Stuart Gentle Publisher at Onrec

Keeping an eye on your staff

By John Lovelock, Director General, Federation Against Software theft

1. Monitoring Employees' Communications - RIPA: the basics

The Regulation of Investigatory Powers Act 2000 (RIPA) (with regulations) puts the interception of communications on a statutory footing and ensures compliance with the Human Rights legislation.

It came about as a result of a 1997 case in which a Ms. Halford, a senior police officer in Liverpool, was in dispute with her employer. Her private calls made from inside police premises on the police private network were monitored. Until then it was accepted that interception of public telephone calls was unlawful but this did not apply to a private network. She applied to the European Court of Justice, which ruled that under the Convention of Human Rights she had a right of respect for her privacy from interception of her calls by a public authority such as the police.

RIPA makes it a criminal offence to intercept calls from a private telephone system such as your office telephone system unless the person has a right to control the system or has the consent of the person making the call. IT Professionals can face civil liability for unauthorised interception.

A company monitoring its employees' calls with their consent is acceptable, as is:

- Monitoring incoming calls for training or record purposes, provided that this is reasonable and the callers are told

- Occasionally looking at employees' emails or listening to calls to make sure they are not abusing the system

However companies should not go over the top in monitoring the calls or emails of their employees.

Acceptability depends on the industry the company is in and the objective of the monitoring. Banks will require a high level of monitoring, whereas a Big Brother type regime in a trading company's office (as much as it may please the architect of the system) is over the top! Whatever the case, companies should include a clear statement of their intention in their policies and make sure employees know this is the practice.

The act allows law enforcement agencies to get permission to monitor. It also provides for a statutory framework for surveillance by police etc.

However, the police must first have an interception warrant: so ask to see it. The only situation where they can demand data from you without a warrant is where they have the consent of one of the parties to the communication being intercepted and the surveillance was authorised under the Act. Where there is no warrant you should be sceptical and you may feel more comfortable with assurance from a more senior police officer.


2. Email Monitoring is Essential

It is time for corporations to look beyond their own, sometimes ridiculously pious, corporate value statements and take a reality check - sex, harassment and gossip are rife in corporate life. In the past, no investigations meant few problems came to light.

But the risks have increased because:

- Employees' commitment and ability to record, circulate and store evidence of their bad habits

- Access on the internet to illegal or inappropriate material (pornography and illegal software)

- The ability to retrieve this information is not only enhanced by system/forensic techniques but also by the simple 10 data access request

- Victims are not prepared to keep quiet, supported by a news-hungry and fearless press

- The compensation culture is flamed by corporations' reluctance to be involved in litigation.

The fallout for companies is:

- Increased employment tribunal proceedings. The damages that employees can expect have been raised to 50,000 which makes employees far more likely to take issue if they should be subject to harassment or bullying.

- Data subject access requests under the Data Protection Act are a very cheap, informal and seemingly extensive form of disclosure of documents concerning what has been said about that employee.

- Police investigations: warrants are rapidly granted to police to enter corporate premises at any suggestion of child pornography. IT Professionals who hang on to such material can themselves be liable under the act.

- Defamation proceedings. It cost Norwich Union 450,000 plus its own costs to settle a defamation action which started due to an email rumour that their employees allegedly started about another company's financial viability.

- Bad publicity. A sexually explicit email forwarded by one solicitor to another was soon copied millions of times.

- The smoking gun email. It is common in litigation for disclosure to take place. This is the procedure where both sides produce all documents (including letters and emails) to the other party. It is now a regular occurrence to find an email blowing your case out of the water.

Companies can either wait for this potential tidal wave to occur or take preventative action. Many of the problems stem from employees trying to be funny. I am not suggesting that humour be banned in the workplace, although that may seem, at times, the HR Department's preferred option.

