This chapter discusses policies for the use of email and computers by employees and the health and safety requirements with which an employer must comply. Each section ends with an action plan, and the appendix at the end of the chapter contains a specimen computer use policy.

INTRODUCTION

Employees can cause their employers all manner of problems in their use of computers and email. For example:

• misuse of computer systems can waste staff time and leave businesses (and their management) exposed to claims for discrimination, harassment, defamation or worse;
• failure to include proper business information in electronic communications can result in criminal liability under the Companies Act;
• stringent health and safety requirements about the quality of screens and other computer equipment used by staff must be met.

COMPUTER AND EMAIL USAGE POLICIES

An employer can be held responsible for wrongful actions carried out by employees in the course of their employment. This is the case even if the act is done in a way that has not been authorised by the employer. For example, an employer can be held responsible for employees’ acts involving racial and sexual harassment, downloading pornography, defamation of management, customers or competitors, breach of confidence, copyright infringement, hacking and breaches of the Data Protection Act.

Employers have adopted computer use and email policies to provide staff with some guidance to avoid these problems. Every business is different and no single policy will suit all.

Employers should also remember that, in certain cases, both the employer and the employee are liable for the employee’s wrongful action. It can be useful to remind employees of this in order to encourage them to comply with rules forbidding particular conduct.

The problem with email

Users adopt a more relaxed manner when using email, similar to a telephone conversation rather than a letter. However, the form of the communication is much more permanent and it can be stored and passed on very easily. The thoughts of an employee expressed in an email could be critical later when used to defend, or damage, their employer in legal proceedings. Two graphic examples of what can go wrong come from large firms of solicitors in London (who should really know better). In one, a male solicitor received an email from his (then) girlfriend commenting favourably on their most recent sexual encounter. The explicit content of the email ensured that copies of it were passed on in a chain reaction to millions of people within weeks. In another case, which involved a race discrimination claim, a throwaway comment from the employer about the ideal physical attributes of any new secretary (which was somehow passed on to the claimant, a former secretary, who did not have such attributes) brought a great deal of unwanted publicity to the firm concerned.

Two points should be emphasised. First, if these comments had been spoken (or even expressed in a written letter, which would have been much more difficult to copy and pass on to a large number of people), they would not have caused the trouble that they did. Secondly, the damage to the employer is more likely to be to their public reputation than financially, particularly if the comments expressed are sexual or discriminatory in some way.

The problem that the storage of emails can cause was highlighted in the celebrated Oliver North case in America. Although Oliver North had thought that he could completely delete certain computer data, such data were retrieved by the authorities and used as evidence against him. It is surprising how effective a good computer forensic company can be. In another case a drug dealer was convicted because he had stored details of his drug transactions on his handheld computer and, although he believed that they had been deleted, they were retrieved by the police.

An email message is stored in a number of places: the sender’s machine, the recipient’s machine and (because of the technical manner in which email messages are transmitted across the internet) the machines of any other people to whom it may have been copied. As a result, it is extremely difficult to destroy all records of a message sent.

Staff should be discouraged from commenting by email on any legal dispute in which their employer is involved, in case such comments are used against the employer later in legal proceedings.

Monitoring emails and internet use

Employers sometimes wonder whether they have the right to monitor voice calls or email messages and there are a number of myths about this. For a start, there is no legal distinction between phone calls, faxes and email messages for these purposes; all telecommunications are treated the same and the same rules apply to each medium.

The basic principle (set out in the Regulation of Investigatory Powers Act 2000) is that telecommunications may not be intercepted by employers unless both the sender and the recipient have consented to the interception.

Indeed it is a criminal offence for employers to carry out unauthorised interception and, if they do, they face up to two years’ imprisonment and/or a fine, as well as the possibility of an injunction or damages claim.

However, under a separate set of regulations (snappily entitled the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000), businesses are allowed to intercept communications without consent for certain limited purposes, as long as the messages relate to the business and are on a system provided in connection with the business. The purposes include:

• establishing the existence of facts (e.g. recording transactions in case there is a contractual dispute);
• compliance with regulatory standards;
• detecting crime (e.g. fraud or corruption);
• investigating unauthorised use of the system (e.g. to check that company rules on emails or internet use are being followed);
• checking on the standards of people using the system (e.g. for quality control or staff training);
• protecting the system from viruses or other threats to the system;
• backing up or re-routing emails when a member of staff is on holiday or off sick.

