Organisations need a clear policy on the use of the internet and mobile phones by employees at work. The employees then need to be informed of the policy and that they are being monitored, writes Eamon McGrane
You've been hard at work for most of the day when suddenly you have an idle few minutes.
Time to put in some aimless web surfing? Or maybe phone a friend or send an e-mail.
Whatever way you choose to kill time do you know your actions could be monitored? And you could be breaking or breaching company policy by doing so.
For an employer, the most important thing in these circumstances is to come up with an acceptable usage policy of company resources such as internet, e-mail and telephone (including mobile phones).
The employee then needs to be informed of the policy and the fact that they are being monitored.
Failure to do either of these things can land the employer in a legal quagmire should they attempt to take action against an employee for abusing those resources.
Mike Harris director of technology and security risk services, Ernst & Young says HR departments in the workplace need to consider what is acceptable usage when writing and implementing a policy around this.
"Most organisations will allow personal time on the internet and e-mail but it has to be limited, so the question is then how does somebody know what constitutes acceptable usage and what are the organisation's rights and the employees' rights around the monitoring part of things? What does acceptable usage mean to the organisation and to the employee? What expectations can they have?"
The Data Protection Commissioner has guidelines around these concepts although there is nothing concrete in the Data Protection Act about monitoring.
"What they (the data commissioner) would say is you should outline what monitoring or surveillance the organisation is carrying out.
"Who's responsible for monitoring - is it HR or the IT department? You need to explain to people what you're doing: are you monitoring all e-mail, are you searching for keywords in the e-mail and so on.
"And where will the surveillance take place? All the time or periodically? Employees need to know this and have it explained to them," says Harris.
According to Harris proportionality is also important in this area. In other words the amount of monitoring a company does has to be proportional to the risk involved. For example in a call centre - what the employees say on the phone is very important and so it's essential the calls are monitored.
Similarly, it's imperative for many companies to monitor e-mails for viruses and information leaking out because there's a bigger risk to the organisation in those circumstances.
Mobile phone surveillance hit the headlines recently during the Joe O'Reilly trial. Companies would usually monitor employees in this way to ascertain where they are so it would be useful for example for an organisation with a lot of sales people on the road.
Again it must be spelled out to the employee that their mobile phone will be monitored. Typically the company would text the phone to tell them that they were doing it.
Harris says there are two ways of tracking a phone. One is where you make a call or receive a text. The phone company will have a record of the base station closest too you.
The other way is by triangulation. Some phones are constantly talking to the network so the phone company can use triangulation and have a record of the location of the mobile phone.
"The bottom line for any kind of monitoring is consent and employee knowledge that it is going on - that's the main thing.
"An organisation will get in trouble if they don't have a clear policy and guidance," says Harris.
