How to Monitor Employee Web Browsing and Email Legally

ABSTRACT
The Internet and email are indispensable resources in today’s business world. However, they do carry risks, and many companies now recognise a need to monitor how their staff are using these tools. But what are the laws around this for employers, and how is such monitoring best implemented?
This white paper provides an overview of some of the issues around monitoring employee Web browsing and use of email.
INTRODUCTION
Please note that this white paper is for indicative purposes only and does not constitute legal advice. You
should seek legal advice before acting on any of the information contained in this white paper.
MONITORING: WHAT IS IT AND WHY DO IT?
With email and Web access now crucial for any business, how does an employer ensure that employees’ use
of these resources is in line with the organisation’s usage policy?
Employers will often want to introduce policies and procedures to monitor employees’ Internet and email use
to ensure that these activities comply with the organisation’s usage policy. For example, policies and monitoring procedures
could be implemented to check the amount and quality of work being done by employees.
The law does not provide a definition of monitoring. However, the Employment Practices Code provides this
definition:
“activities that set out to collect information about workers by keeping them under some form of observation,
normally with a view to checking their performance or conduct. This could be done either directly, indirectly,
perhaps by examining their work output, or by electronic means.”
Therefore, there is an array of activities which would constitute monitoring. Monitoring can be systematic,
whereby all employees or a specific group of employees are monitored as a matter of routine. It can also be
occasional, where an employer undertakes short term monitoring in response to a particular problem or
need.
There is a range of activities that could be classed as monitoring, e.g.:
• examining logs of Websites visited to check that individual workers are not viewing or downloading pornographic or other inappropriate content;
• randomly opening up individual workers’ emails or listening to their voicemails to look for evidence of malpractice;
• using automated filtering software to collect information about workers, for example to find out whether particular workers are sending or receiving inappropriate emails.
SO WHY MONITOR?
There are many benefits that employers can gain by monitoring employee Internet and email use.
Monitoring allows employers to ensure that employees are not wasting time at work by surfing Websites
unrelated to work, or sending and receiving excessive personal emails. Monitoring also provides a means to
detect misconduct.
An employee may also incur legal liability for the employer where use of the Internet and email is
inappropriate to the business. This could include viewing discriminatory or inappropriate material, sending
harassing emails or even misusing confidential information over the Internet or via email.
An employer will generally be liable for the acts of employees during the course of employment. This is
through the concept of vicarious liability, a legal principle that imputes liability on employers for wrongful
acts of their employees, if committed in the course of employment or even if sufficiently connected with
employment.
The scope of vicarious liability has been proven to be very wide, and potentially any act connected to
employment will attract liability for the employer. This could include actions on the Internet, sending or
receiving emails and using any IT infrastructure or services that you allow your employees to use for work
purposes, even when employees use them in an unauthorized way.
For more information on the legal risks associated with employee Web access and email use, visit
http://tinyurl.com/cfv9bpx.
Monitoring Internet traffic and email can also have network management benefits, as an organisation can
plan and manage its network capacity needs.
MONITORING AND THE LAW
There are four main pieces of legislation that employers need to be aware of and comply with before
introducing a monitoring policy.
These are:
• Regulation of Investigatory Powers Act 2000 (RIPA)
• Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
• The Data Protection Act 1998
• The Human Rights Act 1998
Regulation of Investigatory Powers Act 2000 (RIPA)
The Regulation of Investigatory Powers Act 2000 concerns the interception of communications sent and
received on both private and public telecommunications systems. This includes emails, telephone calls and
Internet use.
If a person intercepts a communication being sent or received on a private or public telecommunications
system, without the consent of sender and intended recipient, he is likely to be committing a criminal
offence. However, an employer can legally intercept communications without the consent of sender and
recipient if it is for a purpose set out in the Lawful Business Practice regulation.
Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP regulations)
The lawful purposes provided by the regulations allow employers to monitor and record communications
as long as they have made ‘all reasonable efforts to inform’ every person using the telecommunications
systems that communications will be monitored and it is for one or more of the specified purposes.