Employers are required to take all reasonable steps to notify users that interception may take place. This is relatively easy with employees because it can be stated in a staff policy. However, it is much more difficult with outsiders sending inbound emails. One method of notification is in outbound email and fax disclaimers. Employers should remember that even if interception of messages is carried out by them in a legitimate manner, any use by them of the information gathered must be proportionate and in accordance with the Data Protection Act (see Chapter 7).

The Information Commissioner has published a code on monitoring at work. Although this code does not have the force of law it will be used in any enforcement action by the Information Commissioner and may be referred to in employment tribunal proceedings. The code emphasises that monitoring of messages should only take place when there is a real business need and the methods used should not be unduly intrusive into an employee’s privacy. Employees have a right to expect that they can keep their personal lives private, which means that they are entitled to some privacy at work. It is recommended that employers should wherever possible avoid opening emails, especially ones that clearly show that they are private or personal. Employees should be aware that monitoring is taking place and told the reasons for it and the means used. Covert monitoring will only be legitimate in the most exceptional of circumstances such as the detection of crime or equivalent wrongdoing. It is good practice for the monitoring to be carried out by someone other than the employee’s line manager (e.g. Security or Human Resources personnel). In this way, personal information that is picked up can be sifted so that only the most relevant information becomes known to those who work with the employee.

Laying down a policy for staff

All businesses should draw up a policy for staff on their use of computers (and access to the internet, if applicable) and notify all staff of it. Unless it is wildly unreasonable, staff cannot argue about such a policy. Their use of the employer’s equipment is conditional upon their following the policy laid down, otherwise they can be in serious trouble. The policy should be emphasised during the induction of new staff. A specimen staff computer use policy is shown in the appendix at the end of this chapter. Note that this policy should not just be restricted to employees; it should also be given to outside contractors and agency staff.

The policy can be backed up by reminders on computer screens and regular training. Internal audits should check that security policies are being followed and the side should not be let down by senior management (it frequently is). The aim should be that no user of the firm’s computers could reasonably argue that they were not aware of the rules for the use of them.

Private email

It is unrealistic for employers to ban completely the private use of email by employees. No doubt the same discussions took place when the telephone first started to be used widely within business.

If private email use is allowed, it is critical that such messages be sent in an appropriate format and that they not appear to be official messages from the company. The best way to do this is in the signature section of the message.

There should be two different formats for the employee to use depending on whether the message is official or private, and private messages should be accompanied by a heading or signature block that states, for example, ‘This message is from Jeremy Holt and is sent in a private capacity’. The next section discusses the signature for business emails. The importance of differentiating between the two kinds of messages, official and private, can be seen if employees send messages to newsgroups or bulletin boards.

Some employers allow employees to set up private web-based email accounts for private emails. In this case, the employer can not monitor such messages and the messages sent do not use the employer’s return address.

Website access

The policy prohibiting staff visits to unauthorised sites (e.g. pornographic or recruitment agency sites) can be reinforced by the use of filtering systems and blocking software (which is surprisingly inexpensive). In the writer’s experience, just the knowledge by the staff that such blocking software is being used is enough to reduce significantly visits to unauthorised sites during work time. Obviously, staff may visit them from their home computers, but this does not waste valuable working time.

It is surprising how tough Employment Tribunals are prepared to be about the dismissal of employees for the downloading of pornography, particularly if there is a policy in force forbidding this. One question that is often asked in these circumstances is whether employers are required to notify the police. Generally the police are not interested unless the pornography is being sold by the employee or it involves children.

There is no doubt that employers can dismiss staff for excessive surfing of the web during working hours. A computer manager at a firm of management consultants was dismissed fairly for using the office computer to do 150 searches for cheap holiday deals. Whilst it may not be practical for employers to check what sites employees have been visiting, peer group pressure does work. If other employees are having to work harder because one is surfing the web, the employer is soon likely to hear about it.

