What steps do employers need to take to ensure that monitoring of e-mails is done in accordance with employment legislation? Lucy McLynn, a solicitor in the Employment Department at Bates, Wells and Braithwaite, looks at the legal framework and offers practical advice to help employers avoid the potential liabilities that may arise from employees’ inappropriate use of e-mail.
There is something about the informality of e-mail that seems to prompt employees to use it in ways that they would not dream of using any other medium of communication. The tabloid newspapers regularly report cases of sexual exploits broadcast by e-mail, discriminatory e-mail comments being discovered by their subject, or pornographic material being circulated by e-mail around the office.
Short of banning employees from using e-mail entirely, which is impractical in most modern workplaces, what can an employer do to prevent the potential liabilities that may arise from its employees’ inappropriate use of e-mail?
Many employers seem to think that it is acceptable to scrutinise all e-mails sent by their employees on the work system, on the basis that the system belongs to the employer and therefore the employee can have no expectation of privacy. However, this is a misguided and unlawful position.
Under the Regulation of Investigatory Powers Act 2000, any interception of electronic communications (which includes e-mails) is unlawful unless both the sender and receiver of the communication have consented, or the interceptor has reasonable grounds for believing that this is the case. This is unlikely to be the case with employees’ external e-mails, as the other parties to those e-mails will not usually have consented to e-mails addressed to or sent from them being monitored.
The employer will therefore need to rely on the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, which permit interception of telecommunications without consent for a number of specified purposes, including investigating “the unauthorised use of the system”.
It is, therefore, very important that employers have communicated to their employees what use of the computer system is/is not authorised within the workplace. Also, it is a requirement of the Regulations that the interceptor must have made “all reasonable efforts” to notify the internal users about the interceptions which may be made.
Data protection implications
Employers also need to bear in mind their duties under the Data Protection Act 1998, which requires explicit consent for processing sensitive personal data (e.g. data about someone’s sexual life, religion, trade union membership, disability).
Most employers will have ensured that they have written consent from employees to process such data in any event, as processing of this kind of data is usually necessary within the employment relationship. The difficulty, again, is with third parties, who may send incoming e-mails to an employee which the employer wishes to monitor, but which contain sensitive personal data about the third party.
Employers should avoid processing such data unless it can be said that it is necessary for the employer to do so to “exercise a right in connection with employment” (e.g. investigating a potential disciplinary matter), where consent would not be necessary.
Right to privacy
Finally, employers should take into account the Human Rights Act 1998, which does provide a “right to privacy”.
Although the Human Rights Act only directly affects employees within the public sector, it will be taken into account by an employment tribunal (itself a public body) in deciding, for example, how reasonable it was for an employer to dismiss an employee on the basis of personal e-mails which he or she has sent in the belief that they would not be read by the employer. It is therefore very important for this right to be expressly counteracted by employers informing employees that they should have no expectation of privacy when using computers within the workplace.
So what steps does an employer need to take to ensure that monitoring of e-mails is done in accordance with all of this legislation?
1. Implement an e-mail policy which clearly sets out what use of the system is and is not authorised. This should deal with the permissible level of personal use, as well as outlawing discriminatory and obscene materials.
2. Set out the circumstances in which e-mail monitoring may take place, and make it clear that employees should not have an expectation of privacy.
3. Ensure that the policy is read by all employees – preferably either with a hard copy being signed by them, or by use of an “I accept” button on the computer system.
4. If some personal use is going to be permitted on the work computer system, require employees to identify personal e-mail as such in the subject line.
5. Avoid blanket monitoring of e-mail content and target monitoring at areas where there is reasonably perceived to be a risk of unauthorised use.
6. In the first place, monitor e-mail traffic rather than e-mail content, as this in itself may be sufficient to identify problems (e.g. if an employee whose job ought not to require more than the occasional use of e-mail sends an excessive number of e-mails).
7. If monitoring traffic does not provide adequate information about employee e-mail use, scrutinise the subject bar rather than the content. This should, in many cases, remove the need actually to read the content of the e-mail. If a policy of personal e-mail being identified as “personal” in the subject line is adopted:
(i) if there is compliance with the policy then the employer should be able to identify when there has been excessive use of personal e-mail without reading e-mail content, or
(ii) if there is not compliance, but e-mails are clearly personal from the subject line, then there would, in any event, be a breach of the e-mail policy.
8. Bear in mind that e-mails which can clearly be identified as "private" from the subject line should not be opened, even if there is a complete ban on sending personal e-mails. The employee would clearly be in breach of the policy, without the need to read the content of the e-mail.
9. If none of the above steps have identified the suspected abuse of the e-mail system, undertake an “impact assessment” (the description by the Information Commissioner in the Code of Practice on Employee Monitoring) before monitoring the content of an e-mail. This involves weighing up the need to undertake the monitoring against the intrusion on the employee’s privacy. Ensure that the necessity for reading the e-mail’s content can be clearly established.
10. Remember that it will be necessary to follow disciplinary procedures in the usual way before taking any action against an employee who has been abusing the e-mail facility. Ensure that the e-mail policy (and disciplinary procedure) spell out the fact that a breach of the policy will result in disciplinary action.
11. Do not assume that a breach of the e-mail policy will amount to gross misconduct. Assess every case on its own merits and, as always, keep in mind the need for comparable treatment between employees who have committed similar misdemeanours.
Hopefully, following these guidelines will help your company to ensure that e-mail is used and monitored lawfully, and you will not become the next e-mail disaster story to fill the pages of the tabloids!