Specified purposes are:
1. to establish the existence of facts;
2. to ascertain compliance with applicable regulatory or self-regulatory practices or procedures;
3. to ascertain or demonstrate effective system operation technically and by users;
4. national security/crime prevention or detection;
5. confidential counselling/support services;
6. investigating or detecting unauthorised use of the system; or
7. monitoring communications for the purpose of determining whether they are communications relevant to the business.
These purposes allow most monitoring provided it is business related. Nevertheless, this does not legitimise
deliberate interception of personal communications. It does, however, permit the interception of personal
communications in the course of establishing whether a communication is business related. Consent
would be required if personal communications were to be intercepted for any other purpose.
Data Protection Act 1998
Information gathered and recorded in the course of monitoring employees is likely to be covered by
Data Protection legislation. The Data Protection Act (DPA) applies when it is possible to identify a living
person from data, either on its own or in connection with other data. The data protection rules apply to
computerised and physical copies of data.
Data protection controls how such information can be collected, handled and used. It gives the data subject
(the person whose data is collected, handled and used) rights such as access to the information and a right to
a remedy should something go wrong.
Personal Data must be:
1. processed fairly and lawfully;
2. processed for specified and compatible purposes;
3. adequate, relevant and not excessive;
4. accurate;
5. not kept for longer than necessary;
6. processed in accordance with certain rights;
7. kept secure; and
8. not transferred outside the EEA other than as authorised by the DPA.
At the heart of data protection principles is fairness, and this means being open about the nature, extent and
reasons for monitoring.
Human Rights Act 1998
Employers should be aware of the Human Rights Act, and in particular Article 8 of this act, which creates a
right to respect for private and family life. However, this right must be balanced against the rights of others and
the interests of public safety and crime prevention. Interference with Article 8 may also be permissible “in
accordance with the law”, as provided for in RIPA and the Lawful Business Practice regulations.
Nonetheless, in the workplace employees may have an expectation that their personal communications will
remain private. To overcome this, steps should be taken to inform all employees that communications, both
business and personal, will be monitored.
MONITORING LEGALLY: THE KEY STEPS
The legislation regarding monitoring can be somewhat complicated to understand, and it is often difficult
to ensure that monitoring is being done within the limits of the law. The Information Commissioner’s
Office (ICO) has drafted guidance for employers on complying with the laws and provides statements of
good practice for monitoring employees. The code can be found at http://tinyurl.com/anp38cq and it is
recommended that its guidance be followed.
The code highlights these three key points:
1. Monitoring is usually intrusive.
2. Workers legitimately expect to keep their personal lives private.
3. Workers are entitled to some privacy in the work environment.
The rest of this paper is dedicated to outlining the necessary steps that any employer wishing to monitor
employees should take. This is intended to be informative; however, employers should always acquaint
themselves fully with the relevant legislation and the employment practices code. Further advice may also be
sought from professional advisors.
Carry out an impact assessment
This is the means by which employers can judge whether a monitoring arrangement is a proportionate
response to the problem it seeks to address. Any adverse impact of monitoring on individuals must be
justified by the benefits to the employer and others. An impact assessment assists employers in identifying
and giving appropriate weight to the other factors they should take into account when considering whether
and how to monitor.
An impact assessment involves:
• identifying the purpose behind the monitoring;
• identifying any likely adverse impact and the degree of intrusiveness involved;
• considering alternatives to monitoring or alternative ways of carrying it out;
• taking into account the obligations that arise from monitoring;
• deciding whether monitoring is justified.
This need not be a lengthy or burdensome process, and it is acceptable for this to be a mental evaluation.
However, in the case of complaints from employees regarding monitoring, written documentation of the
impact assessment carried out can be useful.
Decide on your approach to monitoring
If the outcome of the impact assessment shows monitoring is justified, then the next step is to decide how
monitoring will take place. It is advised that a minimalist approach is taken; that is, never monitor more than
is needed to meet the aims of monitoring. For example, consider:
• Would it be sufficient for the purposes of monitoring to record email traffic as opposed to the actual content of emails?
• Could the monitoring be automated?
• Is it sufficient to record time spent online as opposed to content and sites visited?
• Could preventative monitoring, such as Web content filtering, be used to block access to certain websites?
