HR and IT must work together to implement practical technology and policies
for staff e-mail and internet use. Sue Weekes reports
In the time it takes you to reach the end of this sentence, around three million
e-mails will have flown out of in-boxes across the UK. According to figures
from the London Internet Exchange, 1.3 million are sent every second in this
country, with the average person receiving a new e-mail every five minutes –
and some of us far more than that.
"A bulging in-box has become the equivalent of a male posing
pouch," says Monica Seeley, co-author of the recent book, Managing E-mail
in the Office.
Without doubt, e-mail provides organisations with the most powerful communications
tool there has ever been. Like every other department in the organisation, HR
can reap the benefits of this business-critical medium, but it also delivers a
minefield of issues right on the profession’s doorstep.
Leakage of sensitive corporate information, staff being abused in
colleagues’ e-mails, harmful viruses entering the network via attachments and
loss of productivity due to high volume of personal e-mailing, are no longer
just issues to be debated. They are actually happening in the workplace every
day of the week.
If Jo Moore’s ‘bury bad news’ message wasn’t enough to convince HR
professionals of the potential perils of careless e-mailing, then BBC2’s
E-mails You Wish You Hadn’t Sent repeatedly demonstrates the disruption an
ill-judged piece of digital correspondence can bring to the workplace.
It is no longer just about anecdotal evidence and supposition. A survey of
212 employers carried out by Personnel Today and KLegal last September revealed
that there were 358 disciplinary cases for internet and e-mail use compared
with a combined total of 326 for dishonesty, violence and health and safety
This is despite a fifth of employers monitoring e-mail usage on a daily
basis, compared with 11 per cent 18 months ago. The rise in figures clearly
demonstrates that HR can no longer abdicate its responsibility for tackling
these issues to IT.
"The whole topic has been dominated by the IT function and HR has let
IT lead," says Jonathon Hogg, a member of the management group at PA
Consulting Group. "But now it’s swinging towards HR because of the
disciplinary procedures that need to be put in place." Hogg’s views and
the survey’s findings are backed up by the practical experience of barrister
Jonathan Naylor of the Employment, Pensions and Benefits Group at business law
firm Morgan Cole.
"HR and IT have different perspectives and there can be a mismatch
between their needs," he says. "But we have definitely seen an
increase in the number of people being disciplined for such offences in the
past six months. This is leading to a greater awareness on the part of HR and
the decision to tackle it rather than sweep it under the carpet."
However, this is perhaps easier said than done. For a start, while a raft of
clever security, monitoring and filtering software exists to impose
restrictions and controls, current legislation such as the Human Rights Act
(1998), the Data Protection Act (1998) and the Regulation of Investigatory
Powers Act, currently conflict each other when it comes to e-mail.
For instance, the latter was brought in last year, and allows employers to
monitor staff phone calls, e-mails, faxes and internet use in certain
situations; yet the Human Rights Act throws this into a grey area as it states
individuals have a ‘reasonable expectation of privacy’. It is hoped that the
code of practice being set out by the Information Commissioner’s Office (ICO)
will bring some clarity to proceedings, but this remains to be seen.
Legislation is important in such a discussion, but HR and IT’s mission is to
put preventative measures in place that eliminate problems before they get to
the legal stage. Typically, these will be policy and procedural-based, and will
be supported by appropriate technological controls, such as firewalls and
Your organisation may already have an e-mail policy in place, but rapid
technological advances emphasise the importance of revising this regularly. If
you have not yet established an internet usage policy, it is a good chance to
bring the two together as Scottish Water did after its merger (see box).
Geoff Haggart, vice-president of EMEA at internet security company Websense,
which specialises in employee internet management solutions, says the e-mail
monitoring market is more mature than internet monitoring, but there is every
need for policies to be reviewed constantly to keep abreast of what is now
possible at the desktop.
"We have things such as instant messaging and personal storage sites
now, for example, and the use of attachments is much bigger now," he says.
Similarly, the use of web-based e-mail such as Hotmail and Yahoo accounts
have grown rapidly in recent years, and were cited by IT professionals as one
of their top three concerns, along with personal web surfing and software
downloads in the Emerging Internet Threats survey, conducted by Websense and
Infosecurity Europe 2003 (the latter are organisers of Europe’s largest
information security event).
Other worrying statistics highlighted by the survey, which focused on
internet usage rather than e-mail, was that 94 per cent of IT departments
admitted to dealing with security issues as a result of employees’ use of the
internet, and 71 per cent of policies made no provision for guidance on the use
of personal storage sites – potentially a lethal area when it comes to
breaching corporate security, Haggart believes.
"An employee could save a Word document to a personal storage site so
they could work on it from home, and in doing so, allow a confidential document
to go out on the web," he explains. "HR needs to brush up on the
availability of things like this when putting policies together."
