How to Monitor Employee Web Browsing and Email Legally
ABSTRACT

The Internet and email are indispensable resources in today’s business world. However, they do carry risks, and many companies now recognise a need to monitor how their staff are using these tools. But what are the laws around this for employers, and how best to implement these kinds of practices? This white paper provides an overview of some of the issues around monitoring employee Web browsing and use of email.

INTRODUCTION

The Internet and email are indispensable resources in today’s business world. However, they do carry risks, and many companies now recognise a need to monitor how their staff are using these tools. But what are the laws around this for employers, and how best to implement these kinds of practices? This white paper provides an overview of some of the issues around monitoring employee Web browsing and use of email.

Please note that this white paper is for indicative purposes only and does not constitute legal advice. You should seek legal advice before acting on any of the information contained in this white paper.

MONITORING: WHAT IS IT AND WHY DO IT?

With email and Web access now crucial for any business, how does an employer ensure that employees’ use of these resources is in line with the organisation’s usage policy? Employers will often want to introduce policies and procedures to monitor employees’ Internet and email use to ensure that these activities comply with the organisation’s usage policy. For example, policies and monitoring procedures could be implemented to check the amount and quality of work being done by employees.

The law does not provide a definition of monitoring. However, the Employment Practices Code provides this definition: “activities that set out to collect information about workers by keeping them under some form of observation, normally with a view to checking their performance or conduct. This could be done either directly, indirectly, perhaps by examining their work output, or by electronic means.” Therefore, there is an array of activities which would constitute monitoring.

Monitoring can be systematic, whereby all employees or a specific group of employees are monitored as a matter of routine. It can also be occasional, where an employer undertakes short-term monitoring in response to a particular problem or need. There is a range of activities that could be classed as monitoring, e.g.:

• examining logs of Websites visited to check that individual workers are not viewing or downloading pornographic or other inappropriate content;
• randomly opening up individual workers’ emails or listening to their voicemails to look for evidence of malpractice;
• using automated filtering software to collect information about workers, for example to find out whether particular workers are sending or receiving inappropriate emails.

SO WHY MONITOR?

There are many benefits that employers can gain by monitoring employee Internet and email use. Monitoring allows employers to ensure that employees are not wasting time at work by surfing Websites unrelated to work, or sending and receiving excessive personal emails. Monitoring also provides a means to detect misconduct. An employee may also incur legal liability for the employer where use of the Internet and email is inappropriate to the business. This could include viewing discriminatory or inappropriate material, sending harassing emails or even misusing confidential information over the Internet or via email.

An employer will generally be liable for the acts of employees during the course of employment. This is through the concept of vicarious liability, a legal principle that imputes liability to employers for wrongful acts of their employees if committed in the course of employment, or even if sufficiently connected with employment. The scope of vicarious liability has proved to be very wide, and potentially any act connected to employment will attract liability for the employer. This could include actions on the Internet, sending or receiving emails and using any IT infrastructure or services that you allow your employees to use for work purposes, even when employees use them in an unauthorized way. For more information on the legal risks associated with employee Web access and email use, visit http://tinyurl.com/cfv9bpx.

Monitoring Internet traffic and email can also have network management benefits, as an organization can plan and manage its network capacity needs.

MONITORING AND THE LAW

There are four main pieces of legislation that employers need to be aware of and comply with before introducing a monitoring policy. These are:

• Regulation of Investigatory Powers Act 2000 (RIPA)
• Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
• The Data Protection Act 1998
• The Human Rights Act 1998

Regulation of Investigatory Powers Act 2000 (RIPA)

The Regulation of Investigatory Powers Act 2000 concerns the interception of communications sent and received on both private and public telecommunications systems. This includes emails, telephone calls and Internet use. If a person intercepts a communication being sent or received on a private or public telecommunications system, without the consent of sender and intended recipient, he is likely to be committing a criminal offence. However, an employer can legally intercept communications without the consent of sender and recipient if it is for a purpose set out in the Lawful Business Practice Regulations.

Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP regulations)

The lawful purposes provided by the regulations allow employers to monitor and record communications as long as they have made ‘all reasonable efforts to inform’ every person using the telecommunications systems that communications will be monitored and it is for one or more of the specified purposes. Specified purposes are:

1. to establish the existence of facts;
2. to ascertain compliance with applicable regulatory or self-regulatory practices or procedures;
3. to ascertain or demonstrate effective system operation technically and by users;
4. national security/crime prevention or detection;
5. confidential counselling/support services;
6. investigating or detecting unauthorised use of the system; or
7. monitoring communications for the purpose of determining whether they are communications relevant to the business.

These purposes allow most monitoring provided it is business related. Nevertheless, this does not legitimise deliberate interception of personal communications. It does, however, permit the interception of personal communications in the course of establishing whether a communication is business-related. Consent would be required if personal communications were to be intercepted for any other purpose.

Data Protection Act 1998

Information gathered and recorded in the course of monitoring employees is likely to be covered by data protection legislation. The Data Protection Act (DPA) applies when it is possible to identify a living person from data, either on its own or in connection with other data. The data protection rules apply to computerised and physical copies of data. Data protection controls how such information can be collected, handled and used. It gives the data subject (the person whose data is collected, handled and used) rights such as access to the information and a right to a remedy should something go wrong. Personal data must be:

1. processed fairly and lawfully;
2. processed for specified and compatible purposes;
3. adequate, relevant and not excessive;
4. accurate;
5. not kept for longer than necessary;
6. processed in accordance with certain rights;
7. kept secure; and
8. not transferred outside the EEA other than as authorised by the DPA.

At the heart of the data protection principles is fairness, and this means being open about the nature, extent and reasons for monitoring.

Human Rights Act 1998

Employers should be aware of the Human Rights Act, and in particular Article 8 of this Act, which creates a right to respect for private and family life. However, this right must be balanced against the rights of others and the interests of public safety and crime prevention. Interference with Article 8 may also be permissible “in accordance with the law”, as found in RIPA and the Lawful Business Practice regulations. Even so, employees in the workplace may have an expectation that their personal communications will remain private. To overcome this, steps should be taken to inform all employees that communications, both business and personal, will be monitored.

MONITORING LEGALLY: THE KEY STEPS

The legislation regarding monitoring can be somewhat complicated to understand, and it is often difficult to ensure that monitoring is being done within the limits of the law. The Information Commissioner’s Office (ICO) has drafted guidance for employers on complying with the laws and provides statements of good practice for monitoring employees. The code can be found at http://tinyurl.com/anp38cq and it is recommended that its guidance be followed. The code highlights these three key points:

1. Monitoring is usually intrusive.
2. Workers legitimately expect to keep their personal lives private.
3. Workers are entitled to some privacy in the work environment.

The rest of this paper is dedicated to outlining the necessary steps that any employer wishing to monitor employees should take. This is intended to be informative; however, employers should always acquaint themselves fully with the relevant legislation and the Employment Practices Code. Further advice may also be sought from professional advisors.

Carry out an impact assessment

This is the means by which employers can judge whether a monitoring arrangement is a proportionate response to the problem it seeks to address. Any adverse impact of monitoring on individuals must be justified by the benefits to the employer and others. An impact assessment assists employers in identifying and giving appropriate weight to the other factors they should take into account when considering whether and how to monitor. An impact assessment involves:

• identifying the purpose behind the monitoring;
• identifying any likely adverse impact and the degree of intrusiveness involved;
• considering alternatives to monitoring or alternative ways of carrying it out;
• taking into account the obligations that arise from monitoring;
• deciding whether monitoring is justified.

This need not be a lengthy or burdensome process, and it is acceptable for this to be a mental evaluation. However, in the case of complaints from employees regarding monitoring, written documentation of the impact assessment carried out can be useful.

Decide on your approach to monitoring

If the outcome of the impact assessment shows monitoring is justified, then the next step is to decide how monitoring will take place. It is advised that a minimalist approach is taken; that is, never monitor more than is needed to meet the aims of monitoring. For example, consider:

• Would it be sufficient for the purposes of monitoring to record email traffic as opposed to the actual content of emails?
• Could the monitoring be automated?
• Is it sufficient to record time spent online as opposed to content and sites visited?
• Could preventative monitoring, such as Web content filtering, be used to block access to certain websites?

