Internet and email monitoring in the workplace & disciplinary issues - do you have a written Data Protection Policy?
A number of problems can arise with employees’ use of computers and in particular with access to the internet and email. This may be something as simple as excessive use of work systems for personal or non-work related matters, or more serious activities such as harassment of fellow workers or theft of data.
One way to tackle these issues is of course the monitoring of the employees' activities. Generally the law provides that employees must be made aware of the possibility of such monitoring and why it is taking place. Where an employer has not told employees that their communications may be monitored, then they run the risk of:-
* breaching both Human Rights and Data Protection legislation; and
* being prevented from sacking an employee (eg, for viewing inappropriate material on the internet) for what would otherwise amount to an offence of gross misconduct for fear of inviting an unfair dismissal claim
Increasingly employers are adopting a Data Protection Policy which includes a computer and email section. These not only help ensure that employees are aware of the potential for monitoring, but can also help address the problems, by providing guidance on acceptable practice. Such a Policy can be tailored to suit business needs as each business will have its own unique systems in place, and indeed its own perception of what activities need to be focused on.
In addition to computer and email use, a Data Protection Policy should provide an overview of data protection law; detail the appointed Data Compliance Officer’s obligations; set out how to notify and re-notify as required by law; detail how to reply to a person’s request to see their personal data; set out the employer’s communications policy; and detail data security measures.
The Data Protection legislation applies to a number of other types of monitoring of employees at work, including CCTV monitoring and monitoring of telephone conversations. Indeed any policy dealing with internet and email usage can be drafted to cover these other areas too.
A main theme of the Data Protection legislation is providing a balance between workers’ rights to privacy and the benefit of monitoring to the employer, authorities, or wider public. In deciding what policy is best for their business an employer should consider:
* Why do I want to monitor? - Is it to tackle one particular problem or a number of different issues?
* Which monitoring (and what extent of monitoring) will allow me to address the issue proportionately and fairly?
* Is the intrusion justified by the benefit to me?
* What information do I need to give my employees regarding the monitoring and how will I provide this information to them?
If you do gather information obtained from monitoring employees' communications you should ensure:
* Information is not kept for longer than necessary. Where action is taken against the employee, it may therefore be appropriate to delete the information when disciplinary procedures have been completed.
* Only the information necessary to address the problem should be kept and any surplus information should be destroyed.
* Information gathered is kept secure. This may mean limiting the number of those who have access to the information to perhaps only one or two employees, and having suitable physical and password security in place.
* Information is used only for the purposes for which it was gathered (unless the monitoring reveals activity that the employer cannot reasonably be expected to ignore, for example criminal activities).
This is a very general outline of only some of the considerations regarding monitoring of employees' internet and email use in accordance with a Data Protection Policy. Any employers planning to undertake workplace monitoring or otherwise use employee data should ensure specifically that their employees are given notice in writing and should generally take legal advice on the form and content of the employer's Data Protection Policy, if they wish to be able to lawfully dismiss employees who fail to comply.
For more information on this topic or indeed for help in drafting a policy to suit your business please contact Richard Fox or Dan Chapman.