20 February 2006

According to a survey by the DTI, roughly 90% of UK businesses have email and internet access.  Some 22% of those organisations had experienced instances of misuse, and in large companies, that figure rose to 64%.  Another survey found that between a fifth and a quarter of employers have dismissed someone in the last 12 months for email or internet misuse.

Yet how many of those terminations were fair dismissals? Without a properly implemented and enforced internet and email policy, an employer may find it difficult to show that the employee was properly aware of the consequences of misuse and consequently, a dismissal for internet misuse may not be justified. 

Every business which has email and internet access should consider very seriously putting an internet and email policy in place.  The policy should clarify what is acceptable and what is not and must set out the consequences of breaching the policy.  Once that policy has been finalised, it should be rolled out across the business and clearly communicated to all staff.  Once in force, it must be properly enforced when misuse takes place and regularly reviewed to ensure that it is up to date.

The burning question for many businesses however, is how to establish the correct line to take on internet and email usage.  It is often unrealistic to prohibit all personal email and internet usage and so it is essentially a question of getting the balance right.  The first stage should be to assess the risks to the business and consider which steps to put in place to protect it.  The main reported problems with internet and email misuse are accessing indecent or offensive websites (such as pornographic, racist, sexist or illegal sites), downloading or installing unofficial or unauthorised software, gambling or playing games online, internet shopping and excessive use of personal email.

The approach will depend upon the nature of the business and of the employees working with it.  The most frequently used approaches are:

1. Providing a separate computer in a communal area for personal use outside normal working hours
2. Allowing personal browsing and email use on the desktop but only outside work time and excluding access to undesirable sites
3. Allowing personal use at any time provided it adheres to the policy
4. Allowing different levels of access to different employees e.g. according to different security levels.

The key issue is strike a balance between the employer’s interest in running an efficient business and protecting its information and IT on the one hand and on the other hand, the employee’s interest in protecting his/her privacy.  There are various pieces of legislation which govern these issues, including the Data Protection Act 1998, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 and the Human Rights Act 1998.  A good policy needs to be compliant with the each of these.

A properly implemented and enforced policy should encourage efficient working, protect the organisation’s information security (such as by minimising viruses introduced from outside sources, minimising junk mail and reducing careless use disclosure or loss of business documents and laptops) and reduce the employer’s legal liability by encouraging a harassment–free environment and reducing the risks of online defamation.  If your business has not already put such a policy in place, it’s time to start thinking hard about it now.

Contact any member of the employment team if you wish to purchase our internet and email policy for your business.