Internet Newsletter for Lawyers
March/April 2005, by Delia Venables

The Law Management Section of the Law Society has produced an "Internet Toolkit" written by Rupert Kendrick.

Managing Internet Risk
by Rupert Kendrick

A story in The Times, 1 February 2005, carried a headline "Lesbian wins unfair dismissal case over e-mails to her lover". The story was about an employee who was dismissed for allegedly sending and receiving over 300 messages, some of which were sexually explicit or contained bad language. She won her claim for unfair dismissal. Why? Because "the employee had been given no prior warning that her behaviour warranted criticism and undoubtedly if she had been, she would have stopped," according to the tribunal chairman.

The need to formulate and enforce clear policies for the proper use and management of all Internet technologies has never been more important, particularly with the arrival of the Companies (Audit, Investigations and Community Enterprise) Act 2004 relating to corporate governance. Clear policies are required in areas of Internet technology that are disparate yet closely linked. It is unlikely that any firm's Internet technology is under proper management control unless there are policies in place governing:

  • use of e-mail;
  • use of the world wide web;
  • monitoring of employees' use of Internet technology;
  • management of its web site;
  • provision of services electronically;
  • management of its data;
  • management of disaster recovery and business continuity;
  • management of mobile technologies.

    How does a firm create policies for such a diverse range of issues and how can a policy sensibly be devised which is tailored to the needs of a particular practice, large or small? This problem confronted me when completing my book, Managing Cyber-Risks (Law Society Publishing 2002). How could I draft template policies as examples for a wide range of different firms? The answer was - I couldn't.

    I therefore broke down Internet technology into a series of protocols. Of those above, four appear in the book, and the others I have added, to complete an "Internet Toolkit" - a series of protocols containing key features. Not all of these will apply to every firm, so, to convert the protocol into a formal policy, the firm will need to select the relevant features for inclusion.

    Below is an extract from the protocol on monitoring employees' use of the Internet in the workplace.

    ----

    The protocol should specify the firm's code of conduct in writing in relation to monitoring and be made available to all personnel using Internet technologies:

  • specifying whether or not internal and external electronic business communications are being monitored;
  • recording impact assessments performed for the purposes of justifying monitoring activities;
  • acknowledging the employees' right to privacy;
  • expressing clearly the purpose of the intended monitoring;
  • explaining why monitoring is a justified and proportionate response;
  • identifying the technological monitoring steps being taken;
  • identifying the business communications being monitored;
  • identifying who is responsible for implementation;
  • identifying who will have access to collected data;
  • providing assurances as to the lawful use of data;
  • identifying procedures for challenge by the data subject;
  • identifying disciplinary measures for non-compliance;
  • requiring the relevant personnel to provide written acknowledgment of the requirement to comply with the protocol; and/or
  • securing the freely given consent by the relevant personnel to monitoring.

    Legal Compliance
    Data Protection Act 1998; Regulation of Investigatory Powers Act 2000; Telecommunications (Lawful Business Practices) (Interception of Communications) Regulations 2000; Part 3 of the Information Commissioner's Code of Practice, The Use of Personal Data in Employer/Employee Relationships; Human Rights Act 1998

    Technology Reference
    www.waterfordtechnologies.com

    Case Reference
    Halford -v- United Kingdom (1997 IRLR 471)

    The legal references enable the law to be checked in more detail. The technology reference is simply an example of 'where to look next' (not a recommendation as such).

    -----

    There are 8 Protocols available so far (the topics listed above) with more to come. These are available to members of the Law Management Section of the Law Society.

    Rupert Kendrick is a solicitor and legal IT journalist. He specialises in Internet risk management and is Editor of Managing Risk published by Web4Law Ltd, www.web4law.co.uk.
    Email RupertKendrick@aol.com.

    Note from Delia: The LMS was set up in 1998 to help firms manage their practices efficiently. It provides practical guidance, information and support on the full range of practice management disciplines including HR, finance, marketing, IT, business development, client care, quality and risk. The cost of membership is £110 for a sole practitioner, £130 for an individual solicitor or £315 for corporate membership. This is a worthwhile investment for all firms.

    See the LMS website at lms.lawsociety.org.uk for more details.