Part of the solution is the increased monitoring of staff email, but the legislation leaves IT Professionals crying out for simple guidelines. The Federation Against Software Theft (FAST), which runs a program to help companies become voluntarily software compliant, has issued the following ten email monitoring guidelines for IT managers:

1. No pornography
High minded corporate value statements encouraging zero tolerance policies have caused well publicised mass sackings of employees for using pornography. However morally satisfying a purge may be, what can be a good way of getting rid of troublesome employees sets a precedent that must be applied to the good employees too. It is better to accept that some employees would like to do this if they could get away with it. It is a matter of convincing them the monitoring of the system is such that they will be caught. Dismissal in the run of the mill case is not necessary.

2. Frankly inform employees of the monitoring policy
If employees are going to stop putting the company at risk they are going to need to get used to an honest approach. Monitoring them should not be done on the sly or as undercover surveillance. It is also wise to involve employees and unions in drawing up the policy.

3. Delete personal emails
If personal email is permitted, advise employees to protect their privacy by deleting personal emails. Employees are responsible for their own belongings - the same rules should be applied to their email.


4. Restrict and/or regulate employees' storage of email
Storage should be tightly controlled, whilst having a culture that deters employees from making inappropriate remarks in emails. Some industries are regulated so that they must keep all communications for a number of years. In these companies an efficient email storage system is essential.

5. Do not open personal email
There may well be exceptions to this but as a general rule personal emails are a potential can of worms.

6. Act on personal data revealed ONLY if it shows gross misconduct
The IT Professional should be cautious but not timid - a good monitoring policy will support firm action. However, if the IT Professional becomes aware of information of a clearly personal nature, then he does not need to dwell on it.

7. If necessary, monitor absent employees' inboxes
Business does not stop when the employee goes on vacation.

8. Document awareness programs
When problems arise, employees usually deny knowing the policy existed. Awareness programs can include employee contacts, intranets, boot camps, training days, tasks that require signing or acknowledging changes.

9. Give employees the opportunity to explain the conduct
Sometimes the most suspicious circumstances can have a reasonable explanation.

10. Do not go over the top
Balance business risk against employee privacy. Whilst wishing to be seen to be firm, an officious IT Professional can be part of the problem rather than part of the solution.

3. A word about Employment Tribunals

My experience has been that the Tribunal will try its utmost to get the employer to settle the matter by making some form of payment. As a generalisation, therefore, it may be better to make a serious attempt to negotiate a settlement prior to incurring legal costs. However, for those employers who are going to show their ex-employee who is boss (even after they have left the company), the Tribunal offers a relatively cheap means of fighting it out, and the issues normally in dispute do not use up company resources to the same extent as a civil trial. The downside is that you will be playing out your moment of justice before a fairly unsympathetic audience of tribunal members.

Another drawback is some employers see the tribunal as a bit of a lottery. The cases sometimes seem to conflict:

- An employee downloaded pornography, had a brief interview and was sacked for gross misconduct.
Held: Unfair, as it was not investigated and the manager did not adhere to the company's code of conduct.

- Employee got stuck in a porn site. Interviewed and code of conduct referred to.
Held: Dismissal fair.

- Employee had unauthorised access to wage data.
Held: Dismissal fair. It would have been easier if the company had a written security policy.

- A long standing employee hacked into a company database containing customer information, altering 90 secure passwords to do so. He did not do it for personal gain but to do his job more effectively.
Held: Unfair dismissal.

- Employee looked up travel companies to arrange a holiday.
Held: Dismissal fair.

- Company concerned about internet abuse by all employees compiled a list of offenders and categorised them into bad, very bad etc. Then dismissed those in the bottom two categories.
Held: Fair.

The conclusions that I have made are:

1. In Tribunals the procedure you adopt in investigating and deciding the conduct is very important. The "off with his head" knee-jerk reaction is not the preferred method.

2. Remember: evidence collected after the employee is dismissed will not be admitted in the tribunal even if it shows that you were right. This suggests collect the evidence first and then dismiss with firm reasons for doing so.

3. There are few sure winning cases.