CIPD - Internet and email policies

HR practice

Revised June 2009

This factsheet gives introductory guidance. It:

provides basic information on acceptable use policies for using email, the Internet, blogging and social networking at work.

Why have a policy?

In many organisations, access to the Internet was initially limited to a few people in the IT or marketing groups. Today, with a PC on every desk, many employees find themselves with access to the Internet and email but with little understanding of either the potential problems or the real benefits which this can bring.

The purpose of an acceptable use policy is to ensure that employees understand the way in which these technologies should be used in the workplace. This enables both employees and the organisation to gain the maximum value from email and the Internet, and alerts them to the dangers that can arise to the organisation if they are misused, which may put the organisation at technical, legal or commercial risk.

Employers are responsible for their employees' activities when using email and the Internet. For example, if software for use in an organisation is obtained illegally, the employer is liable even if it was obtained without their knowledge or permission. Similarly, information on an organisation’s website or in its email can give rise to legal action against the company. For example, in the case of Western Provident Association v Norwich Union¹, it was shown that untrue and damaging statements about alleged financial problems at Western Provident were circulating on Norwich Union's internal email which resulted in Norwich Union having to pay £450,000 in damages and costs. In order to reduce liability, employers must be able to prove that they have a policy in place to prevent illegal actions and that appropriate steps are taken to enforce it.

The content of such policies will depend on the needs of the organisation and the expectations and requirements of its employees, so before producing an acceptable use policy, an organisation must have developed an agreed strategy for using email and the Internet. But the policy must always state the consequences of breaching the rules: since the issues covered range from the inconsiderate through to illegal activities, the sanctions would similarly be expected to range from a verbal warning through to instant dismissal.

The policy should be introduced and explained during the employee induction programme. Where necessary, it should be reinforced during specialist training sessions.

Network security

Network security should be determined as part of an organisation's electronic information strategy and is generally managed by the IT department.

The introduction of viruses poses a risk to the entire network. Anti-virus software provides an element of protection but downloading also needs to be controlled. Technical security features such as firewalls can be included on the local network. As a rule, all software for use in an organisation should be controlled by the system manager and restrictions on downloading software should be clearly stated in the policy.

At individual user level, security is generally provided by using passwords. The policy should state clearly any rules for the format of passwords, changing passwords and for not disclosing them.

Data protection issues

Monitoring employees’ use of the Internet and email is covered in the Data Protection Act 1998 (DPA). The Information Commissioner is responsible for overseeing compliance and has produced The employment practices code² which includes guidance on an employer’s rights to monitor staff.

The Code recommends that employers carry out an impact assessment to help them establish whether their Internet and email monitoring complies with the DPA. Such an assessment should identify:

the purpose of monitoring
the benefits it is likely to deliver
any likely adverse impact.

The assessment should also consider alternatives to monitoring or less intrusive ways it could be carried out.

Once a risk assessment has been completed, policies should inform staff of the organisation’s approach to monitoring in the workplace and the consequences of unauthorised use. The Code protects staff from covert monitoring except in exceptional circumstances, such as where there are grounds for suspecting criminal or equivalent malpractice. The Code allows organisations to check staff email accounts in their absence if they have been informed that this will happen. However employees’ privacy must be respected if they clearly mark that an email is personal, unless their employer has a valid and defined reason to examine the content.

Many organisations contain a section in their policy on archiving or deleting information and how employees should store any data they download. This must also be based on the data protection principles that the information recorded is adequate, relevant, not excessive and not kept for longer than necessary. An assessment will help employers decide what their policy on deleting or archiving information should include. This will become increasingly necessary due to provisions in the Freedom of Information Act 2000.

More information on data protection issues generally can be found in our factsheet on that topic.

Go to our Data protection factsheet

Using the Internet

The policy must state any restrictions on using the Internet and whether access is allowed for business use only or for private use as well. A problem with browsing, even for business use, is that it can become unfocused and time-consuming. This wastes employees' time and, even when done in their own time, it ties up resources.

Although it is possible for a system manager to bar access to certain sites, the Internet is growing so rapidly that it is impossible to prevent all inappropriate access automatically. Occasionally, the IT department may undertake some monitoring, within data protection rules outlined above, to find out which websites are being accessed regularly and by whom.

Obtaining incorrect or poor quality information

One of the main benefits of the Internet is the access it gives to large amounts of information which is often more up-to-date than in traditional sources. However, as the Internet is uncontrolled, this information may also be less accurate than it appears. The policy must warn about the risks of obtaining and using unsubstantiated information.

Downloading

As with browsing, downloading information from the Internet can be wasteful of resources. The policy should make clear what is acceptable in terms of time spent downloading material.

The policy must state unequivocally that downloading offensive, obscene or indecent material is forbidden. In a CIPD survey³, 70% of companies had taken disciplinary action as a result of employees viewing pornographic images. Policies should also make it clear that the downloading or transmission of certain images is a criminal offence and that the police will be informed where there is any evidence of such activity.

Breaking copyright law

Much of what appears on the web is, or claims to be, protected by copyright. The Copyright, Designs and Patents Act 1988 states that only the copyright owner is allowed to use information. Any reuse of downloaded information without permission is prohibited. Many organisation libraries enforce rigorous policies on photocopying and a similar policy must be applied to copying from the Internet.

