Exploring the dark side of cyberspace

A spate of sackings for downloading and distributing pornography has brought
this most pernicious of workplace issues into the open. Employers can no longer
afford to turn a blind eye, warns Jessica Learmond-Criqui

The Internet is cyberspace heaven for voyeurs of sexually explicit images.
Never before have such images been so easily accessible and storable. Now
experience is bearing out what many employers have feared – that employees are
abusing their computing equipment to surf the Web for pornographic images and
store or distribute them on their employer’s equipment.

City bank Merrill Lynch and telecommunications giant Orange recently hit the
headlines for sacking dozens of employees for using their equipment during
working hours to access and distribute by e-mail "offensive" images
among colleagues and other contacts. Indeed there has been a whole spate of
sackings and disciplinary warnings by large multinationals.

There are wide implications for the employer that continues to turn a blind
eye to this kind of activity. Not only might the employee be committing a
criminal offence for which he may be prosecuted, but the employer may be taken
to be tacitly approving of such activity by not having systems in place to
prevent it.

There is also liability for sexual harassment to consider. The downloading
and viewing of sexually explicit images in the workplace by male workers has
been held to constitute sexual harassment if it makes the working environment
uncomfortable for a female co-worker, such as in the case of Morse v Future
Reality (ET case no 54571/95). In the United States, this kind of sexual
harassment by e-mail has been the subject of million-dollar compensation
payments.

One might imagine that an employee would never use his or her employer’s
equipment for the sale and distribution of pornographic images for personal
gain. But think again. East Anglian law firm Birketts issued a warning to other
employers to beware after its IT manager admitted running an Internet child
porn racket from the firm’s offices. The employee made tens of thousands of
pounds while running the web site during work time. He was released on
conditional bail until 31 March 2001, when he will be sentenced.

In the current legal environment there is a trend of making employers
accountable for employees’ actions. It may not be long before employers are
expected to act as police to counter the increase in pornographic traffic over
the Internet.

This is an issue which will not go away and could result in embarrassment or
worse if employers bury their heads in the sand or in controversy if they
summarily sack employees for engaging in such activity. It is essential that
employers understand the difficulties for them and for their employees to avoid
not only liability but also losing valuable staff and attracting adverse
publicity which may devalue their brand images.

Criminal offences

Many employees may need to be made aware of criminal offences they are in
danger of committing with the use of computer equipment. Essentially, the
access of adult sites for one’s own personal use is not, in itself, a criminal
offence. However, when such material is attached to an e-mail and sent to
another person, whether a work colleague or otherwise, then it breaks the
boundary between legal and illegal conduct and becomes a criminal offence.

The Obscene Publications Act 1959 makes it a criminal offence, punishable by
prison or a fine, to send material (including by e-mail) to another person,
whether or not for personal gain, which tends to deprave and corrupt the
recipient. This is a test left not to the recipient to decide, but to the
courts. The answer is likely to be positive in all cases of pornographic
images.

Child pornography is another matter. It is an offence simply to have a
pornographic image of a child in one’s possession, whether or not for the
purposes of gain (section 160 of the Criminal Justice Act 1988). It is also an
offence if such images are kept with a view to being distributed or shown to
others under section 1 of the Protection of Children Act 1978.

In his defence, an employee can show he had not seen the photograph and did
not know or have any cause to suspect it to be indecent, or that the photograph
was sent to him without any prior request made by him or on his behalf and that
he did not keep it for an unreasonable time.

This will protect the truly innocent. However, if he prints or stores such
information on disk, then he can be convicted of possession and of
"making" photographs because downloading, even from sites outside the
UK, is considered to be the "making" of a photo (R v Bowden, 2000, 2
WLR 1083).

It is not only the employee who could be committing an offence in possessing
pornographic images of children: employers too could be criminally liable.
Section 3 of the PCA 1978 makes companies guilty of an offence if they have in
their possession pornographic pictures of children and it is proved the offence
occurred with the consent, connivance or was attributable to the neglect on the
part of any director, manager, secretary or other officer of the company. In
such a case, both he or she and the company would be guilty of an offence,
liable to imprisonment for six months or a fine.

As yet, there have not been any cases of prosecutions under the PCA 1978
where such pictures exist on an employer’s equipment. But the PCA 1978 is still
untested where an employer has an IT policy which permits it to monitor
Internet use and there are pictures of child pornography being imported onto
its system.

It may prove to be impracticable for the police to prosecute employers under
the PCA 1978, but this is nonetheless a risk which a prudent employer is
unlikely to want to take.

