E-mail policy - monitoring employee communications
Introduction
The most important law is contained in the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (TICR). If you think this is hardly hot news, think again! Only as the courts have interpreted a sensitive new area like this does the "real law" emerge. Furthermore, the Data Protection Registrar has just published "The Employment practices data protection code: part 3: monitoring at work". Here is a resume of the current law and our advice.
The law applies to all communications but we are concerned here only with e-mail because that is what causes employers such distress.
Current law
The TICR may authorise an interception of e-mail. If e-mail is intercepted, then monitoring is covered by the RIPA. Any sort of monitoring constitutes processing of personal data under the Data Protection Act (DPA). Your contracts of employment should include provision for irrevocable consent by your employees to process their personal data.
Interpretation of the Regulations / Code
The new Code is intended to help you to comply with the Data Protection Act and to encourage you to adopt good practice. The code is not law, but if you comply with the Code, you can be reasonably sure that you are complying with the law. In any question of compliance with the law, the Code will be taken as the model procedure. We therefore recommend that you read it and comply.
The Code aims to strike a balance between the legitimate expectations of workers that personal information about them will be handled properly and the legitimate interests of employers in deciding how best, within the law, to run their own businesses. It covers such issues as the obtaining of information about workers, the retention of records, access to records and disclosure of them. Not every aspect of the Code will be relevant to every organisation - this will vary according to size and the nature of its business. Some of the issues addressed may arise only rarely - particularly for small businesses.
Areas covered by the Code pertinent to Internet usage and email communications include:
- Randomly opening up individual workers' e-mails or listening to their voice-mails to look for evidence of malpractice;
- Using automated checking software to collect information about workers, for example to find out whether particular workers are sending or receiving inappropriate e-mails;
- Examining logs of websites visited to check that individual workers are not downloading pornography;
- Keeping recordings of telephone calls made to or from a call centre, either to listen to as part of workers' training, or simply to have a record to refer to in the event of a customer complaint about a worker;
- Systematically checking logs of telephone numbers called to detect use of premium-rate lines;
- Videoing workers outside the workplace, to collect evidence that they are not in fact sick;
- Obtaining information through credit reference agencies to check that workers are not in financial difficulties.
Outside the Code.
How to monitor an employee appropriately
The recommended approach is that the employer should make an impact assessment, which will result in a document setting out the scope and effects of the monitoring carried out. The assessment will reveal how far the actual monitoring is necessary and what safeguards, warnings to staff and records might be appropriate.
The only practical way to ensure compliance is to appoint a suitable person to the role of monitoring officer with responsibility for both compliance with the code and employee understanding of the monitoring being undertaken.
The bottom line is that monitoring must be reasonably necessary, and wherever possible, transparent.
The difficulty with email monitoring is that most employees receive private messages to their business mailbox. The business is entitled without question to access communications sent and received in the course of business. It may not be entitled to intercept, read or copy messages which are not business-related, even if sent to a business mailbox.
This puts the business managers in a difficult situation. It may be virtually impossible to monitor business messages without inadvertently monitoring private messages.
Furthermore, since the mailboxes of most of us are half full each day of spam proposals we will not discuss here, it may well be quite impractical to set out a policy which provides the complete privacy for employee messages which the Code apparently requires.
Our advice is briefly:
- Read the Code and ignore areas that do not apply to your particular organisation;
- Make notes of where you can and where you cannot apply the Code;
- Put the same person in charge of compliance as deals with undertaking the monitoring;
- Formulate an assessment, and keep it in hard copy; diarise to update it in 12 months' time;
- So far as possible, without prejudice to the business, publicise the code to your staff;
- If you say you collect information for one purpose, do not use it for another;
- It is better to have a generous system, harshly policed, than a harsh system that is badly enforced;
- If you really want to be brutal, we do not see why you should permit staff to send or receive any message of any description from work without express permission in each instance! Whether your staff will wear that is a question for you!
Remember, the Code is not intended to prevent you from monitoring, but to suggest how you should do so while respecting the rights of individual employees.
An article like this can never be up to date for long; so if you have a question, do contact us.
We have recently updated the Net Lawman document: EMP104 Computer use, email, Internet and communications policy. It is an affordable price for some essential insurance.