Following on from last month’s feature looking at social media, this month we are taking a look at the broader aspects of IT and Communications and the important aspects of related workplace policies.
An effective IT and Communications Policy should outline the standards you expect from your employees when using your company’s technology and systems. It should clarify how you may monitor usage and the action that may be taken for not following those standards.
As with any policy this is an opportunity to reflect your organisation’s values and to tailor specific details to the nature and working practices of your organisation, and the technology and systems you use. While an IT policy will tend to be quite prescriptive in nature compared to other policies in the Employee Handbook, it is nevertheless advisable to leave some flexibility in wording to cover the evolving nature of technology and devices that may be used.
Information security considerations
With the ever-increasing value of data and the modern workplace heavily reliant on systems and technology to process or store commercially sensitive material, information security is key.
You will therefore want to ensure your policy covers permitted access to systems, password requirements and the IT security practices you expect your employees to follow. This may include, for example:
- Any requirements to secure devices (e.g. locking screens, logging off or locking laptops away)
- What technology or devices can be connected to your firm’s network
- Any provisions around accessing firm systems from a personal device, at home, or from another remote location
- Securing technology on the move or travelling (e.g. locking devices, using privacy screens, not accessing firm systems via public networks)
- Guidance around downloading attachments or software
- What to do if a virus is suspected, or a suspicious email or attachment is received
- Password security, including clear rules on the make-up of passwords and password sharing
Your policies should be well supported by training around information security and how to spot potential problems such as phishing. This should not just be part of the induction process; periodic reminders or refreshers can also help instil a culture of appropriate IT use.
Personal use of firm systems or internet at work
As an employer you will need to decide on your approach to personal use of firm systems or electronic devices and personal use of the internet at work. A blanket ban may be unpopular and unrealistic, particularly in industries where employees may work long hours or travel extensively. If you do decide to permit personal use, you will still want to make it clear in your policy that access is primarily for business use and maintain the option to restrict it in the future by highlighting that personal access is a privilege that may be revoked.
You may wish to set time periods during which personal use is acceptable, for example, breaks or outside working hours. Nevertheless, some case law has shown that a policy referring to use only outside core working times was not clear enough (Grant and another v Mitie Property Services UK Ltd (unreported) 2009).
Even if you do allow some personal use you may wish to make it clear that there are certain types of sites you will not permit access to, e.g. webmail, social media, chat forums, audio or video streaming sites. This can also be implemented via web blocking software. You may, however, wish to include procedures for gaining access to sites where the use supports your business needs, or develop tiers of access for different teams or by seniority.
Phones
As well as information security concerns, mobile phones can lead to issues around personal calls, data usage, roaming charges and how bills are handled. Covering these issues off in your policies is therefore advisable.
Email is an essential communication tool in most workplaces. Your policy can help you set standards for the use of email and remind employees that emails can be forwarded on, which means there is no control over who will ultimately see them. Outlining what kinds of communication or business commitments can be made via email can help you manage exposure to commercial or legal risks. In some cases, an email can be considered a contractual commitment.
Incorporating guidelines around emails from unknown senders, attachments, junk mail or chain emails can also help with information security management.
The right to a “private life” in the context of workplace monitoring
Monitoring employees is a complex area and will often throw up questions about how it can sit alongside an employee’s Article 8 right to a private life under the European Convention on Human Rights (ECHR). As a minimum, it is important to ensure that your monitoring activities are proportionate, justifiable for business needs and only to the extent permitted by law. Depending on the industry (financial services, for example), an employer may have to undertake some form of monitoring in order to comply with legal and regulatory obligations.
The European Court of Human Rights (ECtHR) has previously clarified that communications from business premises as well as from home can fall within the Article 8 right to privacy.
Your IT and communications policy should clearly set out whether monitoring will take place in work, what type of activity may be monitored (e.g. email, web pages visited, voicemail, searches carried out, files accessed), how it can be monitored and when. In the case of Barbulescu v Romania (Application no. 61496/08) [2017] ECHR 742, the Grand Chamber of the ECtHR held that Mr Barbulescu had a reasonable expectation of privacy in circumstances where he was aware of his employer’s strict rule against personal use of its IT systems (and had even signed a form to confirm he had read and understood it), but had not been told in advance about the nature and extent of the monitoring, or the possibility that his employer could review the content of his communications.
In the UK, monitoring is already overseen by domestic data protection legislation which places important limitations on an employer’s power to monitor employee communications. Part 3 of the Information Commissioner’s Employment Practices Code recommends that ahead of any monitoring being put in place, employers should carry out an impact assessment to ensure that they balance the need to protect a worker’s privacy against the interests of the business.
The code suggests that workers should have a reasonable expectation of privacy even if accessing a personal email account on their employer’s computer systems, and such emails should only be monitored in exceptional circumstances. With regard to work-related emails, you may wish to clarify in your policy that personal/private emails sent and received should be clearly marked as such.
In respect of company issued mobile phones, while it’s perhaps reasonable to expect some monitoring of use on a company phone in the office, it is considered best practice to make it clear to employees what may be monitored, or recorded (particularly in organisations where there may be regulatory reasons for recording). Any recording without notification could be considered a breach of privacy.
Misconduct related to IT or communications use
Where you wish to prohibit particular types of internet use, email or communications you should make this clear in your policy. If a breach of your standards may be considered misconduct and lead to dismissal you should ensure this is stated in your policy.
When considering any misconduct related to IT or communications use, it is important your policy is applied consistently and fairly. A full investigation and disciplinary process in line with the statutory procedures and your own disciplinary policy should be carried out in all cases.
As with any other misconduct-related dismissal, a thorough investigation is critical to protecting the fairness of a decision to terminate someone’s employment. Investigating IT misuse can be complicated, and it will often be necessary for HR to work closely with IT or even external specialists to establish the source of inappropriate material or the extent of misuse.
Uncovering inappropriate content, such as pornographic material, on an employee’s computer or account may not always provide a definitive answer to the question of culpability and may require more in-depth analysis. In the case of Choksi v Royal Mail Group Ltd ET/2201335/2014 a Tribunal held that the decision to dismiss an employee after pornographic images were found on a work-related cloud store account that had been set up specifically for him was unfair. In reaching its decision the tribunal took account of there being little in the way of technical information about the history of the inappropriate files or how they came to be on that particular account. The employee had maintained that he did not put the images there, and suggested that because there was a common practice of sharing passwords, they could have been put there by someone else.
As outlined in previous articles in this series, ensuring policies are clear on what constitutes unacceptable conduct, and that they are consistently applied can be critical to an employer’s defence of an unfair dismissal claim. It is no different when it comes to matters relating to IT misuse. In the case of Scarlett and another v Gloucester City Council ET/140395/12, a Tribunal held that the dismissal of two employees for using the internet for personal reasons during working hours had been unfair, and instead they should have been issued with warnings and given a chance to improve their behaviour. The case raised two important issues:
- That the employees had made no secret of their personal internet use during working hours, and their line manager had adopted a relaxed approach to such use.
- Gloucester City Council’s IT and communications policy did not cite excessive personal use of the internet as gross misconduct.
Conclusion
A clear policy setting out the standards for technology use is essential for modern workplaces. Writing a policy can give you the opportunity to consider how you can address information security concerns, protect the company’s brand and reputation, and ensure employees’ online behaviour fits with your other policies such as dignity at work.