
When you give your employees internet access, you give them a
resource that has the potential to deliver enormous business
benefits. But it also has enormous potential to be misused and, in
some instances, that misuse can be damaging for the business, writes
Nigel Miller, commerce and technology partner at City law firm Fox
Williams.
We all have our favourite story about an inappropriate e-mail
that got into the public domain, causing embarrassment to the
business and the individuals concerned. There are also examples of
employee blogs that have in some cases resulted in the blogger
being dismissed. One of the earliest cases was that of Ellen
Simonetti, a flight attendant, whose "Queen of Sky" blog about her
experiences led to her being fired by Delta Air Lines for content
that her employers deemed inappropriate.
The problem is that often people "say" things in e-mail and
online which they might not otherwise feel comfortable
communicating to others in person. A combination of informality
coupled with a lack of inhibition creates a potentially dangerous
situation. What might start out as a jokey e-mail can result in a
defamation action. In one such case, Norwich Union paid £450,000 to
Western Provident Association in an out-of-court settlement because
of libellous comments on its internal e-mail system about Western
Provident Association's alleged financial problems.
E-mail is also a common feature in workplace harassment cases.
While it is often one employee harassing another, under the Sex
Discrimination Act, the employer can be liable for acts of his
employees, whether or not done with the employer's knowledge or
approval.
Aside from corporate embarrassment and bad publicity, poor IT
governance can have an immediate financial impact. In July 2009,
the Financial Services Authority (FSA) fined HSBC more than £3m for
not having adequate systems and controls in place to protect its
customers' confidential details from being lost or stolen. The FSA
found that large amounts of unencrypted customer details had been
sent via post or courier to third parties. Confidential information
about customers was also left on open shelves or in unlocked
cabinets and could have been lost or stolen. In addition, staff
were not given sufficient training on how to identify and manage
risks such as identity theft.
Use of social networks can affect business in terms of employee
productivity. A recent study suggested that up to 233 million hours
may be lost every month as a result of employees spending time on
social networks, costing firms more than £130m a day. It can also
jeopardise confidential information.
In a recent case involving Hays Specialist Recruitment, the
employee stored his business contact information on social
networking site LinkedIn. Hays alleged that the employee had
uploaded business contacts from the company's confidential database
to his LinkedIn account. The employee argued he had been encouraged
to join LinkedIn and that, once a business contact had accepted the
invitation to join his network, the information ceased to be
confidential as it could be seen by all his contacts.
How should employers respond?
Banning the use of the technology is unlikely to be the answer.
When law firm Allen & Overy tried to ban its employees from
using Facebook, there was an internal backlash because the lawyers
said that they needed Facebook to enable them to network with
friends and business contacts, which could develop business for
the firm.
Also, there is no one-size-fits-all solution. Every business is
different. In one case, an investment banker was summarily
dismissed by the bank's HR department for viewing adult websites
while at work after a report from the IT department. His immediate
boss complained to HR about the dismissal as HR were unaware that
he was a leading analyst for the adult entertainment industry and
that access to websites with adult content was essential for his
work.
The most important way that businesses can manage risk in this
area is by developing an IT and communication policy. Such a policy
will clearly define appropriate and inappropriate use of the
technology. Each business will need to define the limits of its own
policies. A key benefit of having a policy is to use it to educate
users about the risks for the organisation of inappropriate use and
to provide guidance as to how the technology should be used.
The policy may address such issues as:
- E-mails must not contain anything which is offensive,
defamatory, discriminatory or harassing.
- A prohibition on viewing or distributing pornographic or
obscene content or content that may cause distress to others.
- To what extent, if at all, employees may take part in blogging
and social networking sites.
- An explanation about copyright on the internet and that
downloading software, audio or video files may be illegal.
- The procedures for handling personal information and other
confidential data, such as the use of encryption.
- A reminder that an e-mail that is thought to be private can be
quickly circulated to many people both within and outside the
organisation and so should not contain anything that would be
embarrassing.
Importantly, policies will provide that, in the event of a
breach of the policy, there could be serious disciplinary
consequences which might include dismissal.
Monitoring compliance
Having a policy is one thing, but it is also desirable to be
able to monitor performance of the policy. This may mean reviewing
employees' e-mails and web browsing histories. However, this can be
problematic because, under data protection laws, businesses cannot
monitor their employees' e-mail and internet use in a way which is
invasive of their privacy.
If disciplinary action is taken against an employee based on
evidence obtained through unfair monitoring, far from this enabling
the employer to dismiss the employee, it could lead to an unfair
dismissal claim being made by the employee against the employer.
There could also be breaches of the Data Protection Act (for
unlawful processing of personal information) and the Regulation of
Investigatory Powers Act (for unlawful interception of a
communication). In any event, evidence obtained in breach of an
employee's right to privacy may be inadmissible in court and so of
no value.
So how can employers monitor abuse of their systems and gather
evidence that may be needed for disciplinary proceedings?
Useful guidance is contained in the Information Commissioner's
Employment Practices Code, Part 3 of which relates to monitoring at
work. The code confirms that the legislation does not prevent an
employer from monitoring but makes it clear that in doing so
employers must act in accordance with the Data Protection Act.
The starting point is that employees have a legitimate
expectation that they can keep their personal lives private and
that they are entitled to a degree of privacy in the work
environment. If employers wish to monitor their employees, they
should be clear about the purpose and be satisfied that the
monitoring arrangement that they adopt is justified by real
benefits that are delivered.
A key theme, therefore, is "proportionality". A balance must be
struck between the legitimate expectations of workers that their
personal information will be handled properly and the legitimate
business interests of employers in deciding how to run their own
business.
Employers should undertake an impact assessment to work out how
to achieve this balance. They should identify the risks in their
business and take proportionate steps to address those risks. Where
available, a less intrusive method of monitoring should be used.
For example, spot checks are preferable to continuous monitoring,
and automated monitoring (e.g. using software to check for obscene
language) is less intrusive than having e-mails reviewed by a
person. Also, it is not normally appropriate to open e-mails that
are clearly personal unless there are exceptional circumstances
(for example, suspected criminal activity).
The other key theme is "transparency". To comply with the Data
Protection Act and other legislation, it is not necessary to obtain
employee consent but employees must be made aware through an IT and
communications policy of the nature, extent and reasons for any
monitoring, unless (exceptionally) covert monitoring is
justified.
While implementing a policy cannot itself eliminate all risk, if
a properly considered policy is well implemented together with
appropriate training, then legal risks will be mitigated.