Employees can use and misuse the Internet in a variety of different ways, which can lead to different types of liability for the employer. The differences in liability can arise either from the varying types of usage or from the type of content, or both.
The most lively areas of activity in the employer-employee context in the UK have been obscenity and defamation.
Obscenity
There has been a steady flow of reported incidents of employees being disciplined or dismissed for downloading obscene or pornographic materials from the Internet. The courts have shown themselves willing to ensure that the provisions of the relevant legislation (primarily the Obscene Publications Act 1959 and the Protection of Children Act 1978, both subsequently amended) are effective against those using the Internet.1 Recently, in R v Waddon,2 HHJ Hardy held that, where it was alleged that the defendant had uploaded obscene materials from his computer in the UK to his US-hosted Web site, that constituted publication within the United Kingdom for the purposes of the Obscene Publications Act 1959 since s 1(3)(b) of the Act provided that publication included transmission. He also held that when a police officer in the UK downloaded material from the US Web site into his computer, that publication or transmission was in effect still taking place on instructions originating from the defendant. Both the sending and the receiving took place within the jurisdiction.
Defamation
As to defamation, in two cases companies have made substantial damages payments as a result of the activities of employees. In 1997 a defamation claim brought by Western Provident Association against Norwich Union Insurance Company concerning an internal Norwich Union e-mail was settled on payment of £450,000 damages by Norwich Union. In 1999 a defamation case brought by Exoteric Gas Solutions and its owner Mr Andrew Duffield against British Gas was settled when the plaintiffs accepted a payment into court of £101,000. The case concerned an internal e-mail circulated by a British Gas area manager after Mr Duffield left British Gas to set up EGS.
Employer liability
Vicarious liability. An employer is vicariously liable for wrongful acts committed by its employees in the course of their employment. In general an employer will be liable for acts of the type the employee is employed to carry out or incidental to such employment, even though the method adopted by the employee was forbidden by the employer. On the other hand, where the employee was prohibited from doing the act at all, his performance of that act will normally be outside the course of his employment. If an employee sends a defamatory e-mail in the course of business correspondence with a customer, the employer company will be vicariously liable, notwithstanding that the employee was forbidden to send defamatory messages. If, on the other hand, the employee was, say, a cleaner who was not employed to correspond with customers (or anyone else) at all, then the company could argue that it was not vicariously liable.
The question of employer liability is less clear with personal e-mail communications. As a general rule a private communication unrelated to the company’s business should not result in the company being vicariously liable for a defamatory communication. An example would be an e-mail to a friend of the employee about their plans for the weekend.
However, it is well known that companies’ computer systems are routinely used for personal e-mail between staff. As external e-mail becomes common, the same culture is gaining hold. This is a different situation from paper communications, where a company can credibly argue that its stationery is not routinely made available for employees’ personal communications. A claimant might argue that, if personal e-mail is routinely tolerated by the employer, the employer becomes vicariously liable for any defamatory content. There would still be a strong argument that personal e-mail was not sent in the course of employment by the company but there has to be an increased risk of vicarious liability. In theory, the simplest way to avoid vicarious liability is to prohibit personal e-mail – but if the prohibition is honoured only in the breach it might not improve the company’s position.
Liability for Defamation. For some types of liability there may be additional routes to fixing an employer with liability. For instance, in defamation law anyone who participates in the first or main publication of a defamatory statement is liable for the defamation. In the traditional publishing context this applies not only to the author, the editor and the publisher, but also to the printer and the distributor. Although subordinate disseminators such as printers and distributors have an ‘innocence’ defence available to them under s 1 of the Defamation Act 1996, they are prima facie publishers and so potentially liable.
If an employer was held to have published any e-mails emanating from its system, then it would have to consider whether it could take advantage of any of the innocent dissemination defences under the 1996 Act.
