Employers have been left in a state of confusion over whether they can
legally open personal staff e-mails following the publication of the latest
data protection draft code on monitoring.
The draft code on monitoring was published on the Information Commission’s
website last week for a further month-long open consultation, after employers’
organisations protested over the complexity, length, and content of the
original draft.
But HR professionals, the CIPD and the CBI have called for further
clarification of the definitions in the code over when employers can access
employees’ personal e-mails and under what circumstances.
As the code stands, employers can only open personal e-mails if they have
evidence that an employee is breaking the law.
But organisations can open what the code calls ‘private e-mails’, which
might contain business and private information, as long as the ‘private’
section of the message remains unread.
The monitoring code is the third of four being drawn up by the commission
outlining employers’ responsibilities under the 1998 Data Protection Act.
Diane Sinclair, lead adviser on public policy at the CIPD, said the
definitions are unclear and called for clarification to prevent employers
breaching the Act.
"I am confused and do not understand the distinction. I am surprised
the commissioner has introduced this at such a late stage," she added.
The CBI believes employers should be able to access all staff e-mails on business
computers.
Susannah Haan, legal adviser at the CBI, said: "Employers should have
the right to access all e-mails. After all, the business is liable for what is
sent out."
Organisations have until 8 August to respond to the commission over the
draft monitoring code’s content.
Internet and the law
Countdown to confusion
October 2000 – The three-month open consultation for the Data Protection Act’s code of practices is launched by commissioner Elizabeth France
July 2001 – A crisis conference held to reassure employers that the code would be simplified for business
Oct 2001 – The 1998 Data Protection Act comes into force
April 2002 – The second draft version of the monitoring code is published
May 2002 – Employer bodies complain to government over the commission’s handling of the monitoring code
July 2002 – The third draft version of the monitoring code is published
Feedback: HR response to latest draft of the data protection code on monitoring
Paul Pagliari, HR director, Scottish Water
"The definition on e-mails needs to be simple, clear and
unambiguous. At present it does not fit that criteria. I think there will be
some concern from employers who want to act fairly and need to understand all
the facts. Employers want to establish a fair policy, and so any ambiguity must
be removed."
Keith Johnston, HR director, North Bristol NHS Trust
"There is obviously a need for clarification. Employers’
power to act positively will be limited by this code."
Mark O’Connell, HR director, financial services firm Skandia
"As an employer you don’t want to be intrusive, but we
need to have the right to properly investigate in very serious circumstances.
HR will have to pick its way through this. We need a code that is reasonable
and practical."
Mike Taylor, group HR director, building services company Lorne Stewart
"It is ridiculous preventing employers accessing staff
e-mails if they are suspected of wrongdoing. Company computers are not there
for personal use. An employer should have an absolute right to have complete access
to everything on their system."
What HR needs to know
The data protection monitoring code has been radically overhauled to appease
employer concerns over its bias against business.
Companies will not have to inform the police before covertly monitoring
staff, except where monitoring takes place in areas where staff have a high
expectation of privacy. As examples, the code cites public toilets and an
individual’s private office.
Firms now have to undertake an impact assessment (see box) before any monitoring
takes place.
Employers can also now access individual staff e-mail accounts in their
absence to ensure the business responds properly to customers, as long as the
employee is made aware that this is company policy.
The code is one of four being drawn up by the Information Commission to help
employers comply with their responsibilities when handling staff information
under the Data Protection Act 1998.
It is in its third consultation after employer bodies, including the CIPD,
complained to the Government about the length of the consultation and the
content, length and complexity of the code. The Information Commission has
taken on board many employers’ concerns and has significantly amended the final
draft.
The commission has also introduced business, private and personal e-mail
definitions:
– E-mails sent for business purposes, but that include personal information,
can be accessed by employers for business reasons. Assistant commissioner at
the Information Commission David Smith gave Personnel Today the example of an
employee informing the HR department about a private matter as a private
e-mail.
– E-mails that do not involve the workplace, but are sent from work, can be
opened by organisations, but only when they have evidence of a serious breach
of company policy or law.
Compiled by Paul Nelson
Impact Assessments
The main questions HR will need to ask to monitor staff
Employers must carry out impact assessments before they can
monitor staff, under the latest version of the Data Protection monitoring code.
The aim of the assessment is to determine whether monitoring is
justified, and if it is, to decide what is the best way to monitor to get the
information required without intruding on staff privacy.
The code states:
"Make an impact assessment to determine what, if any,
monitoring is justified by the benefits. Limit the scope of monitoring to what
is strictly required to deliver those benefits."
It also warns employers that any internet or e-mail monitoring
must justify the "specific circumstances".
The code gives employers many questions that should be answered
in an impact assessment.
These include:
– Is the monitoring based on random spot-checks, regular spot-checks or is it to be continuous?
– Does monitoring have to be electronic?
– Can monitoring be limited to staff that the employer has received complaints about or must it be wider?
– Can monitoring be automated?
Q&A on the background to data protection
What is the Data Protection Act?
The 1998 act is designed to ensure organisations comply with
the eight principles of data protection. These include processing personal data
fairly and securely and ensuring that this information is held for only as long
as needed.
When did the act come into force in the UK?
October 2001.
What is the monitoring code?
The monitoring code, currently under consultation, explains to
HR what employers’ rights are when monitoring staff in the workplace.
When does the consultation end on the monitoring code?
HR professionals can respond via the commission’s website until
8 August.
When will the code be published?
The monitoring code is expected to be published in September.
How many codes are there?
There are four codes. The other three inform HR how to handle
recruitment, records management and medical information.
What happens if you breach the Data Protection Act?
It could lead to an unlimited fine in the Crown Court,
potential liability of responsible directors, and compensation for the affected
employee for damage and associated distress.
Failure to comply could also expose a company to the full
spectrum of employment-related claims, including sexual, racial and disability
discrimination and unfair dismissal.
What is the Information Commission?
The Information Commission’s role is to enforce and oversee the
1998 Data Protection Act.