Hacking

Some astute employers give new employees a copy of the Computer Misuse Act 1990 when they start. The Computer Misuse Act makes it a criminal offence to use, access or alter another person’s computer without prior permission, and providing a copy of it underlines to the employee that the company’s systems should not be used other than as permitted in the course of the employment.

Disclaimers on business emails

Businesses sometimes believe that all their ills can be cured by a well-drafted disclaimer at the foot of an email. Email disclaimers are of little value other than to notify the recipient that the contents of the email are confidential and to offer a method of reporting any misdirection. Email disclaimers are no substitute either for a proper staff email policy or for the legal information that must be shown in an email, which is the same as must be shown on a business letter (see box).

There is no reason to differentiate between a letter sent by post and a letter sent by email. Some businesses still fail to follow these rules fully in relation to emails at the moment. This is all the more surprising when the vast majority of business messages are now sent by email rather than by formal business letter. There are a number of consequences of failing to abide by the law in providing the required information in company letters or emails:

• It is a criminal offence both by the company concerned and by the person who authorises the communication on behalf of the company.
• If the communication relates to an order for goods and the company’s name is not mentioned in the email, the individual who sent it can be personally liable for the order.
• Difficulties can arise in bringing legal proceedings to enforce a contract made where the appropriate information has not appeared on the company’s notepaper or in the company’s email.

Action plan on computer use

• Introduce a computer use and email policy. If there is no policy, an employer cannot monitor what is happening except in very limited circumstances.
• Make sure that such a policy is notified to all employees and contractors and that they are reminded of it from time to time (e.g. by banner warnings when logging on to the system), otherwise it will not be possible to rely on it later just when it is needed.
• Ensure that all emails contain the correct business information.
• Devise a system whereby personal emails from members of staff are clearly differentiated from emails on company business. (This might be as simple as requiring the employee to put the word ‘Personal’ in the subject line of any outbound emails that are of a private nature.)

AVOIDING HEALTH AND SAFETY CLAIMS

Health and safety legislation rears its head in relation to the use of computers by staff. Most businesses use computers now and it is critically important to be aware of the health and safety aspects. Failure to abide by such rules can lead to imprisonment or a fine, in addition to the inevitable bad publicity. It also leaves the door open for personal injury claims from present (or, more likely, past) employees. For example, there are well over 200,000 repetitive strain injury (RSI) claims in the UK each year. RSI is now known as ‘upper limb disorders in the workplace’.

The law on health and safety at work

There are general duties on all employers under the Health and Safety at Work etc. Act 1974 and the Management of Health and Safety at Work Regulations 1999 that require the risks to health that may be associated with work to be addressed. In addition, the health risks in relation to work with display screen equipment (DSE) are covered by the Health and Safety (Display Screen Equipment) Regulations 1992 as amended by the Health and Safety (Miscellaneous Amendments) Regulations 2002. The Health and Safety Executive (HSE) publishes specific guidance on the subject. Duty holders must comply with the DSE Regulations and guidance.

The DSE Regulations

The DSE Regulations apply to anyone who regularly uses display screen equipment (which includes screens that display text, numbers or graphics) whether at the work site, off site or in a home-based office. An evaluation of display screen use must be carried out, including an assessment of all workstations.

The requirements are in the form of general targets rather than technical specifications:

• Screens should be flicker-free as far as is possible; brightness and contrast should be adjustable. The screen height and angle should also be adjustable allowing operators to avoid glare and maintain a natural and relaxed posture.
• The keyboard should be designed to allow operators to locate and use keys quickly, accurately and without discomfort. (Some employers offer staff a choice of keyboards such as the Microsoft^® ergonomic or ‘Cherry’ styles.)
• The height of the work surface, the work chair and, if necessary, the foot rest should all be adjustable to allow the user to achieve a comfortable position.
• Lighting should be appropriate for the tasks performed and reflections and glare reduced to a minimum.
• Background noise should be kept at a level that does not impair normal conversation. Normal conversation is regarded as the ability to hold a conversation up to two metres apart without raising the voice.
• Ventilation and humidity should be maintained at levels that prevent discomfort and problems of sore eyes.
• Software must be suitable for the task, easy to use and display information in a format and at a pace that are adapted to users.
• Software must not contain quantitative or qualitative checking facilities of which the user is unaware.

