Why your business needs an Internet and email policy
This article will be useful reading to all managers and employers
Most businesses provide Internet access to their employees with the aim of faster and improved communication between businesses and within offices and departments. However, as you may well have experienced, it can be a double-edged sword. The Australian Privacy Commissioner has published Guidelines on Workplace Email, Web Browsing and Privacy. The guidelines do not have the force of law, but they complement Commonwealth privacy laws and provide ‘best practice’ strategies.
As well as being a time-waster, Internet access raises other issues when employees click the ‘send’ button too readily, perhaps without thinking about confidentiality. Further, free rein of the Internet allows employees to download almost anything they like. Without a clear written policy, it is difficult for you to maintain security. And lastly, of course, employers are liable for the acts and omissions of their employees – this puts you in a tricky situation.
It is therefore advisable for all businesses to have an Internet and email policy. It is also essential to monitor email and Internet use in some way.
General requirements of a workplace Electronic Communications Policy
The policy should:
- Be made available to staff (management should ensure it is known and understood by staff). Ideally the policy is linked from a screen the user sees when they log onto the network;
- Be explicit as to what activities are permitted and forbidden;
- Clearly set out what information is logged and who has rights to access the logs and content of staff email and browsing activities;
- Refer to computer security to the extent that improper use of email may pose a threat to system security, to privacy and to the legal liability of the organisation;
- Outline in plain English how the organisation will monitor staff compliance with company rules on acceptable use of email and web browsing; and
- Be reviewed regularly in accordance with the development of the Internet and information technology.
Drafting your policy
When drafting your internet and email policy, the following general principles should be considered:
- Use of email and Internet should be consistent with employee responsibilities and should comply with all your other rules and procedures;
- Avoid permitting activities which might be illegal, offensive or likely to have negative repercussions;
- Decide the extent to which employees can use the Internet and email for personal purposes. Set down the parameters clearly and specify the consequences of misuse/abuse of the system, including disciplinary action and summary dismissal;
- Depending on the nature of your business, a higher level of security (for example, encryption) could be useful where email is used as a means of sending business information;
- Hacking and/or unauthorised modification of computer material is a criminal offence. Ensure your policy repeats this.
Your vicarious liability
An employer can be held liable for any representations made or contractual arrangements entered into by its employees if the employee was acting under the employer's authority. So if an employee sends an obscene joke around the office to which someone takes offence, you, the employer, could be liable when the person who took offence makes a discrimination claim. So set out clearly all activities which are prohibited.
- Casual contractual undertakings given in a business context may bind you unintentionally;
- You could be sued for inaccurate statements or misrepresentations;
- Some statements may amount to defamation;
- Unlawful or unfair processing of personal data may cause the firm to be in breach of its data protection obligations;
- Illegal or unlawful activities may incur criminal liability.
An employee's electronic address at work identifies not only the individual, but also the business. Therefore, any activity engaged in by an employee on-line may negatively impact on your business.
Monitoring email and Internet use
There are currently no laws prohibiting the monitoring of an employee’s emails or Internet use. However, there is controversy about whether the Commonwealth Telecommunications (Interception) Act 1979 applies, as it does to other communication, to email and Internet use. Whether it does depends on the interpretation of the word ‘telecommunications’. At any rate, if you plan to monitor an employee’s email or Internet usage, you should do so with caution and respect:
- Take all reasonable steps to inform the recipient and caller that the email and/or phone call will be intercepted;
- Be open about monitoring. Limit personal use and set out any restrictions clearly. Ensure that employees know that their email and Internet use will be monitored before they begin using it or before monitoring begins;
- Do not intrude on the privacy of the employee and provide a mechanism for employees to delete email from the system;
- Limit monitoring to an automated process. Do not monitor the content of emails unless the traffic record alone is not sufficient and do not open emails which are clearly personal;
- Any personal information that is found that concerns employees must be used fairly;
- Establish a business purpose for monitoring (for example, to ensure that working time is used productively), and ensure that the impact on staff is not out of proportion;
- Do not monitor web sites visited/content viewed unless the business purpose cannot be achieved by recording the time spent on the Internet;
- In using the results of monitoring, take into account the ease with which sites can be visited by accident, and always give the employee an opportunity to explain or challenge the results;
- If you permit employees to access the Internet for personal reasons, ensure that no record is kept of the sites visited. If this is not technically possible, you must ensure that employees are made aware of what is retained and for how long.
Dismissal for breach of the electronic communications policy
An employer may dismiss an employee for misuse of workplace Internet or email resources provided the employer:
- Clearly demonstrates the use was an unauthorised use as defined by the electronic communications policy (otherwise the employer could be said to have impliedly authorised the usage);
- Investigates the employee in accordance with any workplace disciplinary policy (if existing) and workplace relations law; and
- Gives the employee the opportunity to respond to the allegations.
What should I do?
- Review your current procedures regarding email and Internet use;
- If you don't have an email policy, you should get one which takes into account the issues raised here;
- Remember you can monitor email and Internet use, as long as your purpose falls within the circumstances set out above and you have made your employees and all recipients aware that the communication may be intercepted;
- If you implement a new policy, notify all employees that there will be a change of their contract terms, identify the date of implementation and give employees an opportunity to review the policy. Any policy can only be effective if it has been brought to the attention of employees and they follow it. So you must not rely only on the policy but must also educate your employees on the correct use of email and the Internet. Nor can you turn a blind eye to abuse of an existing policy and then expect to suddenly enforce it against one or a number of employees.
Please note that the information provided on this page:
- Does not provide a complete or authoritative statement of the law;
- Does not constitute legal advice by Net Lawman;
- Does not create a contractual relationship;
- Does not form part of any other advice, whether paid or free.