Watching you

New complications have been created by the common practice of recording telephone calls. What is the most appropriate course of action of an employer to take when inappropriate use of the internet is suspected?

In one of the many surveys published that deal with internet and e-mail abuse, a most striking revelation was that employers are taking disciplinary action more often against staff for misuse of the web than for dishonesty, violence and health and safety breaches combined. The same research showed that nearly two-thirds of e-mail and internet-related dismissals and half the disciplinary offences were about accessing or distributing pornographic material. Another survey showed that on average an employee spends approximately 220 hours a year surfing the web for non-business use.

Legal scene

The Data Protection Acts, the Regulation of Investigatory Powers Act 2000 and rules made under these acts regulate the process and storage of data as well as the interception of data. The emphasis of the legal requirements encourages employers to carry out surveillance only with the informed consent of employees and then only in a proportionate manner.

Covert surveillance is discouraged and generally only acceptable when a specific unlawful act is under investigation. Despite this, it is reported widely that a considerable amount of covert surveillance of employees takes place. The Human Rights Act 1998 has created the possibility that protection of private and family life will constrain the right to monitor. The extent to which the workplace may constitute part of the private life of a worker is uncertain and bound to be the subject of litigation in the future.

In addition to these well publicised rules, new provisions in the Sexual Offences Act 2003 came into effect on 1 May this year. Publicity was widespread about the new offence of meeting children following “sexual grooming”. However, there is now also a new offence of causing or inciting a child to engage in sexual activity that can create criminal liability in respect of telephone conversations between an adult and a child that would not previously have constituted an offence.

The most commonly detected material is pornography. Plainly, the term “pornography” covers a wide spectrum from the technically obscene to the titillating pictures found in the daily press and decisions may have to be made about what is and is not acceptable.

For legal purposes, material falls generally into two categories, based on content – specifically, whether the pornography is child-related or not. Child pornography attracts the headlines, heavier penalties and the majority of law enforcement activities.

There are also two types of pornography offences: possession and distribution. It is an offence simply to possess child pornography. A wider spectrum of material is covered by distribution offences. It may be difficult to ascertain whether the employee has accessed material for his or her own pleasure or intends to pass it on.

Practical situations

In the experience of forensic accountants, pornography is discovered during virtually every investigation they perform, although often the search is not being directed at pornography. Irrespective of the law, pornography can be a large problem for an organisation. For example, it is likely employees are downloading and reviewing this material when they should be working. At the very least, an organisation’s network resources are being consumed by inappropriate material, which could have financial implications.

Businesses can use a number of measures to try and stop the inappropriate use of the internet. These can include network firewalls that can prevent users accessing inappropriate web sites and e-mail filtering software that prevents inappropriate e-mails entering the network. The major problem with both of these tools, however, is that they tend to stop the casual or accidental browser but will not always stop a determined person.

It is important to know what to do when pornography or other offensive material is discovered. Action should be taken quickly and as much potential evidence as possible should be secured. Evidence is generally located in two areas: locally to the user (their machine) and on the network in the form of log files.

The equipment should also be secured and not used. If taking further action against the individual is being considered it is essential that the equipment be handled correctly. This involves taking a forensic image (a sector-by-sector copy of the hard disk) and maintaining its integrity; otherwise there could be allegations of planting the evidence. At the very least, the relevant machine should be securely locked up until a decision is made on how to progress the case.

The majority of the evidence stored locally will be created by Internet Explorer (or an alternative internet browser) while the content is being viewed. This will generally be stored in two locations, the internet cache, which records a local copy of the internet sites that a user visits (including graphics), and the internet history, which records which sites a user has visited and when.

To maximise the potential recovery of this information, users should be prohibited from deleting it using the internet options functionality of Internet Explorer. This can easily be done through the use of policies in a network environment.

In relation to evidence on the network, the network administrator should be able to secure the log files fairly quickly, and these should be copied to a (non-rewriteable) CD as soon as possible to preserve their integrity. Regardless of whether there are specific concerns over pornography, employers need to consider how they manage their network logs, ensuring that they are turned on, and they are not automatically overwritten.
In an ideal world, all actions at a user level should be recorded and stored indefinitely. It is recognised that this is both impractical and has data protection issues. A suitable strategy would be for all activity leaving an organisations network to be logged (so that the individual user can be identified) and that these logs are maintained for a reasonable length of time (one year).

