Cyberliabilities in the workplace

an article added by: Frank C. at 06032007


Richard Woudberg, legal counsel at Integralis, looks at the balance between freedom and control in the electronic workplace.

The rise in electronic methods of communication such as email and the Internet has provided employees with a greater degree of flexibility and freedom. However, employers wish, and indeed are often compelled by legislation, to maintain control over their employees, and the means by which they can do so can be increasingly intrusive. The need to strike a balance between the concerns of employers and employees is reflected in recent legislation. Employers have good reason to be concerned about email or Internet usage. Time spent on non-business-related emails or surfing the Internet may reduce profitability by reducing time spent on legitimate business. A recent survey by Websense highlighted that three-quarters of UK companies have dealt with cases of Internet misuse at some point, whilst a survey by Datamonitor has shown that two-thirds of companies are now actively monitoring employee Internet usage. Some companies have created official policies on employee use of the Internet, informing employees that they may be monitored and expressly barring employees from downloading offensive material. Others have no official policy and actively encourage employees to go online as much as possible to gain insight on competitors and customers.

Employers may risk being vicariously liable for defamatory material communicated by email. In a high profile case of recent years, incorrect rumours concerning a rival insurance company were circulated on Norwich Union’s internal email system, with the result that Norwich Union paid out nearly half a million pounds in a court settlement to the rival company. As email is so quick and easy, there is an increased risk that employees may unwittingly enter into contracts that bind their employers. A disclaimer should therefore be included on all emails that are sent out.

Use of email also brings an increased risk of leakage of confidential information, which may be an employer’s business secrets or confidential employee information. Employers should include in their electronic communications policy a clause to the effect that no confidential information is to be sent via email or that, if it is, it must be encrypted. Additionally, the use of encrypted emails must also be monitored, as it is a mechanism by which confidential information can leave an organisation without being interrogated for inappropriate content. Furthermore, employers now have a duty under the Data Protection Act (DPA) 1998 to prevent unauthorised access to employee information and must therefore take adequate security measures to comply with this.

Employers will also be concerned to prevent the infection of their networks by viruses, which may enter the system via attachments to emails sent from outside. ‘Spam’ (unsolicited or junk email) uses valuable bandwidth and email server space and wastes email recipients’ time. Spoof email can deceive the recipient into clicking on a hyperlink that connects to a prohibited site and can even request information to be returned by the ‘reply to sender’ command, which can have disastrous consequences in terms of loss of trade secrets, betrayal of client confidentiality or theft of data.

An employer may be vicariously liable if its employees create a working atmosphere that gives rise to sexual or racial harassment claims by other employees. Employees might do this by downloading, or sending to other employees, emails that the recipient considers offensive, such as sexually explicit jokes. Liability for such claims is not subject to any cap and such claims can be costly. Directors or other appropriate officers of a company may be liable if their employees send obscene material by way of email.

Under the Telecommunications Terminal Equipment Regulations 1992 an employee may be found guilty of an offence if he/she sends material that is grossly offensive or of an indecent, obscene or menacing character by means of a public telecommunication system. If the employer is a company, then the company’s officers may also be guilty of an offence if they are found to have consented to the above, or simply to have neglected to restrain the employee from his or her actions. In the event of a dispute between employer and employee, emails may provide vital evidence, but such evidence would be disallowed by the court or tribunal if it has been obtained unlawfully.

Controlling employee use of electronic communications

There is an increasing range of products now available that can monitor email and Internet use by employees. Email content can be checked by keyword to filter out any messages that contain specified words; for example, the phrase ‘business plan’ might be used to target employees engaging in rival business activities. Even more sophisticated products are available that are set up to monitor the overall context of communications rather than focusing on keywords. Internet use may be monitored by recording websites visited and time spent on each, and employers can prevent access to certain websites by installing software that blocks access to a database of sites that they control. For example, it is possible to classify types of site (i.e. business versus non-business sites) and use this classification to stop employees accessing pornographic sites on the Internet.
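As an added illustration of the category-based site blocking and time-spent reporting described above (this is example code written for this page, not any product’s or Integralis’s own software), the script below classifies URLs against a small site-category database, records a block/allow decision per request, and totals time per user and per category from a proxy-style access log. The log format, the domain names, the category list and the sample log lines are all constructed for the example.

```python
"""Added example: category-based web access policy and time-spent reporting.

Not a real product's code. The site-category database, the proxy log format
(timestamp user url seconds) and the sample log lines are constructed here.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed site-category database (hypothetical domains). A parent domain
# entry covers all of its subdomains, e.g. www.intranet.example.co.uk.
SITE_CATEGORIES = {
    "intranet.example.co.uk": "business",
    "supplier.example.com": "business",
    "news.example.org": "non-business",
    "social.example.net": "non-business",
    "prohibited.example.xyz": "prohibited",
}

# Categories the policy blocks outright; everything else is allowed but logged.
BLOCKED_CATEGORIES = {"prohibited"}


def categorise(url):
    """Return the category of a URL by matching its host or any parent domain."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SITE_CATEGORIES:
            return SITE_CATEGORIES[candidate]
    return "unclassified"


def policy_decision(url):
    """'block' for prohibited categories, 'allow' otherwise."""
    return "block" if categorise(url) in BLOCKED_CATEGORIES else "allow"


# Constructed proxy log: ISO timestamp, user, URL, seconds spent on the page.
SAMPLE_LOG = """\
2007-03-06T09:01:12 alice https://intranet.example.co.uk/reports 600
2007-03-06T09:12:30 alice https://news.example.org/headlines 300
2007-03-06T09:18:05 bob https://prohibited.example.xyz/index.html 5
2007-03-06T09:20:00 bob https://supplier.example.com/orders 900
2007-03-06T09:40:00 alice https://social.example.net/feed 1200
"""


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, url, secs = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "url": url,
            "seconds": int(secs),
        })
    return records


def time_by_category(records):
    """Per-user seconds spent per category. Only traffic metadata is used;
    no page content is inspected."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["user"]][categorise(r["url"])] += r["seconds"]
    return {user: dict(cats) for user, cats in totals.items()}


def blocked_attempts(records):
    """(user, url) pairs where the policy would have blocked the request."""
    return [(r["user"], r["url"]) for r in records
            if policy_decision(r["url"]) == "block"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, cats in time_by_category(recs).items():
        print(user, cats)
    print("blocked:", blocked_attempts(recs))
```

The report works from the access log alone (site, user, duration), which is the least intrusive form of Internet monitoring the article later contrasts with content inspection; a real deployment would take the category database from a vendor feed rather than a hand-written dictionary.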

Avoiding monitoring problems

Employers should have a clear policy on the use of communications, which includes guidance on Internet sites to avoid and on the appropriate use of email and the telephone. For example, a company might allow a certain amount of personal use of email and the telephone but not allow personal use of the Internet, and this should be made clear in the policy.

Notably, the DPA draft code states that with regard to Internet use, where the main concern for employers is the accessing and downloading of pornographic material, the statement that ‘pornographic’ sites are prohibited is not clear enough. Interestingly, the code also queries whether directors would be likely to be held liable for their employees sending obscene material by email if such use was clearly prohibited. It should be borne in mind, of course, that employees may inadvertently access prohibited sites, for example by clicking on a hyperlink in a spoof email or through a search facility.

The policy should warn employees that their emails may be monitored, highlight the disciplinary sanctions for inappropriate use of email or the Internet, and be included in the employment contracts and company handbook. It is also advisable to put a message on computer screens stating that the computer user consents to monitoring as stated in the company handbook. The DPA draft code states that in ascertaining an employee’s expectations or otherwise of privacy, regard will be had to the monitoring that takes place in practice rather than to the policy, so that if no monitoring takes place in practice, then it is not legitimate to suddenly start monitoring. Employees should be consulted on the benefits of an Internet policy to ensure that the employer’s conduct is seen as reasonable. The existence of a policy that is communicated to employees may be enough to allow employers to monitor without fear of redress from employees. Nevertheless, it may be desirable to go further and provide a separate computer terminal that is stated to be private, and likewise a separate telephone.

Oftel has published guidance on what should be included in a telephone use policy, including the approved nature and timing of personal calls and disciplinary measures for flouting the policy. It states that warnings alone may not be enough to counteract the ‘legitimate expectation of privacy’, and that separate phone lines should be provided for private calls. It also suggests that monitoring should be confined to that which is ‘necessary and proportionate’ to the issue it is seeking to address – for example, by using an itemised record of phone calls to find out about misuse of the phone by employees rather than by recording calls, which is more intrusive. For monitoring to be fair in terms of the code, the impact on the employee and his/her rights to a reasonable degree of privacy should be considered. The code states that the risks to be dealt with and benefits obtained by monitoring should be proportionate to the effects on the employee. Monitoring should be targeted to those employees who present a risk, and it is important to be aware of the specific business purpose for which the monitoring is to be carried out. Monitoring, states the code, should be as unobtrusive as possible in order to attain the business objective. This can be achieved by itemising calls rather than listening to the content; by using spot checks rather than continuously monitoring; by using automated methods where possible; and by monitoring the traffic of data rather than the content.

Where emails are accessed when staff are away, emails that are clearly personal should not be opened. In this regard it would be helpful if employees were told to keep personal and business emails separate. Another very important concern for employers will be the effect the new legislation may have on the use of email evidence by employers in tribunal claims. Emails often provide a very useful evidential trail, but evidence gathered by email monitoring that has been obtained in contravention of the Regulation of Investigatory Powers (RIP) Act or the Human Rights Act will be inadmissible.

Integralis, the corporate solutions division of Articon-Integralis, provides information security solutions to all industry sectors throughout the world, allowing organisations to grow and achieve their business goals securely. These solutions combine services and system integration, the deployment of ‘best-of-breed’ security products, as well as managed security services, and employ some of the leading technologists and most skilled engineers in the industry. Integralis is recognised as a leading and trusted provider of information security solutions in the European IT and e-commerce security market. For further information contact: Integralis Ltd, Theale House, Brunel Road, Theale, Reading, RG7 4AQ. Tel: +44(0)1189 306060; Fax: +44(0)1189 302143. Email: info@integralis.co.uk; Website: www.integralis.co.uk