Copyright law applies not only to documents but also to software. The Federation Against Software Theft (FAST) is making rigorous efforts to counteract the use of illegally copied software.

Blogging and social networking

Online diaries, or blogs, have become increasing popular as sources of information. These are personal accounts, but there have been some recent cases where employees have been dismissed for discussing their organisation online.

Social networks such as MySpace, Facebook and Twitter have become increasingly popular as a means for people to stay in touch and make new contacts. Research commissioned by content security specialist Clearswift in 2007 found more than a quarter of British office workers aged 18-29 were spending three or more hours a week at work on social networking sites. It is not just time lost which is of potential concern to employers, it is also the content which is posted. More than 40% of young workers surveyed by Clearswift had discussed work-related issues on social networking sites. An Argos employee was sacked in 2007 for gross misconduct following a disciplinary hearing after he posted a derogatory comment about his employer on Facebook.

However, corporate social networking can also be a useful way for employers to communicate and engage their employees. Some businesses are using social networking forums to increase awareness of their activities, to bring staff together from different locations or to introduce energy and ‘buzz’ into internal communications. If employers set up corporate social networks, a clear distinction needs to be made between corporate social networking which is useful to the business and social networking for personal use.

Employers should decide what approach they want to take to managing the use of blogs and social networks and ensure this is covered in their policy. They should set out whether there are any limits on use, for example, whether access to social networking sites is allowed at lunchtimes or whether there is a total ban. The policy should also make it very clear that defamatory statements about the organisation will be treated as a disciplinary offence and emphasise that confidential matters should not be discussed in such forums.

For more on how organisations responding Web 2.0 technologies, see our survey report.

Go to our Innovation in the workplace survey report

Using email

Although email communication has the same speed and apparent informality as using the telephone, it also has the permanence of written communications and, as such, must be controlled to ensure that it meets the same standards as other published documents.

The advantages of email are:

It is a fast and inexpensive way of delivering messages and documents across long or short distances.
Information can be shared quickly and consistently between any number of people.
It removes the need to print and distribute information by conventional means.

The disadvantages of email are:

If it is used inappropriately, 'information overload’ is a risk with vital information being lost in many messages that are irrelevant.
It can stifle face-to-face communication or be used to abdicate the responsibility of communicating messages that should be done in person.

The policy should state whether the email service is to be used for business purposes only or is permitted for personal communication also. This largely depends on the organisation's culture and the controls which are already imposed. If (either implicitly or explicitly) the telephone may be used for personal communications, then it could be difficult to forbid a similar use of email, although there are clearly greater security implications in the widespread use of email.

Content

The policy should make it clear that the same laws apply to email as to any other written document and that therefore they should avoid making any inaccurate or defamatory statements and sending offensive email will not be tolerated. It is inappropriate, however, for the policy to list unsuitable material in detail since this may imply that anything not listed was acceptable.

The sender of a message which causes offence must be subject to normal disciplinary procedures, but in this respect email is no different from any other interpersonal dispute (and has the advantage that, unlike purely verbal communications, it is possible to supply evidence to support a complaint).

For external email it is possible to include a disclaimer but the policy should still emphasise the need to act responsibly when writing email, and to seek advice before sending a message if there is any doubt about its contents.

Distribution

In spite of the benefits of email, there is a danger of loss of productivity associated with its excessive use. The policy should make clear the importance of only sending relevant emails and avoiding the automatic forwarding of all messages to long circulation lists which unnecessarily increases the traffic and the time spent dealing with irrelevant correspondence.

The policy should also set out a procedure to cover wrong delivery. For example, it should state that a wrongly delivered message should be redirected to the correct person and that if the email message contains confidential information, use must not be made of that information and nor must it be disclosed.

Policy contents checklist

Access	Who is entitled to use email - in most organisations, it would be difficult to justify denying any particular groups access to this valuable communication tool How to get access to email Who is entitled to access the web and when How to get to the web
Passwords	Rules for choosing a password Rules for changing a password Warning on disclosing passwords Rules on password-access to other organisations' websites
Web	Prohibition on access to certain websites Limitations on browsing the web for non-business purposes Rules for adding information to your own website Guidelines for responding to website enquiries
Downloading	Prohibition on downloading offensive material Information on the implications of copyright laws Guidance on the use of unverified information
Email	Limitations on private use of email Restrictions on content of e-mail Rules for email distribution Rules on disclosing email addresses Legal position regarding defamation and inappropriate advice
Monitoring	Notification that website access may be monitored Notification that email may be intercepted and read
Disclaimers	Wording to use in disclaimer Documents which require disclaimers
Disciplinary procedure	Sanctions which will be imposed for breaching the policy

Useful contacts

Information Commissioner’s Office

References

ENGEL, D. (1998) Caught by the net: avoiding cyberliability. Flexible Working. Vol 3, No 4, May. pp15-16.
INFORMATION COMMISSIONER`S OFFICE. (2005) The employment practices code. Wilmslow: The Commissioner's Office. Available at: http://www.ico.gov.uk/for_organisations/
topic_specific_guides/employment.aspx
UK survey highlights problem of illegal and inappropriate images in the workplace. Press release. (2004) London: Chartered Institute of Personnel and Development.

Internet and email policies