Employers reacted with dismay this week to proposals for new regulations that will severely restrict their ability to monitor employees' e-mails, telephone calls and Web surfing habits.
A draft code of practice from the Data Protection Commissioner published this week will ban workplace monitoring, unless employers can show it is essential to protect their business.
But its publication, only a week after the Department of Trade & Industry issued regulations which appeared to give businesses extensive rights to monitor communications, has thrown employers into a state of confusion.
The Confederation of British Industry (CBI) said it was "bizarre" that one arm of government should be proposing advice and guidelines that conflict with those published by another.
Nigel Hickson, head of the CBI e-business group, said, "We are now faced with a situation where businesses have been told the legitimate business reasons why monitoring can take place and we are then told that routine monitoring of the content of communications is likely to be contrary to the Data Protection Act."
The code, the latest in a series of regulations to affect workplace surveillance, will have significant implications for the way IT departments manage Internet access.
It will mean that businesses will have no automatic blanket right to monitor all employees' communications to prevent the downloading of pornography, protect company secrets or stem other abuses.
Companies will have to show that they have evidence that staff are likely to misuse facilities, that their activity genuinely poses a risk to their business, and that there is no other way of dealing with the problem.
The code could force businesses using automatic monitoring systems to screen for pornography or scan e-mails for confidential documents to rethink their policies.
"Employers need to be very clear about why they are introducing monitoring and what the problem is they are trying to address. Monitoring should not be used for fishing exercises," said David Smith, assistant data protection commissioner.
The code will require employers to respect the privacy of e-mails, whether personal or work-related, if they contain personal information. Companies will have no right to open e-mails that are clearly private and will have to offer employees the chance to delete all copies of e-mails containing personal information from servers and back-up files.
Edwardo Ustaran, partner at law firm Paisner & Co, urged employers to issue their IT staff with guidelines to ensure they are aware of their obligations to protect privacy under the code.
"IT departments have a lot of power over information and access to employees' passwords. These regulations are going to affect them a lot," he said.
The Office of the Data Protection Commission denied that there was any contradiction between the code and the DTI's Lawful Business Practice Regulations, published last week.
"The lawful business practice regulations get you through the first hurdle - is monitoring legal,?" said Smith. "But you have to go further and consider whether personal information is processed fairly."
Companies have until 5 January 2001 to comment on the Data Protection code.
Workplace surveillance: dos and don'ts
This was first published in October 2000