmark for employers is to:
“establish, document and communicate a policy on the use of
electronic communication systems”
There is a clear and absolute need for employers to have an
Acceptable Use Policy (“AUP”) in place and for that Policy to be
made known to all employees and consistently enforced through the
employer’s disciplinary rules.
The uncertainty an employer may face in having to deal with
unfair dismissal claims arising out of the misuse of data or
electronic communication systems is however largely avoidable with
an Acceptable Use Policy which satisfies the following minimum
requirements:-
• The AUP must be in writing
• Must be clearly communicated to all employees
• Set out permissible uses of email and internet
• Specify the prohibited/inappropriate uses
• State what monitoring, if any, will take place
• Set out acceptable online behaviour
• Stipulate unauthorised access areas
• Set out privacy rules in relation to other uses
• Set out privacy rules in relation to the employer’s rights to
monitor and the nature and extent of such monitoring
• Stipulate the possible disciplinary consequences for breach of
the Policy.
The establishment and implementation of an effective AUP is an
imperative that simply cannot be ignored as many organisations are
increasingly finding to their cost. In the majority of cases the
offensive material being viewed or circulated is pornographic. The
employer who does not deal effectively with this type of issue may
be at risk of facing constructive dismissal and/or sex
discrimination claims or even criminal prosecution.
In the case of Morse -v- Future Reality it was held that the
downloading and viewing in the workplace by male workers of
sexually explicit images constituted sexual harassment as it
rendered the working environment uncomfortable for a female
co-worker. Indeed, such a claim may be well founded irrespective
of whether the images can actually be seen by the complainant as it
has been held to be sufficient for a claim from a female to succeed
if she is merely aware that such images are being viewed by her
male colleagues. It is also worth remembering that compensation
for sex discrimination remains uncapped.
Notwithstanding the possibility of those employees without an
effective AUP being at risk of facing plethora of both civil and
criminal claims, what of the waste of time and the cost of
down-time arising as a result of employers failing to manage the
activities of their staff? The cost of lost production may in many
cases be likely to exceed any liability under any civil or criminal
claim and as the Department for Work and Pensions must have asked
itself, “how long does it take to access 2,319,569 pornographic
images and web-sites and should the taxpayer be paying our civil
servants to do this?”.
Separate and apart from the issues of civil and criminal
liability and the cost of cyber-skiving, perhaps the most worrying
consideration is the increase in the prevalence of breaches of
security in IT systems. These include attacks from viruses and
spam, infiltration by spy-ware and leakages of confidential
information. Further, the misuse of third party intellectual
property, which for example in the music industry has led to the
development of a form of CCTV on the internet, highlights the
company director’s vicarious liability for the unlawful acts of
employees, potentially leading to considerable fines for pirating
or even imprisonment.
Many of these serious threats originate from either innocent or
reckless use of the internet by employees and here again a properly
drawn and enforced AUP can provide invaluable user guidance as well
as an essential measure of additional security to compliment and
support the basic electronic security protection/fire-walls, etc.
which any well-run organisation should already utilise.
The law perpetually struggles to keep abreast of technological
advances and it is therefore essential that AUP’s are regularly
updated to take account of the ever increasing exposure to new
risks for example via internet messaging, Peer-to-Peer and USB
sticks. When the prevalence of an increasingly mobile or
home-based workforce is factored into the equation the degree of
risk multiplies yet further and the mounting challenges can only
adequately be addressed by constant vigilance.
Ian Tranter is a Partner and employment law specialist at
Pannone & Partners. He can be contacted on 0161 909 3000
orian.tranter@pannone.co.uk