Liability for criminal acts. A corporate employer’s potential liability for its employees’ criminal acts is more limited than that for civil wrongs. There are various routes to company liability for criminal acts of employees, which have given rise to much academic debate. For instance, a company may be vicariously liable on the clear words or construction of a statute.3 Or if any necessary acts and mental state were those of individuals who represent the controlling mind and will of the company and therefore can be identified with it, the company can be liable for the criminal acts of the individuals.4
Agency. The law of agency is of particular relevance to the formation of contracts. Were it not for the culture of informality which tends to pervade the use of e-mail, it would hardly be worth drawing attention to the fact that an employee communicating on behalf of a company can bind it to legal obligations. The point is significant since it is still quite common for companies who have strict signing procedures for hard copy correspondence to leave e-mail to its own devices. The employer will be bound where the employee has been given authority to enter into contracts on the employer’s behalf. However, the employer will also be bound if the employee reasonably appeared to the other party to have authority to enter into the contract on the employer’s behalf, even if he did not in fact have such authority.
Monitoring of Employees’ Internet Activities
The appropriate response of an employer to the prospect of liability for employee misuse of the Internet is likely to be a tripartite approach: education of employees as to appropriate and inappropriate use, implementation of clear rules and sanctions, and use of technical measures to screen or eliminate inappropriate content from the network.
The use of technical measures raises a number of increasingly controversial legal and ethical issues. Although to date employers, at least in the private sector, have been regarded as free to implement monitoring of employees’ Internet activities, at any rate so long as employees are made aware of the fact, the freedom to monitor is likely to be increasingly constrained in the future.
The potential constraints on freedom to monitor currently emanate from three different sources:
1. Review of the Interception of Communications Act 1995 (now the Regulation of Investigatory Powers Bill).
2. The European Convention on Human Rights and the implementation of the Human Rights Act 1998 (due to come into force on 1 October 2000).
3. Implementation of the Data Protection Act 1998 (in force as from 1 March 2000).
1. Regulation of Investigatory Powers Bill
As part of its review of the Interception of Communications Act 1985 (‘IOCA’), the Home Office proposed that the criminal offence of unlawful interception of communications, which currently extends only to public telecommunications systems, should be applied to private networks. Since this would prevent employers intercepting the communications (including e-mail traffic) of their employees on their own networks, the Home Office proposed that there should be a statutory exception allowing employers to continue to monitor communications in the workplace for legitimate business reasons.
The IOCA consultation has matured into the Regulation of Investigatory Powers Bill. The Bill, which is currently at the Committee stage in the House of Commons, will (if enacted in its current form) create a regime which will in most cases control, by regulations to be laid before Parliament by the Secretary of State, the circumstances in which an employer may intercept communications on its network.
The Bill does not apply to all private telecommunications networks, but only to those that are ‘attached’ to a public telecommunications network. However, what constitutes ‘attachment’ is unclear. The Government’s own Explanatory Note to the Bill is confused on this point. It seems likely, however, that only a private network with no means at all of communicating with a public telecommunications system would be excluded.
The scheme of the Bill, insofar as relevant to monitoring of employee communications, is as follows.
Criminal Liability. The Bill extends to private telecommunications networks the existing criminal offences of intercepting communications on a public telecommunications network.
The main relevant exception for private networks is that it excludes from the scope of the offence interception by a person with the right to control the operation or the use of the system, or by someone who has the express or implied consent of such a person to make the interception. This should exempt most employers from the scope of the criminal offence.
Civil Liability. Section 1(3) creates a new tort which would, unless the interception is within the scope of regulations to be issued by the Secretary of State, render an employer liable to be sued for damages or an injunction if the employer intercepts messages on its own network, or expressly or impliedly consents to another person doing so. There is an exception for consent to interception, but this is so limited that it is unlikely to be of great assistance.
The Bill is drafted sufficiently widely that the tort would cover both intercepting messages in transit across the network and also retrieving messages from a mailbox.
The Bill potentially would apply to the monitoring of activities on a network, such as collecting data about which Web sites a person has visited. However, under s 2(5) collection of address data is excluded from the definition of interception.
The tort consists of ‘interception without lawful authority of a communication on a private telecommunications network by, or with the express or implied consent of, a person having the right to control the operation or the use of a private telecommunication system’. This is actionable at the suit of the sender or recipient, or intended recipient, of the communication.
Under s 2(2), a person:
‘intercepts a communication in the course of its transmission by means of a telecommunications system if, and only if, he –
(a) so modifies or interferes with the system, or its operation,
(b) so monitors transmissions made by means of the system, or
(c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,
as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.’
