Employee Internet use can be both beneficial and detrimental

For many employees, email and the Web are indispensable business tools.

When you give your employees internet access, you give them a resource that has the potential to reap enormous business benefits.

But it also has enormous potential to be misused and – in some instances – that misuse can be damaging for the business.

We all have our favourite story about that highly inappropriate email that got into the public domain causing huge embarrassment to both the business and the individuals concerned.

There are also examples of employee blogs that have in some cases resulted in the blogger being dismissed.

One of the earliest cases in UK was that of Ellen Simonetti, a flight attendant, whose “Queen of Sky” blog about her experiences led to her being fired by Delta Air Lines for content that they deemed inappropriate.

The problem is that often people ‘’say” things in email and on-line which they might not otherwise feel comfortable communicating to others in person.

A combination of informality coupled with a lack of inhibition creates a potentially dangerous situation.

What might start out as a jokey email can result in a defamation action.

In one such case, in an out-of-court settlement Norwich Union paid £450,000 to Western Provident Association because of libellous comments on its internal email system about Western Provident Association’s alleged financial problems.

Email is also a common feature in workplace harassment cases.

While it is often one employee harassing another, under the Sex Discrimination Act, the employer can be liable for acts of his employees, whether or not done with the employer’s knowledge or approval.

Breaching confidentiality

Aside from corporate embarrassment and bad publicity, poor IT governance can have an immediate financial impact.

In July 2009, The Financial Services Authority (FSA) fined HSBC over £3 million for not having adequate systems and controls in place to protect their customers’ confidential details from being lost or stolen.

The FSA found that large amounts of unencrypted customer details had been sent via post or courier to third parties.

Confidential information about customers was also left on open shelves or in unlocked cabinets and could have been lost or stolen.

In addition, staff were not given sufficient training on how to identify and manage risks like identity theft.

Use of social networks can impact business in terms of employee productivity.

A recent study suggested that up to 233 million hours may be lost every month as a result of employees spending time on social networks, costing firms over £130m a day.

It can also jeopardise confidential information.

In a recent case involving Hays Specialist Recruitment, the employee stored his business contact information on LinkedIn, the on-line social networking site.

Hays alleged that the employee had uploaded business contacts from the company’s confidential database to his LinkedIn account.

The employee argued he had been encouraged to join LinkedIn and that, once a business contact had accepted the invitation to join his network, the information ceased to be confidential as it could be seen by all his contacts.

How can an employer protect itself from all these various risks?

Banning the use of the technology is unlikely to be the answer.

When the law firm Allen & Overy tried to ban its employees from using Facebook, there was an internal backlash because the lawyers said that they needed Facebook to enable them to network with friends and businesses contacts which would develop business for the firm.

Also, there is no “one size fits all solution”.

Every business is different.

In one case, an investment banker was summarily dismissed by the bank’s HR for viewing adult websites while at work after a report from the IT department.

His immediate boss complained to HR about the dismissal as HR were unaware that he was a leading analyst for the adult entertainment industry and that access to websites with adult content was essential for his work.

The most important way that businesses can manage risk in this area is by developing an IT and communication policy.

Such a policy will clearly define appropriate and inappropriate use of the technology.

Each business will need to define the limits of its own policies.

A key benefit of having a policy is to use it to educate users about the risks for the organisation of inappropriate use and to provide guidance as to how the technology should properly be used.

The policy should clearly outline what is and what is not permissible.

It should also seek, best it can to inform readers as to the consequences that might arise from what appears to be a harmless use of IT.

For example, it may attention to the fact that emails that are thought to be private can be quickly circulated to many people both within and outside the organisation and so should not contain anything that would be embarrassing.

Importantly, policies will provide that, in the event of a breach of the policy, there could be serious disciplinary consequences which might include dismissal.

Having a policy is one thing but it is also desirable to be able to monitor performance of the policy.

This may mean reviewing employees’ emails and web browsing histories.

However, this can be problematic because, under data protection laws, businesses cannot monitor their employees email and internet use in a way which is invasive of their privacy.

If disciplinary action is taken against an employee based on evidence obtained through unfair monitoring then, far from this enabling the employer to dismiss the employee, it could lead to an unfair dismissal claim being made by the employee against the employer.

So how can employers monitor abuse of their systems and gather evidence that may be needed for disciplinary proceedings?

The starting point is that employees have a legitimate expectation that they can keep their personal lives private and that they are entitled to a degree of privacy in the work environment.

If employers wish to monitor their employees, they should be clear about the purpose and be satisfied that the monitoring arrangement that they adopt is justified by real benefits that are delivered.

A key theme, therefore, is “proportionality”.