
Should you be keeping an eye on the inboxes of your workers or not?
Published: 22 October 2009 11:50 GMT
Every office generates so much email, IM and internet traffic it's all but impossible for management to keep track of exactly what's being said, seen and done online.
But how can execs be confident that all these digital conversations are necessary and not just time-wasting? Or worse: the cover for data leaks, inappropriate content-sharing or other nefarious or even criminal activities.
Some of the reasons an organisation might want to monitor staff use of email and internet sound obvious - assessing skills or performance or keeping tabs on time spent on non-work activities, for instance, or preventing the distribution of inappropriate or illegal content.
Another possible use for monitoring could be to help prevent damage to computer systems by identifying careless internet and email users who are downloading malware or accessing potentially risky websites. It could also help to ensure compliance with health and safety regulations and, more broadly, to reduce the risk to the business from liability for the actions of its employees.
Other reasons to embark on a period of monitoring might include gathering evidence on an untrustworthy employee where there are serious and credible grounds for suspicion.
Beware the legal minefield
But monitoring employees' use of email and the internet means tiptoeing through the legal minefield of data protection. Relevant legislation includes the Data Protection Act (DPA), Ripa 2000 and even the Human Rights Act.
As an employer, you have an obligation to inform your workforce that you might be monitoring their communications. Unlike workers in the US, employees in the UK do have an expectation of privacy in the workplace, and if you fail to follow best practice you could find your organisation on the wrong side of the law: under Article 8 of the Convention on Human Rights everyone has the right to "respect for his private and family life, his home and his correspondence".
You may think adding a sentence to the company handbook along the lines of 'please be aware your email may be monitored' is enough to protect your organisation from being taken to court - but think again. Your monitoring policy needs to be visible to staff so don't be tempted to bury it where you hope it'll go unnoticed.
Be specific about what you are doing
The more specific the policy is the better too. The TUC argues staff need to be told when, why and how information is being obtained, and who will have access to it.
To avoid any doubt, your monitoring policy should be pre-emptively specific, said Cameron Craig, partner at law firm DLA Piper. "Just saying willy-nilly to all employees that email may be monitored I don't think gives sufficient safeguards," he told silicon.com. "It needs to be quite prescriptive."
An effective monitoring policy might therefore include several explanatory clauses - saying, for instance, you 'may monitor emails for compliance with company policy' and 'to prevent distribution of pornographic or other inappropriate or illegal content'.
Ideally you should regularly broadcast the full policy to all your employees via a medium such as the corporate intranet or a newsletter. Your workforce should be clear about what is acceptable and unacceptable when it comes to using email and the internet - so having an acceptable usage policy in place for both is also advisable. The more often you draw attention to the monitoring policy, and the more education and training you provide your staff about acceptable use, the better.
Covert monitoring of staff communications is only allowed in exceptional circumstances - where, say, criminal activity is suspected, as the Information Commissioner's Office notes in its guidance to employers, The Employment Practices Code.
Don't be tempted to dig
Even if you put all these policies in place and regularly broadcast their existence and contents to staff this doesn't mean you have the all-clear to go on a fishing trip to dig dirt. Monitoring has to be proportionate, said Craig, which means reading everyone's emails to catch a paperclip thief is a no-no.
Blanket monitoring of everyone in the company to try and find who has been leaking confidential documents is another example of how monitoring should not be carried out.
As Craig pointed out: "Wholesale monitoring is not proportionate." However if, for instance, you had reasonable grounds to suspect a leak came from a specific division of the company, then you could be fairly confident that carrying out a controlled period of monitoring on that specific group would be OK.
In essence, there has to be a "reasonable purpose" behind the monitoring, and the monitoring must be carried out in a "controlled way" with a "clear objective" in mind when looking at the data, says Craig.
Deliberately reading personal emails should be avoided at all times, except in the most exceptional cases, such as where a criminal investigation is taking place. But sensitive personal data - such as medical data, sexual orientation, trade union membership details - can be inadvertently unearthed during the monitoring process and must be treated sensitively and with strict confidentiality to avoid a breach of data protection law.
Copyright © 2008 CBS Interactive Limited. All rights reserved.