We are seeing more and more incidents of disciplinary action being taken against employees over alleged misuse of the office e-mail, Internet or telephone system, resulting frequently in unwelcome publicity. Most recently, it was reported that 24 employees of a Shannon company had been suspended while an investigation was being carried out, according to a company representative, into "allegations of abuse of its e-mail and Internet systems".
Over the past year there has been a growing list of such reports from the UK. Seventy-seven staff at the Royal & Sun Alliance Offices in Liverpool were suspended for distributing sexually explicit cartoons of Bart Simpson, Kermit the Frog and Fozzy Bear; six staff in the Cable & Wireless Birmingham office were dismissed for distributing "obscene" e-mails; and 14 staff at the Bristol Rolls-Royce company were dismissed for sending e-mails containing "inappropriate material".
Other cases are also instructive. In Cheshire an employee lost her industrial tribunal unfair dismissal hearing against her employer which had dismissed her for using her office PC to make around 150 personal searches on the Internet.
And, of course, there is the almost legendary exchange of e-mail between Claire Swire and her lawyer boyfriend, Bradley Chait, from one of London's biggest law firms, discussing their sex life, which hit the Internet and went global in a matter of minutes and was front page news the next day.
Incidents like these underline the importance for employers to put in place and implement official office policies on voicemail, email and Internet usage. At a minimum, such a policy should make it clear that the voicemail, email and Internet systems are owned by the company, and that accordingly, all information, data and messages which are issued and transmitted using the equipment are also its property.
The policy should make it clear that the equipment may only be used for business purposes, and by staff who have been authorised to use the equipment. It needs to be made particularly clear that the creation, communication or forwarding of messages that are defamatory, obscene, sexually orientated, abusive, threatening, harassing, racially offensive, or which disclose personal information without authorisation are prohibited.
Likewise, it should be made clear that the equipment may not be used to access or view websites that contain sexually orientated, abusive, obscene, defamatory or otherwise offensive material. A good policy would also specify that the equipment may not be used to distribute or download software, and that no attempt should be made to gain access to another staff member's voicemail or e-mail messages without express prior permission.
Employees also need to be reminded that they should take care with what they say in a voicemail or e-mail message, as incorrect or improper statements can give rise to both personal and company liability. Readers may recall the 1997 case concerning an e-mail issued by an employee of Norwich Union Healthcare which was allegedly defamatory of Western Providence Life Assurance, and which resulted in Norwich Union Healthcare paying £450,000 sterling (#707,992) damages.
An important component of an employer's right to enforce policy is the ability to monitor employee communications. This raises the issue of employee privacy. The Data Protection Commissioner in his 1999 annual report commented specifically on the whole issue of monitoring employee e-mails and the tracking of employees' Web browsing. He confirmed that an employer was entitled to exercise reasonable control and supervision over employees and their use of business resources.
E-mail services paid for by the employer, he said, clearly constitute a business resource, and he would not interpret data protection law in a way which would prohibit an employer from openly exercising fair supervisory or control functions in this regard. He confirmed that employers were entitled to promulgate policies to protect their property and good name, and to ensure that they did not become inadvertently liable for the misbehaviour of their employees. However, he cautioned that employees retained privacy and data protection rights that must be respected by an employer.
He said much would depend on the culture of the particular employment when it came to considering the application of data protection principles to a complaint by an individual employee, that his employer had contravened the legislation. For instance, if a culture had developed within an organisation that was consistent with the use by employees of e-mail as a personal resource, then this might well limit the ability of the employer to monitor employee e-mails.
Accordingly, if employees uses the office e-mail system for personal purposes on the understanding, tacit or otherwise, that the confidential nature of the e-mails would be respected, then the accessing of those e-mails without the permission of the employee could amount to a breach of the data protection principle that personal data be "obtained and processed fairly". The Data Protection Commissioner said that similar principles could be applied with regard to monitoring the Web browsing habits of employees.
The Data Protection Commissioner pointed to useful guidance provided by the International Labour Organisation's Code of Practice on the Protection of Workers' Personal Data. This provides that workers should be informed in advance of the reasons for monitoring, the time schedule, the methods and techniques used and the data to be collected, and that the employer must minimise the intrusion on the privacy of workers. Secret monitoring should be permitted only if it is in conformity with legislation, or if there is suspicion on reasonable grounds of criminal activity or other serious wrongdoing. Continuous monitoring should be permitted only if required for health and safety or the protection of property.
On the issue of privacy and telephone calls, the successful European Court of Human Rights case taken by Assistant Chief Constable Alison Halford (who was then the highest ranking female police officer in the UK) against the British government, arising from the monitoring by the Merseyside police of personal calls made by her from her office phone, is pertinent.
Her claim was based on Article 8 of the European Convention on Human Rights. ("Everyone has a right to private and family life, his home and his correspondence.") The court ruled there was an abuse of Article 8, and made a unanimous finding that the notion of "private life" and "correspondence" in Article 8 could cover calls from business premises as well as at home, particularly in circumstances where there was an expectation of privacy.
Don McAleese is head of the Information Technology Law Group, Matheson Ormsby Prentice Solicitors.