E-MAIL INTERNET POLICY – BACKGROUND INFORMATION

This article explains the background to the policy (HR 3/02) and (HR 12/00).

An employer’s right to monitor staff is a complex issue. There are three pieces of legislation that have a bearing on this issue, all of which are relatively new and interrelate. The law and best practice will be clarified through case law but, as yet, there have not been any significant cases.

The relevant legislation is:

  • Human Rights Act 1998
  • Data Protection Act 1998
  • The Regulation of Investigatory Powers Act 2000

The Human Rights Act, through article 8, states "everyone has the right to respect for his private and family life, his home and his correspondence". Therefore individuals have a right to privacy. What is uncertain is the right to privacy that an individual employee enjoys whilst they are in the workplace. It is also not yet clear whether or not an individual employee can waive their right to privacy. The expectation is that, providing an employer acts reasonably, proportionally and fairly, an employer may be able to restrict individuals’ right to privacy whilst they are at work. The Information Commissioner has published a draft code of practice relating to the Data Protection Act 1998 in which the Commissioner has sought to lay down some guidelines in respect of monitoring and surveillance. Again, the draft code suggests that any monitoring or surveillance should be designed to operate in such a way that does not intrude on employees’ privacy or autonomy and is both lawful and fair to employees. In addition, employers should be open about the monitoring and surveillance activity that they undertake. The Commissioner suggests that it would, in most circumstances, be inappropriate to carry out covert monitoring. However, the draft code was issued before the Regulation of Investigatory Powers Act 2000 (RIPA) was enforced (in October 2000) and it is anticipated that the code will be in line with RIPA when it is finalised and published later this year.

The RIPA allows monitoring and surveillance for a number of specific business purposes including "investigating or detecting unauthorised use of the (IT) system and to secure the effective operation of the (IT) system". Again, the best practice advice with regard to RIPA is for the employer to be perfectly open with employees about the nature and range of monitoring undertaken.

Therefore, the issues are complex and will be kept under constant review. The Service has legitimate reasons to monitor both e-mails and Internet usage. Firstly, to protect and secure its IT system and also to ensure that usage of the system is authorised. In addition, The Service has a responsibility to its staff to protect them from bullying, discrimination etc. or from being offended by inappropriate material. It also wishes to protect itself from third parties should a third party receive offensive or inappropriate material emanating from The Service’s IT system.

In order to balance its legitimate reasons for monitoring employees’ activities and to ensure that it does so legally, the Internet and e-mail policy set out in HR 3/02 was designed. This policy sets out what is authorised usage of its IT system and explains how the monitoring system works. In order to protect, as far as possible, the privacy of staff’s personal e-mails, The Service has made provision for e-mails that are clearly specified as ‘personal’ to be transmitted without being read.

The Service is therefore complying with the "present" best practice in relation to its e-mail/internet policy. It is being open about the reasons for its monitoring, has taken steps to allow staff privacy in relation to "personal" e-mails, has sought to fully inform staff, and has set out the procedure should the policy be breached.

Whilst we hope that the situation does not arise, it is clearly possible for serious harassment/discrimination or offence to be caused through the use of unacceptable e-mails or arising from content available on the Intranet. The Service wishes to be able to deal, in the strongest terms, with any wilful and serious breach of its policy. Therefore it is, again, best practice to ensure that the disciplinary procedure is clear and fully explained to staff. The Service recognises that it is all too easy to stumble on to inappropriate e-mail on the Intranet and has therefore set up a procedure for accidental breaches to be reported. The policy is not there to penalise/discipline staff for minor transgressions (unless repeated) but rather to ensure that any serious breach can be dealt with severely and quickly.

The procedure is designed to safeguard both The Service and its staff. Disciplinary action will not be taken unless a member of staff has wilfully breached the policy. All that The Service is trying to do is to ensure that staff treat each other with dignity and respect at all times and that offensive, discriminatory or other material that could be used to harass or bully staff is not introduced into the workplace. Surely, that is in everyone’s best interest.

In summary, the basic principles are:

An organisation can stipulate how its IT systems are to be used.

The Service has a legal responsibility to protect its staff from harassment, bullying or offence as well as the need to protect itself from legal liability to third parties.

The internal e-mail system should be considered to be another official method of communication with colleagues. Therefore, the same principles that apply in other forms of written or oral communication are equally applicable to e-mails. E-mails should therefore be considered as just another way of communicating officially with one another. It is therefore not acceptable to use language or discuss content that you would not discuss with colleagues through any other form of communication.

The Service also has standards of behaviour with respect to the sorts of images or printed matter that we would display in the office. The Service will not tolerate pornographic magazines, girlie calendars or other adult material being on display in its offices. Therefore, The Service does not want any similar items to be displayed on its IT equipment. Such material may cause offence to colleagues and therefore The Service has a duty to ensure that such material is not brought into its workplace. As a consequence, we need to have a policy about Internet usage which states that inappropriate material should not be accessed/viewed/downloaded etc. using The Service’s IT equipment.

In order to protect itself and its staff The Service uses monitoring software that identifies and logs any text/phrases/Internet sites that may be unacceptable. Once logged, this material may be seen by The Service’s IT security staff during the ordinary course of their work. Again, The Service needs to protect those staff from seeing unacceptable material. Therefore, The Service needs a policy which sets out what is authorised and unauthorised usage of the Internet using its IT equipment.

The Service has decided that staff should be able to use both the e-mail and Internet for their own personal use (subject to the restriction on unacceptable material/usage). We recognise that staff have a right to privacy and therefore we have introduced the policy with regard to external personal e-mails to ensure that personal e-mail communications (as long as they are properly flagged up as personal) will not be read. We have explained that personal use of the Internet will be monitored as will text messages sent via the Internet.

Many organisations do not allow personal use of either their e-mail or Internet facility but The Service felt, as a professional organisation, that it should allow its staff such personal usage. This decision will be reviewed in the light of experience.

In order to be able to deal with breaches of the policy the disciplinary rules need to be set out. Best practice dictates that it is best to be upfront and open with staff. Therefore, the disciplinary rules are set out in the policy.

Disciplinary action will only be taken where the policy has been wilfully breached. The policy includes a procedure for staff to report accidental breaches (which, given the amount of unacceptable material on the Intranet, are inevitable).

With regard to unacceptable material received from 3rd parties, disciplinary action will only be taken against a member of staff if there is evidence that the member of staff orchestrated the 3rd party action.

Staff are advised to create a folder called "Personal" in which to store any personal correspondence/e-mails. This folder should be created either in "My Documents" or as a folder in their Mailbox in Microsoft Outlook.

Human Resources

March 2002