Once a decision has been made about what and how to monitor, it should be ensured that RIPA and the LBP regulations have been complied with. The code sets out ways that employers can ensure that they are following the law. One of the key requirements of the legislation is notifying users that communications may be intercepted and monitored.

Establish a communications policy

Simply telling employees that they will be monitored is not usually sufficient in terms of the requirements of RIPA, the LBP regulations and the DPA. Therefore, this information should be set out in an “electronic communications policy”. It should detail when information about employees will be obtained, how the information gathered will be used and by whom. It should also outline the purpose for gathering information, for example to ensure that employees are not sending or receiving excessive personal emails or surfing inappropriate Websites. This policy should be communicated to all employees, and employees should be notified of any updates. It is good practice to educate staff on the risks associated with Internet and email, along with periodic updates and reminders about the policy. This allows employees to gain a deeper understanding of why monitoring is important, and also of what rights and obligations they have in terms of electronic communications within the workplace. The communications policy should:

• state that the company’s communications systems and facilities are to be used by employees for business purposes;
• state guidelines on the extent of personal use that employees are permitted to make, and any conditions on this use (e.g. within employees’ breaks only);
• highlight the company rules and procedures for using email and the Internet, particularly regarding activity which is illegal, offensive or in any way brings the company into disrepute, and make clear that a breach of these rules is a breach of the communications policy;
• make clear that the handling (downloading, uploading, storing or distributing) of offensive, discriminatory, obscene or copyrighted content on the company communications system is a breach of the communications policy;
• cross-reference existing company policies such as equal opportunity or anti-discrimination policies and any existing disciplinary procedure.

It is important to set out in the policy what personal usage, if any, employees may make of communications systems. However, employers should probably not expect that employees will never make personal communications within the workplace; this is neither a practical nor a reasonable expectation. It is vital that the usage set out in the policy is adhered to in practice and that there is consistent enforcement of the policy. Employees will tend to ignore a written policy if in practice employers “turn a blind eye” to any breach of policy.

There is an obligation to notify third parties that the organization’s communications are monitored. This can be achieved by incorporating a notification into your terms of business, in an email disclaimer attached to every outgoing email or on your organization’s website.

Link to disciplinary procedures

The electronic communications policy should be linked with disciplinary procedures. This will allow an employer to take disciplinary action against employees flouting the communications policy, thereby making the communications policy much more effective. It is vital that, when disciplinary action is taken regarding breaches of the communications policy, employees cannot claim ignorance of what the policy prohibits and what is judged to be acceptable use. Such claims can arise from a failure to circulate the policy properly to all employees, in which case an organization may not be able to prove that all employees were aware of their rights and obligations under the policy. It can then be difficult to bring disciplinary action. When promulgating the communications policy, consider whether it would be appropriate to require documented acceptance by employees. This could be achieved by requiring employees to sign a copy of the policy.

CONCLUSION: KEY POINTS

• Always be open with employees about monitoring: the why, how and when.
• Acquaint yourself with RIPA, the LBP regulations and the Data Protection Act.
• Adopt and communicate an electronic communications policy.
• Apply the policy consistently.

ABOUT BLOXX

Headquartered in the UK with sales offices in Holland, the USA and Australia, Bloxx provides Web and email filtering and security for medium and large organizations in both the business and public sectors. Bloxx has achieved unrivalled sales growth year-on-year to become a leading Web filtering provider with an estimated 5 million+ users worldwide. Leading UK investment groups Archangel Investments Ltd and Braveheart Investment Group Plc have invested in Bloxx. For more information, visit http://www.bloxx.com. To find out more about the significant benefits Bloxx Content Filtering and security products will provide for you and your organization, contact us on +44 (0)1506 426976 or visit www.bloxx.com.

Copyright © 2013 Bloxx Ltd. All rights reserved. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Bloxx. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable; however, Bloxx assumes no responsibility for its use.