Privacy law must not penalise business

Employers say proposals to enforce employees' privacy in the workplace are unworkable and will have serious consequences for...

Employers say proposals to enforce employees' privacy in the workplace are unworkable and will have serious consequences for business. Senior policy adviser at the British Chambers of Commerce Policy Unit, Sally Low, says legislation must address these concerns



In late autumn last year the Information Commissioner's 60-page draft Code of Practice on workplace privacy was circulated to employers to gauge their views on proposed new legislation. Two hundred employers wasted no time replying to what they saw as flawed recommendations, prompting the Commissioner to delay the timetable for legislation and implement the code in stages, the first of which is due to become law next month.

The swift and angry response from business was due to the potentially damaging impact many of the recommendations in the draft could have on them. SMEs in particular will be hit hard if the code goes ahead in its current form. Under the current proposals employers will be forbidden from monitoring their employees' use of the Internet and e-mail and will have few means of protecting their business from abuse of these tools - such as the introduction of pornography to the workplace, harassment of staff, defamation, computer viruses or the disclosure of commercially sensitive data.

Employers will be vulnerable to impersonation, loss of data and intellectual property and potential loss of patents and copyright breaches.

What the British Chambers of Commerce (BCC) and other business organisations are pressing for is a Code of Practice that is fair, workable and commercial; as it currently stands it is none of these things. No attempt has been made to take into account the context in which businesses will implement the code. The increasing cumulative burden of business regulation and the accompanying administrative costs fall heavily on businesses in tight competition, and disproportionately on small businesses who do not have the established in-house resources to deal with them.

Many businesses will accept that enhancement of working conditions for employees and the eradication of poor practices by some employers can be positive for businesses themselves. However legislation should not add to the administrative burden for business or, if it is unavoidable, do so in ways that are particularly sensitive to the needs of smaller businesses - this is why the government launched the "think small first" campaign and passed the Regulatory Reform Act 2001.

The BCC represents 135,000 businesses in the UK. We attach great importance to consultations, which give us feedback as to how a theory will impact on business if actually implemented. In writing the Code of Practice it is vital to listen to the practical experience of businesses and balance their needs with those of employees.

Businesses tell us that the draft code is far too complex and, as it stands, unworkable. There is also a strong chance that employees could end up more vulnerable as the code supports tough restrictions on the use of CCTV - which many employees feel adds to their security - and some of the recommendations in the code could make employees more vulnerable to harassment.

It is vital that the final Code of Practice should be clear in the distinction between what is required in order strictly to comply with the Data Protection Act and what is simply a guide to good practice in the interests of data subjects and users. As it stands this distinction is blurred and takes an inconsistent view of legal requirements.

The reasons why an employer will undertake employee monitoring should be understood. No employer engages in the expense of monitoring unless there is a sound commercial reason for doing so. This can be for the reasons, as with call centres, of maintaining the integrity of a system or for performance measurement. Most employers in practice allow modest personal use of e-mail and the Internet, but also need to protect their costs and avoid legal or other liabilities.

The draft code is doomed to failure in seeking to establish what level of monitoring is proportionate and attempting to specify it. Employers must be able to determine what level of protection is required for their business, its costs, reputation, systems and liabilities. They should also be able to alert employees at the start of their employment to any monitoring procedures and create reasonable means for the employee to have privacy in personal communications.

The draft Code is especially unrealistic where the Internet is concerned. Given the risks associated with inappropriate Internet access and the time that can be wasted by employees, routine or random monitoring of Internet usage should be commonplace, not the exception.

Simply promising to make the code shorter, call employees "workers" and provide a summary, although helpful, is not enough. There is little evidence Elizabeth France, the Information Commissioner, is listening to business - a recent article in the Financial Times reported that there was support at ministerial level for introducing similar guidance throughout all government departments and agencies.

For this code to be workable in a business context the content must change fundamentally. The Information Commissioner must ask herself, when writing the final version, if it is realistic about the needs of business as well as employees.

Above all businesses want a Code of Practice which is reasonable, balancing personal access on the one hand with protection for the employer on the other. Finally, it must be commercial, recognising the need for performance measurement and the fact that some employers incur serious risks from inappropriate behaviour by employees. If it is all these things it will have struck the right balance and will be welcomed by business.

Sally Low is senior policy adviser at the British Chamber of Commerce' Policy Unit

E-mail Sally Low at the BCC >>

Read more on IT legislation and regulation