Data protection watchdog will revise e-mail monitoring rules

The UK's data protection watchdog is to revise a controversial code of practice governing employers' right to snoop on workers' e-mails, phone calls and Web use at work, following an outcry from business groups.

David Smith, the deputy information commissioner, said he recognised that the code should be reworked to acknowledge that there are often positive reasons for businesses to monitor workers' communications.

But he warned business leaders not to expect a wholesale rewriting of the Employment Practices Data Protection Code, which governs the rights of employers to monitor private e-mails, phone calls and Web use by staff at work.

"We are satisfied that the broad approach taken to monitoring is right," he told a meeting of employers and legal experts on Friday.

The code, which is undergoing an informal consultation period before its final publication in six weeks' time, has provoked a backlash from employers, who claim it is too complex and too biased in favour of employees' privacy.

The Confederation of British Industry warned that many employers would decide to ban the use of personal e-mail and Web browsing at work rather than risk breaching the terms of the code. "That is in no one's interests," it said.

Sally Low of the British Chamber of Commerce believes the code is too complex for personnel officers to understand. "If employers are going to use it, it needs to be clear, concise and understandable," she said.

Low urged the Information Commission to put its plans to publish the code, which she claimed was rushed and badly thought out, on hold to allow time for further consultation.

Philip Virgo, strategic adviser at the Institute for the Management of Information Systems (Imis), said the code should be revised to give guidelines to staff involved in investigating security incidents that could impinge on workers' privacy.

Other business groups called for Smith to clarify the status of software used by employers to automatically monitor e-mails for content and viruses under the code of practice.

Delegates at the meeting were concerned that businesses should be able to retrieve important e-mails if staff are away on holiday or off sick without running the risk of breaching the code's benchmarks.

A manager at one large UK company said his firm had got around the privacy problems that this raised by asking staff to sign an agreement that they would respect their colleagues' privacy when they needed to look at e-mails sent to absentees.

"We had one case where a manager had looked in a mail box and found comments about the manager sent to everyone else. We said that he had to disregard this," he explained.

Imis is recommending that larger employers pay for independently managed cyber cafes to be set up in workplaces to allow employees to send private e-mails without fear of being monitored.

E-mail monitoring recommendations
  • Limit monitoring to the minimum needed for security

  • Supervise workers manually rather than electronically

  • Use spot checks rather than continuous monitoring

  • Record traffic data not content

  • Do not open e-mails that are obviously personal

  • Allow workers to mark e-mails as personal

  • Provide staff with facilities for private e-mails

  • Use systems that prevent misuse rather than detect it

  • Record time spent on the Internet not the content viewed

  • Monitor departments not individuals.

Source: Employment Practices Data Protection Code