The Regulations give users the right to eye tests for display screen work, at the cost of the employer. A user can request a test when they first become a user and at regular intervals afterwards. If the tests show that the user requires spectacles or contact lenses for VDU work, then the employer is responsible for the cost of providing one pair of basic spectacles or contact lenses.

Action plan on health and safety

Employers should do the following to stay out of trouble:

• Assess which workstations require analysis and conduct an appropriate audit to ensure compliance with the minimum requirements.
• Consult with employees to discuss health and safety issues as well as their working environment and set up a reporting procedure to respond to any problems.
• Inform staff of their rights concerning eye tests and the provision of glasses or contact lenses.
• Arrange appropriate training for staff in their use of their workstations and equipment.
• Keep a ‘paper trail’ of all the actions taken by the employer in order to provide a defence against any future personal injury claims by employees.
• Carry out pre-employment health screening, effective sickness absence management and exit health screening to ensure employees’ fitness and capabilities for work.
• Be aware of the requirements of the Disability Discrimination Act 1995 (e.g. providing modifications and adaptations for staff deemed disabled). (The Disability Employment Advisor from the local Placement and Counselling Team in the Employment Service can assist in this.)
• Vary work activities and ensure adequate breaks from work and between tasks.

There is no antidote for employers against an RSI claim, but employers can reduce the risk of successful claims by meeting health and safety obligations, in particular concentrating on posture, ergonomics and working methods.

If you find all this rather tedious and you would like help, ask an occupational health professional. They can provide you with useful advice (beyond simply the minimum legal requirements), such as ways to help staff to avoid back problems. To find an occupational health professional, ring the HSE Information Line to get the details of your local HSE office and the Employment Medical Advisory Service (EMAS). Although they cannot make individual recommendations, they can provide you with details of providers in your area. Occupational health professionals are more likely than lawyers to know the Health and Safety regulations and they are far cheaper.

APPENDIX: SPECIMEN POLICY FOR COMPUTER AND EMAIL USE

We do not wish to restrict in any way your use of our computer system–indeed we encourage it. However, we regard the integrity of our computer system as key to the success of our business. All employees must abide by the following policies to avoid misunderstanding and confusion. Breaches of this policy will be taken seriously and could amount to gross misconduct. You should direct any queries about this policy to the Human Resources Department.

Licensed software

Only properly licensed software may be loaded onto our system. You are not allowed to use within the company any material that you either know, or suspect to be, in breach of copyright. In addition, you are not allowed to pass such material on to anyone else. It is important to bear in mind that breach of copyright for business purposes can be a criminal offence both by the company and by the individual concerned. No software may be loaded onto our system without first obtaining the express permission of the IT Department. Software includes business applications, shareware, entertainment software, games, screensavers and demonstration software. If you are unsure whether a piece of software requires a licence, please contact the IT Department. The copying of software media and manuals is also prohibited.

Networks

You are not allowed to make any change to the connection or configuration of your PC. None of our PCs may be connected to a customer’s network without permission from the IT Department and written permission from the customer concerned. In addition, none of our PCs may be connected to a public network (e.g. the internet) without permission from the IT Department.

Disks

You must not use disks from unknown sources or from home computers.

All data disks must be virus-checked before they may be used on our computer system.

Viruses

Generally, more damage to files is caused by inappropriate corrective action than by viruses themselves. If a virus is suspected you should do nothing more until instructed. The matter must be reported immediately to the IT Department. The most likely way that our computer system will be infected by a virus is from an external message. Any outside material must be properly virus-checked before being loaded on to our computer system. Many viruses are now spread by email messages and use the address book of the recipient to pass it on to other people. Some of these viruses are activated when an attachment to the message is opened. Creators of these viruses frequently encourage the user to open the attachment simply by using a header such as ‘You must read this!’ You should not open any attachment of this type and must generally be suspicious of any message that is received from an unknown source. In other words, only open mail when you know it is from a reliable source. If you receive email warnings about viruses please ignore the instructions they contain. In the majority of cases they are hoaxes and the instructions, if followed, will damage our computer system.

