Internet Newsletter for Lawyers
This article, and the associated specimen computer and email use policy (see later) were
written for a lecture which I gave earlier this year. It can be considered either as advice for
clients, or advice for a law firm or chambers itself.
Employees can get up to all sorts of mischief using computers and e-mail. Such hassles include
racial and sexual harassment, downloading of pornography, defamation of management,
customers or competitors, breach of confidence, copyright infringement, inadvertent formation
of binding contracts, excessive time on the internet in working hours and breaches of either the
Computer Misuse Act 1990 or the Data Protection Act 1998. To try to combat these potential
problems and to provide staff with some guidance, employers are increasingly adopting
computer use and e-mail policies. More than half of all businesses in the United States now
have such policies. I can see a mini-boom for lawyers in this country helping draft such policies.
Every business is different and no one size fits all. It is surprising how tough Tribunals are
prepared to be about the dismissal of employees for downloading of pornography, particularly
if there is a policy in force forbidding this. One question that clients often ask me in these
circumstances is whether they are required to notify the Police. In my experience, the Police
are not interested unless the pornography is being sold by the employee or it involves children.
The Telecommunications (Lawful Business Practice) (Interception of Communications)
Regulations 2000 SI 2000/2699 (“the Regulations”) came into force in 2000. The Regulations
state that it is lawful for an employer to monitor and record certain types of communications in
restricted circumstances without the consent of the sender or recipient. Without the Regulations
the employer would be in breach of the Regulation of Investigatory Powers Act 2000. Under the
Regulations an employer who wants to intercept communications must make all reasonable
efforts to inform every person who may use the system that interception may take place. This
is easy with employees as notification of monitoring can be given. It is more difficult with third
parties. One possibility is to include an automatic warning about monitoring at the end of all
external emails.
Employers need to remember that even if interception of messages is carried out by them in
a legitimate manner, any use by them of the information gathered must be proportionate and
in accordance with the data protection legislation (e.g. it should not be passed on to third parties
without good cause or the consent of the employee concerned). The data protection legislation
prohibits the abuse of data about living individuals, e.g. by such data being used for purposes
for which the individual has not consented. The Information Commissioner (who deals with data
protection) has published a code on monitoring at work. Although this code does not have the
force of law it can be used in any enforcement action by the Information Commissioner and may
be referred to in employment tribunal proceedings. The code emphasises that monitoring of
messages should only take place when there is a real business need and the methods used
should not be unduly intrusive into an employee's privacy. Employees have a reasonable
expectation that they can keep their personal lives private which means that they are entitled
to some privacy at work. It is recommended that employers should wherever possible avoid
opening emails, especially ones that clearly show that they are private or personal. Employees
should be aware that monitoring is taking place and told the reasons for it and the means used.
Covert monitoring will only be legitimate in the most exceptional of circumstances such as the
detection of crime or equivalent wrongdoing. It is good practice for this monitoring to be carried
out by someone other than the employee's line manager e.g. by security or human resources.
In this way, such personal information that is picked up about employees can be sifted so that
only the most relevant ever becomes known by those who work with the employee.
The following information must appear on company letters:
For partnerships of 20 partners or less, the names of the partners must all appear together with
an address for service. Partnerships of more than 20 may simply say that a list of the partners
is available at a particular address. Sole traders must give their real name and an address (in
addition to whatever trading name that they have chosen to use). Businesses who do not abide
by these rules risk looking amateur or newly started (or both). Some employers now provide
employees with two different templates for e-mail messages – one with all the company
information and the other without (making it clear that it is a personal message from the sender
and is not sent on company business).
• it is a criminal offence BOTH by the company concerned AND by the person who authorises
the communication on behalf of the company (Section 349(3) Companies Act 1985)
• if it relates to an order for goods and the company's name is not mentioned in the e-mail the
individual who sent it can be personally liable for the order (Section 349(4) Companies Act
1985)
• difficulties can arise in bringing legal proceedings to enforce a contract made where the
appropriate information has not appeared on the company's notepaper or in the company's
e-mail (Section 5, Business Names Act 1985)
The point can be backed up by reminders on computer screens and regular training. The same
rules should also be applied to any in-coming freelance contractors (often overlooked). Internal
audits should check that security policies are being followed and the side should not be let down
by senior management (as it frequently is). The aim should be that no user of the firm's
computers could reasonably argue that they were not aware of the rules of use.
Jeremy Holt is Head of Computer Law Group at Clark Holt, Commercial Solicitors,
www.clarkholt.com.
A specimen computer and email use policy is provided at
n0605computerspecimen.doc (relative addressing) or at
www.venables.co.uk/n0605computerspecimen.doc (absolute addressing).
This is in Microsoft Word format and you
are welcome to download it and adapt it for your own organisation.
Staff Computer and E-mail Policies
by Jeremy Holt
The Investigation
Employers sometimes wonder whether they have the right to monitor voice calls or e-mail
messages and there are a number of myths about this. There is no legal distinction between
phone calls and e-mail messages for these purposes. Where employers have told employees
that their calls will not be monitored or given an indication that that is the case then monitoring
will be in breach of both the terms of employment and of the Human Rights Act 1998.
Not the Answer
Clients sometimes believe that all their ills can be cured by a well-drafted disclaimer at the foot
of an e-mail. E-mail disclaimers are of little value other than to notify the recipient that the
contents of the e-mail are confidential and to offer a method of reporting any misdirection. They
can look particularly silly if a one line message is followed by a seven line disclaimer (large firms
of Accountants please take note). E-mail disclaimers are no substitute either for a proper e-mail
policy within a business or for the information that must be shown on a letter.
Overlooked Requirements
From a legal point of view, emails count as "letters" for the purposes of disclosure of information
about the sender.
• the full name of the company
• the registered number of the company
• the address of the registered office
• an indication that that address is the registered office
• the country of registration of the company.
Consequences of Failure
There is no reason to differentiate between a written letter sent by post and a letter sent by
e-mail. Not all businesses are abiding by this at the moment; word seems to be slow to
percolate through. There are a number of consequences of failing to abide by the Companies
Act 1985 and the Business Names Act 1985 in this respect:
The Answer
You need to get the security policy across to everyone using the employer's computers (who,
of course, are not necessarily all employees). The staff handbook and employment terms are
a means to that end backed by emphasis on induction. I have read of one employer who gives
new employees a copy of the Computer Misuse Act 1990 when they start (they cost £3.40 each
from TSO, formerly HMSO, telephone 0870 600 5522). They are also available free online from:
www.opsi.gov.uk (the ISBN of the Computer Misuse Act 1990 is 010 541 8900).
email jeremyh@clarkholt.com.