AUP – Acceptable Use Policy or Acute Underlying Problems?

The subject of monitoring in the workplace continues to attract press and public interest. Back in 2000, a lewd email sent to a City lawyer by his girlfriend was first forwarded to 6 colleagues and then circulated worldwide in a matter of only a few hours.

More recently the Department for Work and Pensions was embarrassed by the revelation that some 20 employees had accessed over 2 million pornographic images and websites during an 8-month period. Approximately 18,000 of these sites involved child abuse and, as a consequence, some 20 dismissals resulted. A number of blue-chip multinational companies have similarly suspended or dismissed such offenders in large numbers.

An NOP survey recently undertaken on behalf of one of the world’s leading IT security companies demonstrates that even several years after the implementation of strict rules regarding the processing of emails, some 70% of employees would readily open emails they suspected to be inappropriate in content and, perhaps even more alarmingly, some 42% would circulate the offensive material to colleagues and friends!  Vicarious liability of employers ensures that doing nothing is not a sensible option.

So what can be done by an employer to try and protect itself in these circumstances?

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (“the LBP Regulations”) provide that an employer retains the right to carry out monitoring notwithstanding that the employee has not given their express consent provided such monitoring is necessary to carry out the following:
• Recording evidence of business transactions
• Ensuring compliance with regulatory or self-regulatory guidelines
• Maintaining the effective operation of the employer’s systems (e.g. preventing viruses)
• Monitoring standards of training
• Preventing or detecting criminal activity
• Preventing the unauthorised use of the computer/telephone system, i.e. ensuring the employee does not breach the employer’s email, internet or telephone policies.

Nonetheless the LBP Regulations stipulate that it is necessary for an employer to take reasonable steps to inform employees in advance that their communications might be intercepted.

Part 3 of the Data Protection Code on Employment Practices, briefly entitled “Monitoring at Work”, gives practical guidance on how employers should comply with the provisions of the Data Protection Act 1998.  The interception of emails is a form of data-processing and therefore the employer must consider whether the monitoring intrudes unnecessarily on the employees’ privacy.  The Code suggests that employers should:
• Actively consider whether the risk which any given method of monitoring is designed to address justifies that level of intrusion into the individual’s privacy
• Limit monitoring to traffic data rather than the contents of specific communications.
• Undertake spot-checks rather than continuous monitoring
• As far as possible automate the monitoring so as to reduce the extent to which extraneous information is made available to any person other than the parties to a communication
• Target monitoring on areas of the highest risk.

The Code also provides benchmarks that employers are expected to achieve in order to comply with the Data Protection Act. It is apparent that in any prosecution or other enforcement proceedings account will be taken of the employer’s regard for these particular benchmarks, and the first benchmark for employers is to:

 “establish, document and communicate a policy on the use of electronic communication systems”

There is a clear and absolute need for employers to have an Acceptable Use Policy (“AUP”) in place and for that Policy to be made known to all employees and consistently enforced through the employer’s disciplinary rules. 

The uncertainty an employer may face in having to deal with unfair dismissal claims arising out of the misuse of data or electronic communication systems is, however, largely avoidable with an Acceptable Use Policy which satisfies the following minimum requirements:
• The AUP must be in writing
• Must be clearly communicated to all employees
• Set out permissible uses of email and internet
• Specify the prohibited/inappropriate uses
• State what monitoring, if any, will take place
• Set out acceptable online behaviour
• Stipulate unauthorised access areas
• Set out privacy rules in relation to other uses
• Set out privacy rules in relation to the employer’s rights to monitor and the nature and extent of such monitoring
• Stipulate the possible disciplinary consequences for breach of the Policy.

The establishment and implementation of an effective AUP is an imperative that simply cannot be ignored as many organisations are increasingly finding to their cost.  In the majority of cases the offensive material being viewed or circulated is pornographic.  The employer who does not deal effectively with this type of issue may be at risk of facing constructive dismissal and/or sex discrimination claims or even criminal prosecution. 

In the case of Morse -v- Future Reality it was held that the downloading and viewing in the workplace by male workers of sexually explicit images constituted sexual harassment as it rendered the working environment uncomfortable for a female co-worker.  Indeed, such a claim may be well founded irrespective of whether the images can actually be seen by the complainant as it has been held to be sufficient for a claim from a female to succeed if she is merely aware that such images are being viewed by her male colleagues.  It is also worth remembering that compensation for sex discrimination remains uncapped.

Notwithstanding the possibility of those employers without an effective AUP being at risk of facing a plethora of both civil and criminal claims, what of the waste of time and the cost of down-time arising as a result of employers failing to manage the activities of their staff? The cost of lost production may in many cases be likely to exceed any liability under any civil or criminal claim and, as the Department for Work and Pensions must have asked itself, “how long does it take to access 2,319,569 pornographic images and web-sites and should the taxpayer be paying our civil servants to do this?”.

Separate and apart from the issues of civil and criminal liability and the cost of cyber-skiving, perhaps the most worrying consideration is the increase in the prevalence of breaches of security in IT systems. These include attacks from viruses and spam, infiltration by spy-ware and leakages of confidential information.  Further, the misuse of third party intellectual property, which for example in the music industry has led to the development of a form of CCTV on the internet, highlights the company director’s vicarious liability for the unlawful acts of employees, potentially leading to considerable fines for pirating or even imprisonment. 

Many of these serious threats originate from either innocent or reckless use of the internet by employees, and here again a properly drawn and enforced AUP can provide invaluable user guidance as well as an essential measure of additional security to complement and support the basic electronic security protection (firewalls, etc.) which any well-run organisation should already utilise.

The law perpetually struggles to keep abreast of technological advances, and it is therefore essential that AUPs are regularly updated to take account of the ever-increasing exposure to new risks, for example via internet messaging, Peer-to-Peer and USB sticks. When the prevalence of an increasingly mobile or home-based workforce is factored into the equation, the degree of risk multiplies yet further and the mounting challenges can only adequately be addressed by constant vigilance.

Ian Tranter is a Partner and employment law specialist at Pannone & Partners. He can be contacted on 0161 909 3000 or [email protected]