Creating a pornography web site using work equipment which may be accessed
by others is an offence subject to imprisonment. In the case of R v Fellows and
R v Arnold, 1997, 2 All ER 548, Fellows did precisely that and was imprisoned
for three years.

Finally, it is an offence to send through public telecommunications systems
a message or other matter which is grossly offensive or of an indecent, obscene
or menacing character under section 43 of the Telecommunications Act 1984. This
would apply to pornographic images attached to e-mail. The penalty is six
months’ imprisonment or a fine.

Taking action

If turning a blind eye is no longer an option, how should employers deal
with this sensitive and damaging problem? Can they sack employees for gross
misconduct without risking wrongful and unfair dismissal claims? And how far
can they monitor an employee’s computing activities?

The employer who does not have a formal IT policy puts itself at risk of
wrongful and unfair dismissal claims by employees sacked for downloading
pornographic images.

It is a question of degree whether a dismissal will be fair in light of the
material accessed. Summary dismissal for gross misconduct where employees
accessed adult pornography for private purposes has been held to be unfair in
the absence of an appropriate IT policy.

However, summary dismissal for the access and distribution of adult
pornography for personal gain or the access of other types of pornography
including child pornography is far more likely to be deemed fair.

It is also worth noting that if others within the organisation continue to
view the material in question after employees are sacked, this may result in
further claims of discrimination if sex or race factors are relevant.

How far employers can go in monitoring the use of their equipment by
employees has been the subject of a frenzy of activity by lawmakers and
watchdogs, which has now left employers unsure whether routine monitoring can
be justified.

Since 24 October, an employer must by law have an IT policy or something
similar in order to intercept employees’ communications, provided that such
access is for, among other things, the prevention or detection of crime, the
detection of unauthorised use of equipment or to determine whether
communications are relevant to the business.

Otherwise, the employer will be committing a criminal offence punishable by
a prison term or fine. Seeking to prevent and detect the downloading or
distribution of pornographic images would fit within any of these purposes.
This results from new legislation, the Regulation of Investigative Powers Act
2000, which came into force on that date.

However, confusingly, a new draft code of practice from the Data Protection
Commissioner proposes that businesses which routinely monitor the content of
communications could fall foul of the Data Protection Act, and that it is rare
routine monitoring will be justified. Breaches of the code may be the subject
of fines by the Data Protection Commissioner. The DPC counsels employers to
inform their employees they may monitor their activities before doing so and to
balance decisions on monitoring with employees’ right to privacy and autonomy.
It is thought the commissioner’s advice may be modified to bring it into line
with the new regulations before it is officially launched.

The Human Rights Act 1998 which came into force on 2 October should not be
forgotten, either. Article 8 gives individuals, among other things, a right to
respect for private life. Following the case of Alison Halford v UK, this seems
to extend to the use of company telecommunications. But the right can be
transgressed if the interference is legal and required for, among other things,
the prevention of disorder or crime, the protection of health or morals, or the
protection of the rights and freedoms of others.

How the Act, which overlays all legislation, will be interpreted in relation
to monitoring generally remains to be seen.

Jessica Learmond-Criqui is partner and head of the employment and
benefits group at Fladgate Fielder

Pornography: what the data protection code says

– Set out clearly the limits on Internet access.

– Specify clearly restrictions on material that can be viewed and copied:
are restrictions limited to pornographic images of children, or to obscene
material that it is an offence to publish but not to possess? What about
"top shelf" material that some may find distasteful but many would
not regard as pornographic?

– Do not monitor sites viewed unless it is clear the business purpose cannot
be achieved by other means, such as simply recording time spent accessing the
Internet.

– As far as is practicable, enforce your Internet access policy by technical
means (such as forensic software that scans computer systems for graphics files
or those containing excessive skin tones) rather than monitoring.

– Ensure monitoring is justified by a realistic analysis of the risks faced.
For instance, if monitoring can be justified on the basis of protecting the
employer from criminal liability or preventing employees engaging in criminal
activity, is there evidence such activity is actually taking place or is likely
to take place?
If it is to prevent offence to other employees, is there evidence that such
offence or distress will be caused, rather than mere embarrassment? Could the
problem be dealt with through normal grievance procedures?

– Information obtained from monitoring should be disregarded unless it
reveals activity posing a significant risk to you as an employer.

– In using the results of monitoring, take account of the ease with which
web sites can be visited unwittingly through unintended responses of search
engines, miskeying, and so on.

– Ensure as far as is practicable that if employees are allowed to use the
Internet for personal reasons, no record is kept in the system of sites visited
or content viewed.

Where this is not technically possible, ensure employees are aware of what
is retained and for how long.

Comments are closed.