HR cannot be expected to get to grips with every facet of cyber
vulnerability any more than it can be expected to know the pros and cons of the
vast range of products available to combat it. What it must do, is consult with
IT about the main areas of concern, and return to IT once a policy is drafted
to find out whether the technology exists to support its aspirations.
It would seem that ‘being reasonable’ in both technical and policy-related
approaches to e-mail controls is the key to success. Certainly when it comes to
personal e-mail or internet use, you just have to accept that staff will use it
for personal reasons on occasions, just as they use the company phone. Banning
it completely is hardly a management vote-catcher, and is more likely to damage
the company brand than yield any positive results.
If workers are told their e-mails may be monitored, and company policy
details that they may be liable to disciplinary action if caught abusing the
system, this will be enough of a deterrent for much of the workforce.
Drafting a policy with the help of the legal department, then getting
employees to agree to it (typically by clicking an ‘I agree’ box when they log
on to the system) isn’t necessarily difficult. The problem lies in making staff
aware of the policy’s details and ensuring it is being communicated and
enforced by line managers as well as the HR department. After all, who hasn’t
clicked an ‘I accept’ box when loading software without reading it?
"At the moment, the vast number of companies have an ‘acceptable use’
policy in place, but they have to consider whether that policy is really
effective and whether it is being enforced," says Naylor. "The HR
profession is generally aware of the relevant legislation, but it has to be
proactive in distilling information down to line managers who don’t always know
The security and misuse issues that surround e-mail are big enough for HR to
deal with, but they should also be aware that the extent to which this vital
communications channel has entered our lives and culture is also changing the
way people work and operate – and it isn’t something that can be controlled by
policies and software.
What is required is a roadmap to help bring some order to the way we use
e-mail so that you manage your in-box, rather than the other way round.
Otherwise, we all run the risk of becoming little more than e-mail response
Case study: Scottish Water
When North, East and West of Scotland
Waters merged into Scottish Water, it gave HR director Paul Pagliari an
opportunity to develop a single e-mail and internet usage strategy to replace
the mixture of different policies that he had inherited. There is no great
mystery to putting an e-mail policy in place, he says. The key is ensuring
there is "no ambiguity in the policy".
"It’s about being upfront with people, and being honest
and reasonable, " he adds.
Scottish Water accepted that it had to allow reasonable use of
the web and e-mail for personal reasons, but staff have to ask their line
manager for permission to register for it. This is a one-off request, he says:
"It requires a positive act of communication and therefore is far more
On registration, staff can read the policy on screen and must
click an ‘I accept’ button. Afterwards, a screen with the policy set out pops
up whenever the computer is idle. "We follow this up with occasional
e-mail monitoring," says Pagliari. "We haven’t had to discipline any
employee, but make it clear we would
have no hesitation in following through with action if we needed to."
So what technology is available?
Monitoring and security products can
be broadly grouped into three different levels: those that work on the outer
perimeter of a company network, such as firewalls, which can block everything
from internet shopping to e-mails with a specific word in them; those that work
on server level, and those that work at desktop level, which are often largely
It is likely that you will decide to engage an external
specialist along with IT. Computer Associates (CA) is market leader in what is
called the 3A market – which stands for authentication, authorisation and
administration (of all kinds of data).
Simon Perry, vice-president of CA’s security strategy, explains
that the company is typically called in to tell HR what is technically
possible, but warns that "perfect security most likely comes through
absolute inconvenience," he says. "We sometimes have to suggest that
people ratchet down a bit."
Implementing controls is one thing and measuring how effective
they are is another, but Clearswift – which has a 23 per cent share of the
global content-filtering market – recently launched what it describes as the
industry’s first ‘black box’ service to check corporate e-mail security.
Called ClearDetect, it establishes any areas of vulnerability
by scanning e-mail traffic via the black box which sits alongside the corporate
network. Data collected can include the volume of e-mail traffic (including
attachments), and compliance and confidentiality violations.
"In beta-testing, trial customers who thought they were
safe found pornography, sensitive information being leaked and even employees
running their own businesses," says Clearswift chief marketing officer,
The eight principles of data protection
There are eight enforceable
principles of good practice outlined by the Information Commission. Anyone
processing personal data must comply.
Data must be:
1 Fairly and lawfully processed
2 Processed for limited purposes
3 Adequate, relevant and not excessive
5 Not kept longer than necessary
6 Processed in accordance with the data subject’s rights
8 Not transferred to countries without adequate protection.
Personal data is defined as facts and opinions about the
individual and includes information regarding the intentions of the data
controller (usually the employer) towards the individual, although in some
limited circumstances, exemptions will apply. Processing now incorporates the
concepts of ‘obtaining’, holding’ and ‘disclosing’.
Source: the Information Commission
Other useful websites
Freedom of Information
The Lord Chancellor’s department’s site has all you ever wanted
to know on the Freedom of Information Act
British Computer Society (BCS)
Get the BCS’ view on the impact the European Union Directive on
Data Protection will have on us