Nick Hobden and Ben Stepney discuss some steps that can be taken to prevent misuse of IT in the workplace, focusing on social networking sites, blogs and the regulation of workers use of the internet.
In February, a 16-year-old from Essex was dismissed three weeks into her job after she described it as "boring" on her Facebook page. In March, a prison officer in Leicester was dismissed for gross misconduct after it emerged that he was using Facebook to make friends with inmates and former prisoners. We have a new phenomenon – Facebook misconduct dismissals.
The increasing use of blogs, social networking sites and access to the internet in general present employers with many challenges when dealing with the misuse of IT in the workplace.
The issues for HR
As an employer is generally liable for the acts of its workers during the course of their employment, a blog that is written during work time or that can be traced back to the employer’s computer system could expose an employer to various legal claims.
Blog entries may contain language that is insulting or demeaning and so potentially unlawful towards other workers, which could end up forming part of discrimination or other employer misconduct claim. The issue for employers is to what extent this can be monitored and the risks accompanying such monitoring.
"Blog entries may contain language that is insulting or demeaning and so potentially unlawful towards other workers."
Under the Data Protection Act 1998 (DPA), electronic forms of workplace surveillance involve the processing of personal data, and so will be subject to the DPA. Opening up individual worker’s emails or examining logs of websites visited amount to ‘monitoring’.
The European Convention on Human Rights grants workers a degree of privacy in the workplace. In general, any interference with privacy must be no more than is reasonably necessary and the employer should have good reasons for doing so. Any monitoring of workers electronic communications will need to factor in this principle.
There is also the risk that an employer could be found to have discriminated against a worker if the worker feels that they have been unfairly targeted for monitoring as a result of their sex, race, age, disability, religion or sexual orientation. An employer who is over-zealous in its monitoring of a worker could even be found to have breached the duty of trust and confidence owed to the latter, potentially resulting in a constructive dismissal claim.
Implementing policies to address IT misuse
The implementation of an electronic communications policy that specifically includes blogging, social networking sites and the use of the internet to browse websites will help to manage the risks outlined above.
Such a policy will reduce the scope for misunderstandings as to what is permitted, help educate workers about the legal risks they might be inadvertently taking, and inform workers how their privacy will be respected.
It will make it easier to take disciplinary action if an employee is in breach and may go some way to protecting the company from claims by third parties. A good policy will restrict taking part in blogging or social networking sites where the participation could be traced back to the employer during office time or might be likely to cause embarrassment to the employer.
"Workers must be made aware of the consequences of breaching the policy and that disciplinary action will be taken, which could result in dismissal."
A policy would not be able to prevent workers from blogging outside of work, but it can set guidelines for what is acceptable if workers choose to discuss their work. Employers should consider the example of Microsoft, which actively encourages its workers to maintain blogs that comment on the company’s products. Many organisations have their own corporate blogs and find that these can be useful marketing tools.
Another step employers should consider is inserting a clause into contracts of employment stating that bringing the employer into disrepute is a ground on which an employee could be disciplined or dismissed.
Regulating the use of the internet
For a policy to be successful, an employer needs to be able to check that it is being complied with. This will usually take some form of monitoring of electronic communications in the workplace.
Under the DPA, workers must be made aware of the extent to which their employer will be monitoring its IT systems and the employee’s use of email and the internet at work.
The Information Commissioner’s Office Employment Practices Code gives guidance on monitoring at work in the context of the DPA. Monitoring should only be undertaken where:
- The advantage to the business outweighs the intrusion into the workers’ affairs;
- Employers carry out an impact assessment of the risk they are trying to avert;
- Workers are told of the nature and extent of the monitoring;
- Information discovered is only used for the purpose for which it was carried out; and
- Information is kept secure.
Under the Regulation of Investigatory Powers Act 2000, any covert monitoring is likely to be unlawful unless undertaken for the prevention or detection of crime.
Disciplinary measures for misuse
Workers must be made aware of the consequences of breaching the policy and that disciplinary action will be taken, which could result in dismissal. The policy must always be applied consistently and fairly in compliance with the principles of fairness set down in the Employment Rights Act 1996 and case law relating to unfair dismissal.
Employers will no doubt develop their own elaborate policies, but as a guide, if there is a suspicion that workers are using networking sites in breach of the IT policy, it is worth reminding them of the policy and that disciplinary action will follow any breaches. A worker who continues to breach the policy cannot then be surprised if strong disciplinary action is taken.
A first disciplinary offence under the policy could result in a warning. Dismissal should only be considered if an employee consistently breached the policy or if the employee’s conduct amounted to gross misconduct.
Employers should bear in mind that taking disciplinary action against an employee for the content of their blog may result in adverse publicity. Waterstones’ decision in 2005 to dismiss an employee for making inappropriate comments about the company on his blog attracted much media attention.
Nick Hobden is a Partner and Head of the Employment Department, and Ben Stepney is a trainee solicitor, at law firm Thomson Snell & Passmore.
