Employees, computers and e-mails are a potent mix. They can cause all manner of problems for employers. Such hassles include racial and sexual harassment, downloading of pornography, defamation of management, customers or competitors, breach of confidence, copyright infringement, inadvertent formation of binding contracts, excessive time on the Internet in working hours and breaches of either the Computer Misuse Act 1990 or the Data Protection Act 1998. To try to combat these potential problems and to provide staff with some guidance, employers are increasingly adopting computer use and e-mail policies. Every business is different and no one size fits all. It is surprising how tough employment tribunals are prepared to be about the dismissal of employees for downloading of pornography, particularly if there is a policy in force forbidding this. One question that clients often ask me in these circumstances is whether they are required to notify the police. In my experience, the police are not interested unless the pornography is being sold by the employee or it involves children.
Monitoring of e-mails
Employers sometimes wonder whether they have the right to monitor voice calls or e-mail messages and there are a number of myths about this. There is no legal distinction between phone calls and e-mail messages for these purposes. Where employers have told employees that their calls will not be monitored or given an indication that that is the case then monitoring will be in breach of both the terms of employment and of the Human Rights Act 1998.
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) state that it is lawful for an employer to monitor and record certain types of communications in restricted circumstances without the consent of the sender or recipient. Without the Regulations, the employer would be in breach of the Regulation of Investigatory Powers Act 2000. Under the Regulations, an employer who wants to intercept communications must make all reasonable efforts to inform every person who may use the system that interception may take place. This is easy with employees as notification of monitoring can be given. It is more difficult with third parties. One possibility is to include an automatic warning about monitoring at the end of all external emails.
Employers should remember that, even if interception of messages is carried out by them in a legitimate manner, any use by them of the information gathered must be proportionate and in accordance with the data protection legislation (eg it should not be passed on to third parties without good cause or the consent of the employee concerned). The data protection legislation prohibits the abuse of data about living individuals (eg by such data being used for purposes for which the individual has not consented).
The Information Commissioner has published a code on monitoring at work. Although this code does not have the force of law, it can be used in any enforcement action by the Information Commissioner and may be referred to in employment tribunal proceedings. The code emphasises that monitoring of messages should take place only when there is a real business need and the methods used should not be unduly intrusive into an employee’s privacy. Employees have a reasonable expectation that they can keep their personal lives private, which means that they are entitled to some privacy at work. It is recommended that employers should, wherever possible, avoid opening e-mails, especially ones that clearly show that they are private or personal. Employees should be aware that monitoring is taking place and told the reasons for it and the means used. Covert monitoring will only be legitimate in the most exceptional of circumstances such as the detection of crime or equivalent wrongdoing. It is good practice for the monitoring to be carried out by someone other than the employee’s line manager (eg security or human resources). In this way, such personal information that is picked up about employees can be sifted so that only the most relevant ever becomes known by those who work with the employee.
Terms of a computer and e-mail use policy
The terms of a specimen computer and e-mail use policy are shown below. If you would like an electronic copy of these terms, you can either get it from the SCL Web site (www.scl.org) or you can email me (jeremyh@clarkholt.com). The following comments about the policy may be of assistance.
1. The policy is relatively liberal – eg in clause 8 staff are allowed to send personal e-mails. There are two principal reasons for this:
(a) it is virtually impossible to stop staff doing this, and
(b) whatever rules are laid down this will largely be ignored by senior management thereby making it very difficult to justify a dismissal for breach before an employment tribunal (lawyers acting for employees are always quick to point out inconsistencies in this respect).
The employer’s best ally in this area is the other staff. If a member of staff is spending an excessive amount of time on the internet, in my experience, the employer is likely to hear about it from other staff very promptly.
2. The most important clause in the terms for the reasons stated above is clause 18, warning staff that monitoring could take place.
SPECIMEN COMPUTER AND E-MAIL USE POLICY
We do not wish to restrict in any way your use of our computer system – indeed we encourage it. However we regard the integrity of our computer system as key to the success of our business. To avoid misunderstanding and confusion all employees must abide by the following policies. Breaches of this policy will be taken seriously and could amount to gross misconduct. You should direct any queries about this policy to the HR Department.
1. Licensed Software
Only properly licensed software may be loaded onto our system. You are not allowed to use within the company any material that you either know, or suspect to be, in breach of copyright. In addition, you are not allowed to pass such material on to anyone else. It is important to bear in mind that breach of copyright for business purposes can be a criminal offence both by the company and by the individual concerned. No software may be loaded onto our system without first obtaining the express permission of the IT Department. Software includes business applications, shareware, entertainment software, games, screensavers, and demonstration software. If you are unsure whether a piece of software requires a licence, please contact the IT Department. The copying of software media and manuals is also prohibited.
2. Networks
You are not allowed to make any change to the connection or configuration of your PC. None of our PCs may be connected to a customer’s network without both permission from the IT Department and written permission from the customer concerned. In addition, none of our PC’ may be connected to a public network, e.g. internet, without permission from the IT Department.
3. Disks
You must not use disks from unknown sources or from home computers. All data disks must be virus checked before they may be used on our computer system.