To be lawful the person having control would seem to need to be acting within the exceptions provided by s 3(1) or regulations made under s 4(2).
Under s 3(1), interception by a person is authorised if the communication is one which is, or which that person has reasonable grounds for believing is, both:
(a) a communication sent by a person who has consented to the interception; and
(b) a communication the intended recipient of which has so consented.
The double requirement of consent by both sender and intended recipient will mean that in practice this provision will be of little assistance to employers.
Under s 4(2), the Secretary of State has power to issue regulations to authorise conduct which he considers to be legitimate practice required for the purposes of:
‘monitoring or keeping a record of –
(a) communications by means of which transactions are entered into in the course of that business; or
(b) other communications relating to that business or taking place in the course of its being carried on’.
This provision is designed to reflect Article 5 of Directive 97/66/EC concerning data protection and telecommunications. The need for such regulations in terms of legitimising many commercial practices and avoiding potential tortious liability means that employers will be concerned to know the extent to which the Home Office has already begun drafting such regulations.
The real impact of these provisions will become apparent only once the Bill has become law and the proposed regulations authorising monitoring for particular business purposes are published.
2. Human Rights Act 1998
The need to extend the IOCA criminal offence to private networks was justified by the Home Office as being required by the decision of the European Court of Human Rights in Halford.5 The decision established that communications (in that case telephone calls) made by an employee from business premises (in that case the Merseyside Police Authority) may be covered by the right of privacy under Article 8 of the European Convention on Human Rights and Fundamental Freedoms. Article 8(1) provides that ‘everyone has the right to respect for his private and family life, his home and his correspondence’. Article 8(2) provides that there shall be no interference by a public authority with the exercise of this right except in accordance with the law in certain specified circumstances.
One of the factors that the court took into account when deciding that Ms Halford had a reasonable expectation of privacy for her telephone calls was that she had not been warned that her telephone calls made using the internal telephone system were liable to be intercepted. The court found that no domestic law provided protection against interference by a public authority on a private network, so that any interference by a public authority could not be ‘in accordance with the law’.
On its facts, the case concerned interference by a public authority with Ms Halford’s telephone calls. The case did not address the difficult question of the extent (if any) to which Article 8 of the Convention requires the State to secure rights of privacy as between private persons in the private sphere (‘horizontal effect’). To the extent, therefore, that the Home Office justified the proposed extension of IOCA criminality to the wholly private sphere by reference to Halford alone, that reliance appears to have been misplaced.
When the Human Rights Act is fully implemented, the question of the degree of horizontal effect of Article 8 of the Convention will become a matter of direct concern to the courts, and will be addressed in the context of the particular provisions of the Act. What is clear is that the acts of public authority employers can already give rise to breaches of the Convention and the public authority employers will become directly subject to the Convention when the Act comes into force. The Home Office has issued a circular containing guidelines for public authorities on how to comply with the Halford decision in the context of telephones.
However, an employer acting within the scope of regulations under the Regulation of Investigatory Powers Bill, when it becomes law, or within the scope of the forthcoming Code of Practice under the Data Protection Act 1998 ought to be reasonably protected from a human rights challenge, since the acts would be authorised by law.
3. Data Protection Act 1998
The Data Protection Registrar (as she then was – now Commissioner) announced on 14 July 1992 that she would be circulating for consultation a draft Code of Practice governing the uses of personal data by employers. This would include employee surveillance such as interception of e-mail. Failure to comply with the Code could be visited with enforcement action by the Registrar or a claim for compensation by an individual who suffered as a result.
This action followed a detailed report from the Personal Policy Research Unit commissioned by the Registrar. No draft Code has yet been published. However, it is clear that e-mail is likely to contain personal data (and may contain sensitive personal data) and that employers are therefore subject to the general requirements to observe the data protection principles and the requirements of the Act generally in respect of such data.
Internet Access and E-mail Policies
As with any other piece of equipment or machinery provided for use at work, employers should have clear rules governing the use of e-mail and Internet access. As well as providing a useful management tool, well drafted e-mail policies to which employees have signed up will provide employers with defences to employee harassment claims (see below) and evidence of employee consent to use of personal data for the purposes of the Data Protection Act (see above). Rules will need to be tailored to particular business needs but there are some common general principles.