Once a decision has been made about what and how to monitor, the employer should ensure that the monitoring complies with RIPA and the LBP
regulations. The code sets out ways that employers can ensure that they are following the law. One
of the key requirements of the legislation is notifying users that communications may be intercepted and
monitored.
Establish a communications policy
Simply telling employees that they will be monitored is not usually sufficient in terms of the requirements of
RIPA, the LBP regulations and the DPA. Therefore, this information should be set out in an “electronic communications policy”.
It should detail when information about employees will be obtained, how the information gathered will be
used and by whom. It should also outline the purpose for gathering information, e.g. to ensure that employees
are not sending or receiving excessive personal emails or surfing inappropriate Websites.
This policy should be communicated to all employees, and employees should be notified of any updates. It is
good practice to educate staff on the risks associated with Internet and email, along with periodic updates and
reminders about the policy. This allows employees to gain a deeper understanding about why monitoring is
important, and also what rights and obligations they have in terms of electronic communications within the
workplace.
The communications policy should:
• State that the company’s communications systems and facilities are to be used by employees for business purposes;
• State guidelines on the extent of personal use that employees are permitted to make, and state any conditions on this use (e.g. within employees’ breaks only);
• Highlight the company rules and procedure for using email and the Internet, particularly regarding activity which is illegal, offensive or in any way brings the company into disrepute, and make clear that breach of these rules is a breach of the communications policy;
• Make clear that the handling (downloading, uploading, storing or distribution) of offensive, discriminatory, obscene or copyrighted content on the company communication system is a breach of the communications policy;
• Cross-reference existing company policies such as equal opportunity or anti-discrimination policies and any existing disciplinary procedure.
It is important to set out in the policy what personal usage, if any, employees may make of communications
systems. However, employers should not expect that employees will never make personal
communications within the workplace; this is neither a practical nor a reasonable expectation.
It is vital that the usage set out in the policy is adhered to in practice and that there is consistent enforcement
of the policy. Employees will tend to ignore a written policy if in practice employers “turn a blind eye” at any
breach of policy.
There is an obligation to notify third parties that the organization’s communications are monitored. This can
be achieved by incorporating a notification into your terms of business, in an email disclaimer attached to
every outgoing email or on your organization’s website.
Link to disciplinary procedures
The electronic communications policy should be linked with disciplinary procedures. This will allow an
employer to take disciplinary action against employees flouting the communications policy, thereby making
the communications policy much more effective.
It is vital that, when disciplinary action is taken regarding breaches of the communications policy,
employees cannot claim ignorance of what the policy prohibits and what is judged to be acceptable use. Such a
claim can arise from a failure to properly circulate the policy to all employees; if this is the case, an organisation
may not be able to prove that all employees were aware of their rights and obligations under the policy, and it can
then be difficult to bring disciplinary action.
When promulgating the communications policy consider whether it would be appropriate to require
documented acceptance by employees. This could be achieved by requiring employees to sign a copy of the
policy.
CONCLUSION: KEY POINTS
• Always be open with employees about monitoring: the why, how and when.
• Acquaint yourself with RIPA, the LBP regulations and the Data Protection Act.
• Adopt and communicate an electronic communications policy.
• Apply the policy consistently.
ABOUT BLOXX
Headquartered in the UK with sales offices in Holland, the USA and Australia, Bloxx provides Web and email
filtering and security for medium and large organizations in both the business and public sectors. Bloxx has
achieved unrivalled sales growth year-on-year to become a leading Web filtering provider with an estimated
5 million+ users worldwide. Leading UK investment groups Archangel Investments Ltd and Braveheart
Investment Group Plc have invested in Bloxx. For more information, visit http://www.bloxx.com.
To find out more about the significant benefits Bloxx Content Filtering and security
products will provide for you and your organization, contact us on +44 (0)1506 426976,
email [email protected], or visit www.bloxx.com
Copyright © 2013 Bloxx Ltd. All rights reserved. No part of this document may be reproduced by any means nor translated to any electronic
medium without the written consent of Bloxx. Specifications are subject to change without notice. Information contained in this document is
believed to be accurate and reliable; however, Bloxx assumes no responsibility for its use.