What to do following detection

It is assumed that the business has in place policies that are compliant with the Codes of Practice issued by the information commissioner. It is also assumed that the contracts of employment that govern the individuals concerned have definitions of misconduct and gross misconduct that adequately categorise how the business wishes to treat accessing and retaining such material or behaving in an unlawful manner.

Advice should be taken as to whether any breach of the criminal law has occurred. Even if it has there is no obligation to report matters to the police, although some businesses decide to do so particularly if hard-core material is discovered.

From an employment law perspective, it is better to suspend an employee under suspicion however damning the evidence appears to allow a proper disciplinary process to take place in due course. Calls for immediate dismissal in the heat of the moment are best avoided.

If child pornography is involved then the matter should be reported to the Police as soon as the business has become aware of it. If it is not, the organisation could be guilty of an offence, especially if material is being stored on its systems.

When distribution is suspected the organisation must take even greater care to maintain network logs, as these can provide substantial information useful to an investigation. In such cases, it can also be important to ensure that the suspect is not tipped-off until the Police are informed, as their actions could negatively influence any future law enforcement operations.

Organisations should consider this matter critical when dealing with suspected distribution of child pornography or a possible offence under the Sexual Offences Act because the suspect may be the subject of a larger law enforcement operation. This course of action can create difficulties in conjunction with the disciplinary procedures contractually applicable. Every case is different and appropriate advice should be sought.

What does an organisation do about pornographic material that could be stored on back-up tapes? This could provide additional information to an investigation, but could also result in the company committing an offence. We would recommend two steps of action in this situation. First, seek specific legal advice on the circumstance you are facing, and secondly, if the matter has been discussed with the police, seek their specific advice.

Another possibility we have experienced is where an abuse of an organisation’s systems has been perpetrated by an external source, rather than an employee. This situation is created where there has been an IT security breach caused by a hacker and somebody is using the business’s IT system to store and distribute illicit material. This is attractive to the external source as it physically distances them from the material and makes it harder for law enforcement to pursue them. To prevent this, an organisation should undertake appropriate security reviews and monitor systems regularly.

Analysis and timing

Efforts should be made as soon as possible to categorise the material and actions concerned. There should be no delay in carrying out an investigation and, where appropriate, suspending those under suspicion, and the actual investigation should be thorough and complete. This may well take time and if the contract does not authorise a sufficient period of suspension then it may be necessary to obtain the employee’s agreement to a longer period of suspension.

Ideally the contract should not specify a defined period for such investigations. Disciplinary action should follow the contractual procedure or be otherwise agreed with the employee. 


These problems are increasing and cause organisations much grief. The old military adage that time spent on reconnaissance is rarely wasted is apt. An organisation must think through in advance the actions it will have to take in these events and test that against existing policies to ensure that it can act accordingly within its own rules. If not, change is the order of the day.

Finally, someone will also have to keep cool throughout the whole process as these issues frequently cause much anger, particularly if children are involved.

Stephen Levinson is an employment law partner with Manches LLP

Phil Beckett is a forensic accounting manager with BDO Stoy Hayward

Recommendations on handling digital evidence

  • Do not turn on the device
  • If a computer is on, turn it off directly at the power switch; do not use the shutdown command
  • If a server is on, power it down
  • Freeze the scene and ensure that the computer/device and any digital media is securely stored
  • Try and identify the user
  • Call an expert

Recommendations on legal process

  • Have properly drafted policies and contracts and review them regularly
  • Ensure all investigators record accurately and completely all aspects of their investigation
  • With external investigators have a clear understanding who is responsible for what aspects and agree this as soon at the beginning of an engagement
  • Ensure all individuals suspected are informed of their right to be accompanied at any disciplinary meetings and have a full understanding of the charges against them
  • Be clear from the outset that appropriate individuals will be available to conduct any disciplinary appeals

Comments are closed.