Common Policy Terms
Here are some examples of common policy terms.
• Only staff who have been granted written permission may access the Internet for any purpose or send external Internet e-mail.
• Internet access and e-mail are provided for business use. Employee e-mail communications are not considered private.
• The employers’ e-mail system is not to be used for unlawful, inappropriate, defamatory or obscene material. All information leaving the company in electronic form must reflect the standards and policies of the employer. No information which is illegal, unlawful, or likely to expose the employer to liability is to be stored on or transmitted by means of the employer’s systems.
• No file may be downloaded (i.e. saved) to the employer’s system from an Internet site unless doing so is expressly permitted by the terms of the site.
• No confidential, sensitive or otherwise proprietary information is to be communicated by e-mail over the Internet. Messages sent to recipients off site, if sent over the Internet and not encrypted, are not secure.
• Employees should be aware that merely deleting information may not remove it from the system and deleted material may still be reviewed by the employer and/or disclosed to third parties.
• The employer reserves the right to monitor the e-mail system (and other electronic material) at its discretion in the ordinary course of business. Note that in certain situations, the employer may be compelled to access and disclose messages sent over its e-mail system, or stored on its computers.
• Employees are not to disclose to others their e-mail password, provide e-mail access to an unauthorised user or access another user’s e-mail box without authorisation.
These general terms should be appropriate in virtually all cases and should be communicated to all employees so that they are aware of their existence and the reason for them.
Work Rule Or Contract Term?
In practical terms it will be more suitable for the employer to have the Internet access and e-mail policy as a separate document which can be updated from time to time as changes in law and changes in practice require. We are all familiar with staff handbooks containing disciplinary and grievance procedures, maternity policies and equal opportunities policies, for example.
If this is the course adopted, does the policy become incorporated into the contract with its terms enforceable as contract terms or not? In the absence of express agreement, the standard test is whether it is reasonable to infer from the circumstances that both parties must have intended the policy to have contractual force.6 From the employer’s point of view, for the avoidance of doubt, new employees should sign to acknowledge acceptance of their copy of the staff handbook or to confirm that they have read the relevant policies on commencement of their employment. When the policies change, employees must be made aware of those changes and acknowledge them (particularly if the changes are to their detriment) if the employer wishes to rely upon them as contractual terms at a later date.
When introducing a new policy, it may be more appropriate for the employers if it does not have contractual force but is simply a rule regarding conduct for employees working within the scope of their individual contracts. In the case of Dryden v Greater Glasgow Health Board,7 the employee was a smoker. Until 1991 areas in her workplace were specifically set aside for smokers but in that year the employers, having consulted with the workforce, introduced a prohibition on smoking. The employee resigned and claimed constructive dismissal on the basis that the introduction of the new policy constituted a material breach of her contract of employment. Her claim failed. It was held that the policy had no contractual effect and could not be used as a foundation for a constructive dismissal claim. The rule had been introduced for a legitimate purpose.
Similarly, in the case of D’Silva,8 the Council varied its code of practice on staff sickness so that procedures which had formerly applied after ten days’ absence, were now to apply after five days’ absence in any 12-month period. Additionally, the procedure on long-term sickness was changed to apply after six months’ absence rather than 12. Employees complained that this amounted to an unlawful variation in their contract terms as their consent had not been obtained but the Court of Appeal held that the code of practice was meant to lay down good practice and was required to be flexible and thus was not an appropriate foundation for contractual rights for individual employees.
The best advice is that it should be made clear in any contractual disciplinary procedure that breach of the Internet access and e-mail policy may amount to an instance of gross misconduct which may lead to dismissal. Employers should be free to alter the wording of the non-contractual policy itself from time to time but will need to ensure that those changes and the reasons for them are communicated to employees.
E-mail and Related Dismissal Cases
Unauthorised access
In deciding whether unauthorised access to any computer system constitutes grounds for dismissal, a tribunal will look closely at the circumstances of the particular case.
