Monitoring staff email and internet: The dos and don'ts

Should you be keeping an eye on the inboxes of your workers or not?

Every office generates so much email, IM and internet traffic it's all but impossible for management to keep track of exactly what's being said, seen and done online.

But how can execs be confident that all these digital conversations are necessary and not just time-wasting? Or worse: the cover for data leaks, inappropriate content-sharing or other nefarious or even criminal activities.

Should you be keeping a digital eye on your workforce?
(Photo credit: wili_hybrid via Flickr.com under the following Creative Commons licence

Why monitor staff email?
Some of the reasons an organisation might want to monitor staff use of email and internet sound obvious - assessing skills or performance or keeping tabs on time spent on non-work activities, for instance, or preventing the distribution of inappropriate or illegal content.

Another possible use for monitoring could be to help prevent damage to computer systems by identifying careless internet and email users who are downloading malware or accessing potentially risky websites. It could also help to ensure compliance with health and safety regulations and, more broadly, to reduce the risk to the business from liability for the actions of its employees.

Other reasons to embark on a period of monitoring might include gathering evidence on an untrustworthy employee where there are serious and credible grounds for suspicion.

Beware the legal minefield
But monitoring employees' use of email and the internet means tiptoeing through the legal minefield of data protection. Relevant legislation includes the Data Protection Act (DPA), Ripa 2000 and even the Human Rights Act.

As an employer, you must have an obligation to inform your workforce that you might be monitoring their communications. Unlike workers in the US, employees in the UK do have an expectation of privacy in the workplace, and if you fail to follow best practice you could find your organisation on the wrong side of the law: under Article 8 of the Convention on Human Rights everyone has the right to "respect for his private and family life, his home and his correspondence".

You may think adding a sentence to the company handbook along the lines of 'please be aware your email may be monitored' is enough to protect your organisation from being taken to court - but think again. Your monitoring policy needs to be visible to staff so don't be tempted to bury it where you hope it'll go unnoticed.

Be specific about what you are doing
The more specific the policy is the better too. The TUC argues staff need to be told when, why and how information is being obtained, and who will have access to it.

To avoid any doubt, your monitoring policy should be pre-emptively specific, said Cameron Craig, partner at law firm DLA Piper. "Just saying willy-nilly to all employees that email may be monitored I don't think gives sufficient safeguards," he told silicon.com. "It needs to be quite prescriptive."

An effective monitoring policy might therefore include several explanatory clauses - saying, for instance, you 'may monitor emails for compliance with company policy' and 'to prevent distribution of pornographic or other inappropriate or illegal content'.

Ideally you should regularly broadcast the full policy to all your employees via a medium such as the corporate intranet or a newsletter. Your workforce should be clear about what is acceptable and unacceptable when it comes to using email and the internet - so having an acceptable usage policy in place for both is also advisable. The more often you draw attention to the monitoring policy, and the more education and training you provide your staff about acceptable use, the better.

Covert monitoring of staff communications is only allowed in exceptional circumstances - where, say, criminal activity is suspected, as the Information Commissioner's Office notes in its guidance to employers The Employment Practices Code (PDF).

Don't be tempted to dig
Even if you put all these policies in place and regularly broadcast their existence and contents to staff this doesn't mean you have the all-clear to go on a fishing trip to dig dirt. Monitoring has to be proportionate, said Craig, which means reading everyone's emails to catch a paperclip thief is a no-no.

Blanket monitoring of everyone in the company to try and find who has been leaking confidential documents is another example of how monitoring should not be carried out.

As Craig pointed out: "Wholesale monitoring is not proportionate." However if, for instance, you had reasonable grounds to suspect a leak came from a specific division of the company, then you could be fairly confident that carrying out a controlled period of monitoring on that specific group would be OK.

In essence, there has to be a "reasonable purpose" behind the monitoring, and the monitoring must be carried out in a "controlled way" with a "clear objective" in mind when looking at the data, says Craig.

Deliberately reading personal emails should be avoided at all times, except the most exceptional cases, such as where a criminal investigation is taking place. But sensitive personal data - such as medical data, sexual orientation, trade union membership details - can be inadvertently unearthed during the monitoring process and must be treated sensitively and with strict confidentiality to avoid a breach of data protection law.

Do an impact assessment
OK, so you have what you believe is a reasonable purpose and a clear objective in mind - so now you're all set to start monitoring right? Not yet. In all but the most straightforward situations, you should first conduct an impact assessment to properly follow ICO guidelines on monitoring.

This means clearly identifying the purpose of the monitoring and any adverse impact it is likely to cause, and judging whether it is justified. You also need to consider alternative ways that the information could be obtained. And only if there is no other way of getting the data should you feel confident about going ahead with a focused period of monitoring. Best practice also means ensuring only a limited number of people have access to the data, and having a set end date so the monitoring does not roll on indefinitely.

Wholesale monitoring or fishing trips are a no-no
(Photo credit: striatic via Flickr.com under the following Creative Commons licence)

Another point to consider is that if, in the process of monitoring for one specific thing, you stumble across some other piece of information you should probably discard and ignore it, according to Craig - unless it's something so serious it demands criminal investigation.

There's another consideration too: if you haven't kept to the letter of the law, and ultimately aim to use the harvested data as evidence in court, then beware as it may be inadmissible. "You need to do it in a way that follows proper procedure," says Craig.

Why you might not want to monitor staff email
However, there are plenty of reasons to step away from the server too - not least the fact your actions might end up undermining the atmosphere of trust in your organisation. Act like Big Brother and don't be too surprised if your workplace is not seen as particularly modern or progressive and not viewed as a place where talented individuals want to work.

Smaller companies where staff are well known to each other and sometimes required to be self-managing should be especially careful. If your business benefits from an assumption of mutual trust and respect then resorting to monitoring will probably feel invasive - rather like swinging a sledgehammer at a nut.

Instead, ask yourself whether there is an alternative way of fulfilling your data gathering needs which treats your workforce with the respect they almost certainly deserve. And remember there's no substitute for having a careful, considered and comprehensive hiring process in the first place - probably the best answer all round.