Monitoring staff use of email and the internet

How far can employers go when monitoring the use of email and internet by staff and where do you draw the line? Anne Hughes of Fox Solicitors discusses the issue and looks at some recent case studies

In a world where everyone is glued to their smartphones and addicted to Facebook and Twitter, there are still a few people (usually those over 20) who want their personal communications to remain private.

There has been much controversy recently over the government’s proposals to introduce new laws allowing it to snoop on all electronic communications of UK citizens without a warrant. But how do people feel about their employers snooping on their personal communications?

Carrying a Blackberry 24/7 means that the line between your work and your private life becomes more blurred, and most of us use work email for personal use.

iPads are the latest “must have” executive accessory for work and play, and many people don’t think twice about forwarding confidential company documents to their personal email accounts so that they can access them away from their desks.

This helps us cram more working hours into our days, and so has an obvious upside for business. But there are downsides too.

Sensitive confidential information may be lost or stolen. As staff “tweet” about their day, or post comments on Facebook about their boss’s latest antics, their right to freedom of expression and privacy comes into direct conflict with the company’s interests to protect its professional reputation.

This has led to a string of employment tribunal cases hitting the news in the past couple of years.

Wetherspoons

A manager of a Wetherspoons pub claimed that she had been unfairly dismissed when she was sacked for posting negative comments about the pub’s customers on her Facebook page (Preece v JD Wetherspoons plc).

She claimed that her right to freedom of expression had been infringed. There was a sigh of relief from many employers when the tribunal decided that Wetherspoons had acted lawfully.

Although Preece had a right to freedom of expression under Article 10 of the European Convention on Human Rights, the tribunal decided that the action taken by Wetherspoons was justified in view of the risk of damage to its reputation.

Wetherspoons was in a much stronger position to defend this claim because it had a clear written HR policy which stated that the company may take disciplinary action should the contents of any blog, including pages on sites such as MySpace or Facebook "be found to lower the reputation of the organisation, staff or customers and/or contravene the company's equal opportunity policy".

TeleTech

Last year in Northern Ireland, an employee (Mr Teggart) brought a claim against TeleTech UK Limited after being sacked for posting obscene and lewd comments about the promiscuity of a female colleague on his Facebook page (Teggart v TeleTech UK Limited).

The comment mentioned TeleTech and was read by Teggart’s Facebook friends, including some work colleagues. Although the female colleague about whom the comment was posted did not see it herself, she heard about it.

In March 2012, the Northern Ireland industrial tribunal decided that Teggart had been fairly dismissed. It did not matter that he actually posted his comments on Facebook in his own time and outside work.

The tribunal said that Tele Tech had not infringed Teggart’s rights to freedom of expression and privacy. The reasoning was that Teggart abandoned any right to consider his comments as being "private" when he posted them on Facebook.

The right of freedom of expression must be exercised responsibly, and it did not give Teggart the right to make comments which damaged his colleague’s reputation and infringed her right not to suffer harassment.

Written policies

The difficulty for employers is balancing an employee’s rights against those of others (including other employees and the company itself). There have been cases when tribunals have decided that employers have got it wrong.

An employer can be far more confident taking action to monitor, investigate and take disciplinary action against employees if there are clear written policies in place beforehand, so that everyone knows where they stand.

Here are some pointers:

• The business should have a clear internet and electronic communications policy for staff, which lays down the ground rules and explains the consequences of failure to comply.
• Staff should be required to be familiar with the policy and warned that a breach of it will be treated as serious misconduct, which could lead to dismissal.
• If employees are expected to work away from the office, they should be provided with a secure way of accessing the confidential information needed to get the job done. It’s a constant challenge to keep pace with IT, so that employees are not tempted to find their own practical shortcuts to get the job done. Many employers have invested in software like Citrix, to enable employees to securely log-in to their work desktop remotely. Some employers are now offering employees a downloadable “app” for their personal iPhones, so that they can also securely access their work emails from their phones. The aim is to enable employees to work flexibly (to maximise their productivity) whilst minimising the risk to confidentiality.
• If you want to monitor an employee’s use of emails and internet at work, the Employment Practices Code published on the Information Commissioner's Office's website is essential reading (www.ico.gov.uk). Do not assume that the company has the right to inspect all communications sent and received (and internet content accessed) from the employee’s computer and blackberry just because the devices belong to the company. If the company generally allows (or tolerates) employees using their work computers to send personal emails and to access social networking websites for personal use, there may be a legitimate expectation of privacy in respect of those activities.

Confidential information

If it is discovered that an employee has forwarded confidential information to their personal email account, the company will want to make sure that the information has not been misused or leaked.

Often, an employer’s first step is to carry out an investigation - including a forensic IT investigation and an interview with the employee concerned. Then, the company may ask the employee to give written undertakings to confirm that the information has not been misused or disclosed to any third parties. The company can then decide whether disciplinary action is appropriate.

Personal computer

If the company believes that there may be company information stored on an employee’s personal computer or other device, it may wish to inspect those devices and delete the relevant information. This may form part of the disciplinary investigation.

However, it is obviously not that simple because most employees will regard this to be a gross intrusion into their privacy. In reality, most of us store a huge amount of personal information and photographs on our personal computers, belonging to us and our families.

Any proposed process for inspecting an employee’s personal devices must show respect for their privacy and property. Here are some tips on best practice:

• Appoint an independent IT expert, who will inspect the employee’s devices only with their consent and under their supervision. Unless the employee gives their consent, the company is unlikely to have the right to inspect the employee’s personal devices without a court order.
• The scope of the IT expert’s job should be very clearly defined and explained to the employee in advance.
• The IT expert should enter into a separate confidentiality agreement with the employee, agreeing not to disclose to any third party information belonging to the employee.
• In return for the employee’s co-operation, the company may be willing to indemnify the employee in respect of any damage to their device, software or personal data (including deletion).

This generation of staff has learnt how to multi-task so that we are almost constantly online. It seems that we are still working out where the dividing line should be, between work and our private lives. The challenge for employers now is to help staff understand when it is appropriate to switch on and off from work, and when to keep the two separate.

Anne Hughes is a senior associate at Fox Solicitors which specialises in the law relating to employment, partnership and discrimination