Annie Hayes

Sift

Editor

Feature: Implementing an email policy

The use and abuse of email by employees is a concern for all responsible HR departments – for legal, moral and commercial reasons. Geoff Webster, CEO at FAST Corporate services, looks at the legislation affecting monitoring and how to implement an email usage policy.


The extent to which emails should be monitored is difficult for a business to establish, and businesses usually take one of two approaches, neither of which may have the desired outcome. The heavy-handed 'big brother is watching you' tactic is likely to put staff on the defensive, and could alienate you from even the most law-abiding staff; but burying your head in the sand could put the business at risk in the long run.

So what can you do? Few directors would go as far as John Caudwell, owner of retail outlet Phones4U, who completely banned email, but there is a case for limiting its use and monitoring it for any potentially damaging consequences. How do the various pieces of legislation affect what you may and may not look at, and how far do you go before your employees start quoting George Orwell?

Legislation
HR professionals are familiar with an increasing multitude of legislation, regulations and rules governing the conduct of business and data. Many could be forgiven for choosing to bury their heads in the sand when it comes to monitoring rules, but it is worth bearing in mind that ignorance is no defence in a court of law.

It’s important to fully understand new laws and be aware of updates to existing ones, then to create policies and procedures for employees to ensure that they also understand the boundaries and the consequences of non-compliance.

By definition, monitoring email traffic means that communications must be intercepted, and as such, there are certain rules that must be adhered to.

Despite the general understanding that interception without consent is against the law, the Regulation of Investigatory Powers Act, and the Lawful Business Practice Regulations made under it, set out certain circumstances when interception may take place without the consent of the sender and recipient.

These rules deal purely with the issue of interception, but it should also be borne in mind that the Data Protection Act and Human Rights Act deal with more general information processing issues, and must also be satisfied.

The Human Rights Act (1998)
There are two main points to be aware of, which are set out under Section 8:

• staff have the right to respect for their private and family life, home and correspondence
• businesses have permission to interfere with this right to privacy only in the interests of national security or the prevention of disorder or crime

The Data Protection Act (1998)
This came into force in 2000 and is in place to protect personal data (defined as 'that which identifies one individual from another'). Email monitoring must comply with the following seven principles:

• Personal data should be obtained only for specified times and lawful purposes and should not be processed in any manner incompatible with that purpose
• Personal data should be adequate, relevant and not excessive
• Personal data should be accurate and where necessary kept up-to-date
• Personal data should not be kept for longer than is necessary for the purpose for which it was obtained
• Personal data should be processed in accordance with the rights of the data subjects under the Data Protection Act
• Personal data should be held using appropriate technical and organisational measures
• Personal data should not be transferred to a country or territory outside of the European Economic Area unless that country ensures an adequate level of protection for personal data

The Regulation of Investigatory Powers Act (2000)
The apparently contradictory advice given by the Human Rights Act and Data Protection Act is clarified to some extent by the Regulation of Investigatory Powers Act.

This states that the interception of communications in the course of transmission without consent is prohibited except in specific limited circumstances such as covert surveillance and national security.

Lawful Business Practice Regulations (2000)
These regulations clarify matters to an even greater extent by setting out exactly when interception can take place without consent:

• To establish the existence of facts relevant to the business
• To establish compliance with practices relevant to the business
• To set standards which should be achieved by persons using the business’ telecoms systems
• To prevent or detect crime
• To investigate or detect the unauthorised use of the telecoms system
• To monitor communications to determine whether or not communications being undertaken are relevant to the business

Implementing a monitoring policy
The reaction of staff to the introduction of an email monitoring policy will be a worry to all businesses. It is not easy to draw a line between personal and work-based communication, as monitoring emails between staff and their trade unions, for example, may give rise to problems.

Employees may feel that monitoring is an intrusion into their personal life, and it may undermine the confidence and mutual respect between employer and employee.

Before laying down the law, it is therefore important to identify the business case for monitoring and assess the benefits that it is likely to bring.

Policies and procedures
It is vital that staff have a good understanding of the reasons why the business must implement an email monitoring strategy from the outset. Firstly, the business must identify which of its rules and standards are enforced partly or wholly through monitoring, such as a ban on sending and receiving pornographic material.

Secondly, ensure that policies and procedures include what staff may and may not do when using electronic communication tools. These policies should be backed up with disciplinary processes to ensure that staff understand the seriousness of the issue.

Policies and procedures should be written down and issued to staff for signature to ensure that workers are aware of the nature and extent of any monitoring.

They should also be reminded of their existence via the company intranet, handbook or noticeboard and be informed when any significant changes are introduced to the monitoring policies.

Managing information
How information collected through email monitoring is dealt with should also be carefully planned. If sensitive data (which includes matters involving health, racial origin, trade union activity or sex life) is collected, then the Data Protection Act must be satisfied.

It is also important to establish who is allowed access to personal information. The best approach is to give access only to those people who are necessarily involved, and it may be appropriate to grant access to security personnel rather than line managers, who have more of a personal involvement with staff.

When this has been arranged, guidelines and training on how to handle and manage this information, according to the appropriate laws, must be carried out.

It is important to use personal information collected only for the purpose for which monitoring was introduced. If the information reveals something else that the business cannot ignore, then it must be handled carefully, with authorisation from senior management.

If the information gathered reflects negatively on employees, then the business must give them a chance to explain their conduct and give them time to make representations if they choose, before taking action. It is also important to bear in mind that information gathered can easily be misinterpreted and even deliberately falsified. Therefore, the process must be managed with sensitivity and privacy, and judgements should not be made lightly.

Common sense should prevail
The key to introducing policies to staff is reasonableness. If you suddenly ban personal emails and say that all work-related correspondence will be checked in the manner of ‘big brother’, then you are bound to end up with a mutiny on your hands. Equally, choosing to bury your head in the sand might leave the organisation open to litigation, police investigations and negative publicity.

Apart from the time it would take to read every single email coming into and going out of the business, this approach is not consistent with other communications policies. Most companies do not read every letter or listen to every phone call.

The rules don’t have to be rigid – many companies permit company email accounts to be used for personal reasons, provided it doesn’t impact on employees’ ability to do their jobs. A tolerant and common-sense approach, and a good explanation of the business case for monitoring, should not give you any problems.

Top tips for email monitoring:

• Ban the receipt and sending of pornographic, obscene and offensive material
• If necessary, monitor absent employees’ inboxes
• Frankly inform employees of the monitoring policy
• Ensure that all employees sign off all written policy documents
• Do not open email which is clearly identified as personal
• Advise staff to delete personal emails
• Restrict/regulate the storage of email
• Act on personal data received only if it shows gross misconduct
• Give employees the opportunity to explain their conduct
• Do not go over the top
