E-mail policies - the need for new systems to control and monitor electronic communications

E-mail policies

Anna Jones considers the need for new systems to control and monitor electronic communications

You have just been told that one of your employees has been downloading pornographic material from the Internet and e-mailing it to a number of female employees, while another employee, in the course of installing his own Internet access software, has infected your computer network with a dangerous virus. As your IT staff work overtime to limit the damage, you have to decide what should be done with the employees involved. One of the first questions you need to ask is whether your company has an e-mail/Internet policy. If the answer is yes, and the policy is comprehensive, your tasks should be significantly eased.

The vast majority of businesses these days use computers. Many employers have equipped their employees' computers with both internal e-mail facilities and access to the Internet. These are useful tools for communication, research and commercial purposes. However, they are also a significant investment for employers and can cause significant damage when an employee misuses or abuses them.

The problems which can arise from e-mail and Internet use are not new, but the likelihood of such problems arising and the potential damage is certainly greater. Messages can be copied to the whole company or even all over the world at the touch of a button. Employees are less guarded, as there is no immediate witness to overhear or see their actions. Employees often wrongly think that no one can trace their e-mail and Internet activities. In reality, most companies have back-up routines which mean that messages will continue to exist for a considerable period on hard drives or even hard copies and can therefore be retrieved. If a court orders an employer to retrieve such messages, the retrieval process may cause substantial cost and disruption and the messages themselves may be used in evidence against the employer. In a recent case, a damaging defamatory rumour concerning a competitor's financial position was circulated by internal e-mail to the employees of a company. Although all the employees had deleted their copies of the defamatory e-mail, the message could be and was (at the order of the court) retrieved from the hard drive, forcing the company to make an expensive and hasty settlement of the libel claim. Although a policy cannot provide an absolute cure for such problems, it can highlight the dangers to employees and enable the employer to deal more effectively with offending employees.

An e-mail/Internet policy needs to cover 3 main areas: first, regulating legitimate business use; second, describing what constitutes misuse and what the consequences are for employees who misuse; and, third, monitoring use.

Use

There are a number of pitfalls that need to be avoided when employees use external e-mail for legitimate business purposes:

Content

Employees may be prone to use inappropriately informal and unguarded language, which may nevertheless bind the employer contractually or expose it to legal liability to third parties. The information which must be included in business correspondence (e.g. company registered name, number and address) needs to be included in e-mails.

Confidentiality

The use of e-mail for sending confidential information needs to be regulated. The interception of external e-mail is child's play for some people.

Viruses

It has been estimated that half of the UK's businesses would close within 6 weeks if their computer networks were out of action for any significant length of time. Downloading from the Internet and the opening of external e-mail can introduce dangerous and potentially business-destroying viruses to an employer's computer network. Procedures need to be put in place and observed to minimise the risk of this happening.

Misuse

Employees may use the e-mail system or Internet for personal purposes, wasting work time and possibly clogging up the system with unnecessary messages. They may download software onto their work computers in breach of copyright, for which employers may be criminally liable in certain circumstances. They may use external e-mail to communicate information against the employer's interests, perhaps disclosing trade secrets, or making defamatory statements.

E-mails may also be used as an all-too-easy and discrete means of bullying or harassment, by sending insulting messages or by circulating offensive material downloaded from the Internet: a recent survey has suggested that e-mail is now one of the main vehicles for workplace bullying and harassment. Distribution of obscene material could also be a criminal offence under the Obscene Publications Act 1959, for which an employer can, in certain circumstances, be liable.

All of these activities may damage the employer in terms of lost productivity or legal liability. The employer may even be found guilty of a criminal offence. Of course, messages sent to different parts of the world may fall foul of defamation or obscenity laws in other jurisdictions which are stricter than in the UK.

An e-mail policy dealing with misuse is important for 2 reasons. First, if employees have been warned what type of conduct is unacceptable and may lead to summary dismissal, an employer will find it easier to persuade a tribunal that it has acted fairly in dismissing for such conduct. Second, the implementation of such a policy may help the employer to defend claims that it is liable for harassment carried out by one of its employees. Such claims could arise under discrimination legislation (the Sex Discrimination Act 1975, the Race Relations Act 1976 and the Disability Discrimination Act 1995), as a claim for personal injury or as an unfair/wrongful constructive dismissal claim.

The discrimination legislation provides that employers are liable for the acts of their employee committed in the course of their employment, whether or not they are done with the employer's knowledge or approval. Employers are likely to be held liable for all e-mail abuse using work computers, even where the harasser had no work-related reason to e-mail the victim. However, an employer does have a defence to liability if it has taken such steps as were reasonably practicable to prevent the acts concerned. An e-mail policy which directly addresses the issue of harassment would assist in establishing this defence, although other steps (including publicising and enforcing the policy properly) would also be required.

Where employees claim that e-mail harassment has caused them severe stress and, ultimately, injury to their mental health, employers may become vicariously liable for the acts of their employees done 'in the course of their employment' under common law principles of vicarious liability. However, the phrase 'in the course of employment' is given a more restrictive meaning in this context than under discrimination legislation. Employers will only be liable for acts which are authorised tasks carried out in an improper manner.

E-mails containing work instructions phrased in an abusive manner will be 'authorised tasks' whereas sending pornographic pictures downloaded from the Internet are unlikely to be 'authorised tasks'. However, if the employer has failed to take reasonable steps to prevent e-mail harassment by its employees, it may be held directly liable. Again the publication of a clear policy that such conduct is unacceptable will help to avoid liability. The same principles of vicarious and direct liability will apply to constructive dismissal cases.

Monitoring

The ability to monitor employees' e-mails enables employers to detect misuse and to deal with it through a disciplinary process, hopefully before loss or liability has been incurred. Monitoring or reserving the right to monitor may also amount to a 'reasonable step' to protect staff against e-mail harassment. However, if employers wish to monitor e-mails, they should reserve the right to do so expressly and openly and obtain their employees' consent. The ideal place to do this is in an e-mail policy which employees are asked to sign, acknowledging their acceptance of its terms. This not only serves as a deterrent to misuse but may also be necessary to avoid committing breaches of contract or criminal offences. It is likely that the duty of trust and confidence implied into all employment relationships may cover rights to privacy for personal e-mails. If an employee reasonably believes that he is entitled to use e-mail for personal purposes and that his e-mail communications are private, accessing those communications could amount to a fundamental breach of contract by the employer, entitling the employee to resign and claim constructive dismissal. Further, covert monitoring could in some circumstances also involve breaches of the Interception of Communications Act 1985 and data protection legislation or the Human Rights Act 1998, when in force. Employers should therefore make it clear in their e-mail policies that they reserve the right to monitor employee e-mails to counteract any right to privacy.

All of the above issues highlight the need for a comprehensive e-mail and Internet policy to minimise the increased risks inherent in this medium. It may also be appropriate to introduce a general computer policy to deal with issues such as the use of computer games, unauthorised access to confidential files, and the implementation of security procedures to impede unauthorised users.