Guy Hollebon of solicitors Bevans takes a look at how the number of employment tribunal claims regarding the issue of email and internet misuse are increasing.
Email and Internet misuse is becoming increasingly widespread and employment tribunal claims surrounding the issue are increasing. In this article we look at how employers can minimise the risk of a claim being brought and whether they can monitor email and internet use.
The first lines of defence for any employer are the written policies and procedures which are usually contained in a staff handbook or on an intranet. It is imperative that there is a clear policy on email and internet use. This should cover matters such as the levels of email and internet use that are acceptable – in most organisations there will not be an absolute ban on using the email and internet for private purposes.
The policy should also specify any restrictions on the type of material that is accessed or sent. The policy should be specific and should give examples of the sort of material that will be viewed as offensive. This will ensure that staff understand what they can and cannot view and send and will cut down on arguments over whether something is “offensive”.
The policy should also make it plain what the consequences of breaching the policy will be. This is vital if disciplinary action is being taken against a member of staff for accessing or sending inappropriate material, as any dismissal will need to be justified and fairly conducted. While it is not normally appropriate to dismiss for a first offence a statement in the policy that the penalty for non-compliance will be dismissal will help to justify the decision as being a fair one.
As well as having a policy on email and internet use the organisation should ensure that its equal opportunity and diversity policies refer to the possibility of discriminatory conduct being evidenced through viewing inappropriate internet sites and sending offensive emails. Consideration should be given to training staff on equality issues and highlighting common problem areas such as sending sexist or racist emails. In addition the disciplinary policy may, if appropriate, specify that gross misconduct includes viewing offensive material on the internet and sending offensive emails.
So is this enough for an employer to avoid any problems? By having proper policies and procedures in place the employer should have done enough to provide a safe place of work and to avoid vicarious liability. It is also important that the employer does actually follow its policies. It is not enough to have the paper protection if, in reality, the policies are never followed and sending and viewing inappropriate material is commonplace.
However, by having a policy it does not necessarily prevent the conduct occurring. Often, employers are concerned that staff are spending too much time using the email or internet for personal use and need to check whether this is the case. Employers may also want to take more pro-active steps to ensure that offensive material is not being sent or viewed. Many employers will want to monitor employees’ use of email and internet and this raises difficult questions of privacy.
The Data Protection Act affects how and when employers may monitor staff use of the email and internet. The Information Commissioner has issued a Code of Practice dealing with data protection and employment issues. Part 3 of the Code deals with Monitoring at Work. The Code is not a definitive statement of the law but rather is guidance to employers to help them comply with the Act itself. Many commentators have argued that the Code goes further than the Act requires and creates extra obligations for employers which make it almost impossible to run a business commercially and effectively. To some extent this is correct as the Code does contain many suggestions which may not be easy for an organisation to comply with quickly and cost effectively. We shall now examine the Code in more detail and look at ways that an organisation can comply without too much additional cost and time.
The Data Protection Act itself does not outlaw monitoring but it does require that the impact of the monitoring on staff is justified by the benefits to the employer. Therefore, whether an employer can monitor staff use of the email and internet will mean undertaking a balancing exercise to check that the benefits outweigh the intrusion into the workers’ private lives. The Code recommends carrying out an “Impact Assessment” to determine if and how to carry out monitoring. This involves identifying the purpose for the monitoring and any likely adverse impacts of it. The organisation should then consider alternatives to monitoring and finally conclude whether monitoring is justified.
It should not take too long to carry out an Impact Assessment and by doing so it will ensure that the organisation has addressed important considerations such as whether all staff need to be monitored or only certain high risk groups and will also ensure that any monitoring will be aimed at reducing specific risks rather than being too onerous and intrusive into employees private lives. The Code says that the Impact Assessment does not need to be in writing although the author of this article considers that this is important as it serves as irrefutable evidence that such an Impact Assessment was carried out and will help an organisation show that it was acting reasonably in carrying out monitoring.
If monitoring is to be undertaken staff should be told about the nature and purpose of email and internet monitoring. This should be in the organisation’s email and internet use policy. The Code of practice suggests that monitoring of electronic communications should be confined to address/ subject headings unless there is a valid and defined reason which makes it essential for the entire email needs to be monitored.
Whether an organisation needs to undertake monitoring at all will depend on the specific risks that the organisation faces. If monitoring is required then it must be done in a way that is proportionate to the risks it is aimed at eliminating. One final point is that there may be situations where the commercial reality of the situation means that swift and decisive action is required. For example, if an organisation suspects the Financial Director is selling confidential information to a competitor, an organisation will almost certainly be justified in looking at entire emails even if this has not been specified in a policy.
In these cases, if the employee brings a claim of unfair dismissal and tries to argue that information which was obtained unlawfully cannot be used to justify the dismissal, the Employment Tribunal will look at whether the evidence obtained in breach of the Data Protection Act and the Code is relevant and if it is that will outweigh any arguments about breach of privacy.
By way of a conclusion, employers should ensure that they have appropriate policies and procedures in place dealing with email and internet use/misuse and these policies should be followed. An employer should consider carefully whether monitoring of email and internet use is required before undertaking such monitoring.