Customer procedures

If you use a customer’s computer system you must observe the customer’s rules relating to their computers. In the absence of any such rules, our rules should be followed.

Access

You are only allowed access to those parts of our computer system that you need in order to carry out your normal duties.

Inappropriate material

You must not view or download or pass on any pornographic material on our computer system or place obscene or offensive screensavers on your PC. In line with the normal rules that apply to you as an employee, you are not allowed to send racist, sexist, blasphemous, defamatory, obscene, indecent or abusive messages on our computer system, either internally or externally. Do think carefully before sending any questionable messages that could reflect badly on us as a company.

Use of the internet at work

The primary reason for our providing you with internet access to use websites and/or email is to assist you in your work for us. You are allowed to send personal emails in a similar way to the way that minor incidental personal telephone use is allowed. Such activity should not be excessive and must not affect your ability to work properly for us during normal working hours. Personal emails should be kept to a minimum and the company’s footer must not be shown on a personal email.

You are not allowed to send unsolicited emails or emails to multiple recipients or to use email for personal gain. You are also not allowed to use the company’s internet access and email system to sign up for online shopping, internet membership schemes or chat rooms.

Business emails

You must not order anything on our behalf by email without proper authorisation.

You should always bear in mind that an email from the company has the same legal effect as a letter from the company on the company’s notepaper. This underlines the importance of being careful with what you say in an email in case it is misunderstood. All company emails must contain our standard footer, which will be notified to you from time to time. As stated above, personal emails must not contain the company’s standard footer.

Confidentiality

Before sending any confidential information by email consider carefully whether appropriate steps have been taken to maintain such confidentiality.

Email is not inherently a more secure medium of communication than traditional means, and emails can be easily copied, forwarded and stored.

Security

Do not give internal passwords to anyone outside the company. In addition, you must not give any customer-related security information to anyone other than the customer unless specifically authorised in writing by the customer in advance.

Records

Keep proper records of our dealings with outsiders. It is always possible that what appears to be a relatively trivial point could be of immense significance later. It is not possible to foresee what will subsequently need to be checked so keep a complete record of all transactions.

Data protection

If you have access to data about individuals you must bear in mind at all times the provisions of the Data Protection Act 1998. Guidance on these may be obtained from the HR Department.

Passwords

Use passwords at all times and change them at the intervals notified to you.

Do not select obvious passwords. All passwords must be kept confidential.

Backups

Regular backups must be carried out in accordance with the rules laid down from time to time. Critical information should not be stored on the hard disk of your workstation in case it is lost.

Misuse

Misuse of computers is a serious disciplinary offence. The following are examples of misuse:

• Fraud and theft;
• System sabotage;
• Introducing viruses and time bombs;
• Using unauthorised software;
• Obtaining unauthorised access;
• Using the system for unauthorised private work or game playing;
• Breaches of the Data Protection Act 1998;
• Sending abusive, rude or defamatory messages via email;
• Hacking;
• Breach of the company’s security procedures or this policy.

This list is not exhaustive. Depending on the circumstances of each case, misuse of the computer system may be considered gross misconduct, punishable by dismissal without notice. Misuse amounting to criminal conduct may be reported by us to the police.

Breaches

All breaches of computer security must be referred to the IT Department. If you suspect that a fellow employee (of whatever seniority) is abusing the computer system you may speak in confidence to the HR Department. You are responsible for any actions that are taken against us by a third party arising from restricted and/or offensive material being displayed on, or sent by you through, our computer system.

Monitoring

The company reserves the right to intercept and monitor your communications, including email, internet use and telephone calls. This right to monitor may be exercised, for example, to decide whether communications are relevant to the business, to prevent or detect crime or to ensure the effective operation of the system. In addition, the company reserves the right to monitor communications in order to determine the existence of facts, to detect unauthorised use of the system and to decide the standards that ought to be achieved by employees using the system.

Improvements

We welcome suggestions from you for the improvement of this policy. These should be directed to the HR Department.