Monitoring staff: What the latest code of practice means

Part 3 of the Employment Practices Code entitled Monitoring at Work was issued on 11 June. Businesses need to review their communications policies and ensure their workers are reminded regularly of any restrictions on personal use of communications in the workplace. They also need to consider capability of IT systems' compliance with the Code when purchasing and implementing such systems. Failure to follow the code may lead to enforcement action by the Information Commissioner and the need for IT system changes. What action should businesses take?
Workers must be made aware of the nature, extent and purposes of any monitoring. One of the code's seven good practice recommendations is devoted to e-communications (which includes telephone (including mobile), fax, email and voicemail communications and internet access). Key practical points to note include the following:

• Employers should "establish, document and communicate" a policy on e-communications to ensure workers are made aware of the policy. Existing policies should be reviewed to ensure they reflect data protection requirements -- the new Code makes it clear that a simple warning that "emails may be monitored" may not be sufficient; and
• Employees should be made aware (and reminded regularly) of the policy on monitoring and of their own role in data protection compliance, and the possible consequences of breaching the Data Protection Act 1998 ("the Act"); In addition to carrying out impact assessments for each form of monitoring, employers are encouraged to consider:
  • Limiting e-communications monitoring to that necessary to protect against security breaches, e.g. viruses (and using automated monitoring systems where possible);
  • Informing workers of retention periods for emails and Internet usage, and checking that they are aware of them;
  • Encouraging workers and their correspondents to identify personal emails as such and using recorded messages to make external callers aware of potential monitoring;
  • Confining email monitoring to traffic data (addresses and headings) except where access to the content of the email is essential; and
  • Monitoring Web activity on an aggregated (e.g. departmental ) basis where possible.

What are the implications for IT departments?The code contains best practice standards for IT professionals' guidance when purchasing, designing or commissioning new monitoring and backup systems. The code stresses that liability for compliance with the Act rests with the users rather than the suppliers of such systems. Specific recommendations include:

• Ensuring that any "off the shelf" monitoring systems (particularly those sourced from outside the EU) are capable of meeting data protection requirements;

• Considering technology to prevent misuse, such as Web filtering software; and
• Using IT system capabilities to remind workers of the communications policy.

Data protection compliance is a multi-disciplinary matter. IT, HR and legal departments will benefit from combining resources to implement consistent policies and practices in order to meet data protection obligations.