In the case of Joinson,9 Mr Joinson’s password gave him access only to a particular part of the data held on his employer’s computer system. He gained access to other more sensitive data by learning another password from his daughter who also worked for the same company. He was summarily dismissed. He had no improper motive. He had simply been ‘playing around with the system’. Although at first instance his summary dismissal was considered unfair, on appeal the EAT overturned that decision – ruling that, if an employee deliberately uses an unauthorised password to enter a computer known to contain information to which he is not entitled, this in itself constitutes gross misconduct.
By contrast, in the case of BT v Rodrigues, Mr Rodrigues was summarily dismissed for having obtained unauthorised access to computer data but his dismissal was found to have been unfair. He wanted access for legitimate work-related purposes and, although he had not been authorised to use the computer to access the information he had acquired, he would have been entitled to that information if he had asked for it over the telephone.
In both cases the Employment Appeal Tribunal stressed that employers should make it abundantly clear to employees in disciplinary codes or other company literature that computer misuse would automatically result in summary dismissal so that employees should be aware of the seriousness of their actions. ‘Playing around’ on the PC may in fact involve activity analogous to finding the key to and then opening the Managing Director’s secure filing cabinet.
Offensive non-business related use
Using Internet facilities at work to access pornographic material may not necessarily justify dismissal on grounds of gross misconduct. Much will depend on the circumstances. In the case of Parr v Derwentside District Council, decided in 1998, the local authority employer did not accept the employee’s claim that he had accessed a pornographic Web site by mistake when it could be established that he had accessed the site for a considerable period and had then re-visited it. In view of the fact that the employer was a local authority with standards to uphold, the tribunal was satisfied that the dismissal was fair. However, other employers may find it harder to convince a tribunal. In the case of Dunn v IBM United Kingdom Limited, also decided in 1998, the employee was summarily dismissed for gross misconduct. He admitted that he had accessed pornography via the Internet and made printouts of downloaded pictures. However, the tribunal found that his dismissal was not fair because he had admitted the offences without appreciating that the consequence would be his dismissal and the tribunal did not feel that any disciplinary procedure had been properly applied. In these circumstances, summary dismissal was inappropriate but the applicant’s compensation was reduced by 50% to take account of the fact that he had contributed by his behaviour to his own dismissal.
Harassment
Employees who access or transmit pornography while at work may use it to harass unlawfully their colleagues in the workplace. Their employers may be liable for their unlawful actions.
In the case of Morse v Future Reality Limited, decided in 1996, the female applicant was required to share an office with several men who spent a considerable amount of their time poring over sexually explicit or obscene images downloaded from the Internet, facilities available to them at work. She accepted that these activities were not directed at her personally, but they did cause her to feel uncomfortable. Eventually she resigned and made a claim against her employers of sex discrimination on the grounds of harassment – citing the pictures, bad language and general atmosphere of obscenity in the office as the basis of her complaint. The tribunal held that her claim was well founded. No-one had taken any action to prevent the behaviour complained of. She was awarded three months’ lost earnings and £750 for injury to feelings.
Summary for Employers
E-mail and Internet access create new responsibilities as between employer and employee. Contract terms, works rules and policies must be reviewed to ensure that they are up-to-date and appropriate. If employers do not create and apply clear rules, they may find themselves on the receiving end of unfair dismissal claims. These may be made by employees dismissed for unauthorised Internet use, or by employees affected by unauthorised Internet use by others.
Endnotes
1. See, for instance, R v Fellows, R v Arnold [1997] 2 All ER 548.
2. Ruling at Southwark Crown Court, 30 June 1999.
3. See eg Alphacell Ltd v Woodward [1972] 2 All ER 475; National Rivers Authority v Alfred McAlpine Homes East Ltd [1994] 4 All ER.
4. The ‘identification principle’ was enunciated by Lord Reid in Tesco Supermarkets Ltd v Nattrass [1972] AC 153 at p 170.
5. Halford v United Kingdom [1997] IRLR 471.
6. Petrie v MacFisheries Limited [1940] 1 KB 258.
7. Dryden v Greater Glasgow Health Board [1992] T IRLR 469, EAT.
8. Wandsworth London Bor. Council v D’Silva [1998] IRLR 193, CA.
9. Denco Limited v Joinson [1991] 1CR 172.
Penelope Christie is a partner at Bird & Bird. She may be contacted at penny.christie@twobirds.com or via 020 7415 6000.