4. Viruses
Generally, more damage to files is caused by inappropriate corrective action than by viruses themselves. If a virus is suspected you should do nothing more until instructed. The matter must be reported immediately to the IT Department. The most likely way that our computer system will be infected by a virus is by an external message. Any outside material must be properly virus checked before being loaded on to our computer system. Many viruses are now spread by email messages and use the address book of the recipient to pass it on to other people. Some of these viruses are activated when an attachment to the message is opened. Creators of these viruses frequently encourage the user to open the attachment simply by using a header such as “You must read this!” You should not open any attachment of this type and must generally be suspicious of any message that is received from an unknown source. In other words, only open mail when you know it is from a reliable source. If you receive email warnings about viruses please ignore the instructions they contain.
In the majority of cases they are hoaxes and the instructions, if followed, will damage our computer system.
5. Customer Procedures
If you use a customer’s computer system you must observe the customer’s rules relating to their computers. In the absence of any such rules our rules should be followed.
6. Access
You are only allowed access to those parts of our computer system which you need in order to carry out your normal duties.
7. Inappropriate Material
You must not view or download or pass on any pornographic material on our computer system or place obscene or offensive screensavers on your PC. In line with the normal rules that apply to you as an employee, you are not allowed to send racist, sexist, blasphemous, defamatory, obscene, indecent or abusive messages on our computer system, either internally or externally. Do be careful and think carefully before sending any questionable messages that could reflect badly on us as a company.
8. Use of the internet at work
The primary reason for our providing you with access to the internet and/or email is to assist you in your work for us. You are allowed to send personal emails in a similar way to the way that minor incidental personal telephone use is allowed. However, personal emails should be kept to a minimum and the company’s footer MUST NOT be shown on a personal email. Such activity should not be excessive and must not affect your ability to work properly for us during normal working hours. You are not allowed to go onto the internet for your own purposes during normal working hours. You are allowed to do so outside normal working hours (and during your lunch hour).
You are not allowed to send unsolicited emails or email messages to multiple recipients or use email for personal gain. You are also not allowed to use the company’s internet access and email system to sign up for online shopping or internet membership schemes or chatrooms.
9. Orders
You must not order anything on our behalf by email without proper authorisation. You should always bear in mind that an email from the company has the same legal effect as a letter from the company on the company’s notepaper. This underlines the importance of being careful with what you say in an email in case it is misunderstood.
All company emails must contain our standard footer which will be notified to you from time to time. As stated above, personal emails must not contain the company’s standard footer.
10. Confidentiality
Before sending any confidential information by email consider carefully whether appropriate steps have been taken to maintain such confidentiality. Email is not inherently a more secure medium of communication than traditional means, and can be easily copied, forwarded and stored.
11. Security
Do not give internal passwords to anyone outside the company. In addition, you must not give any customer-related security information to anyone other than the customer unless specifically authorised in writing by the customer in advance.
12. Records
Keep proper records of our dealings with outsiders. It is always possible that what appears to be a relatively trivial point could be of immense significance later.
It is not possible to foresee what will subsequently need to be checked so keep a complete record of all transactions.
13. Data Protection
If you have access to data about individuals you must bear in mind at all times the provisions of the Data Protection Act 1998. Guidance on these may be obtained from the HR Department.
14. Passwords
Use passwords at all times and change them at the intervals notified to you. Do not select obvious passwords. All passwords must be kept confidential.
15. Backups
Regular back-ups must be carried out in accordance with the rules laid down from time to time. Critical information should not be stored on the hard disk of your workstation in case it is lost.
16. Misuse
Misuse of computers is a serious disciplinary offence. The following are examples of misuse:
(a) fraud and theft
(b) system sabotage
(c) introduction of viruses and time bombs
(d) using unauthorised software
(e) obtaining unauthorised access
(f) using the system for unauthorised private work or game playing
(g) breaches of the Data Protection Act 1998
(h) sending abusive, rude or defamatory messages via email
(i) hacking or
(j) breach of the company’s security procedures or this policy.
This list is not exhaustive. Depending on the circumstances of each case, misuse of the computer system may be considered gross misconduct, punishable by dismissal without notice. Misuse amounting to criminal conduct may be reported by us to the Police.
17. Breaches
All breaches of computer security must be referred to the IT Department. If you suspect that a fellow employee (of whatever seniority) is abusing the computer system you may speak in confidence to the HR Department. You are responsible for any actions that are taken against us by a third party arising from restricted and/or offensive material being displayed on or sent by you through our computer system.
18. Monitoring
The company reserves the right to intercept and monitor your communications, including email, internet and telephone calls. This right to monitor may be exercised, for example, for the purpose of deciding whether communications are relevant to the business, for the purpose of preventing or detecting crime or to ensure the effective operation of the system.
In addition, the company reserves the right to monitor communications in order to determine the existence of facts, to detect unauthorised use of the system and to decide the standards which ought to be achieved by employees using the system.
19. Improvements
We welcome suggestions from you for the improvement of this policy. These should be directed to the HR Department.
Jeremy Holt is the head of the Computer Law Group at Clark Holt Commercial Solicitors in