Introduction

It has become increasingly common for organisations to incorporate the use of social media into their business strategies. Social media has the potential to provide organisations with an unparalleled array of benefits, including the ability to promote the organisation's brand and services to a broad demographic and across international boundaries.

Similarly, increases in the varied uses of technology in the workplace have had incomparable benefits for organisations. At a minimum, technological advances have allowed employees to access work and customers to access products from almost any location across the globe. This has obvious benefits for any organisation.

The proliferation of the use of technology and social media in the workplace also raises concerns for many employers. These concerns include the impact that the use of technology and the access to social media has on productivity as well as the potential that negative comments made by employees will be made public, and the possibility that workplace harassment will take place through the use of these increasingly accessible modes of communication. Even where employee actions are not made public – the internal circulation of offensive material by email, for example – the potential for internal disruption and, in some jurisdictions, the possibility of legal liability continues to exist for an employer.

This article discusses the ability of an employer to monitor the use of its computer systems and to discipline or terminate an employee who uses those systems inappropriately or who makes inappropriate public comment on social media sites or blogs. This article also explores the value of creating policies that govern expected workplace conduct when accessing the employer's computer systems or when participating in social media. The law in seven jurisdictions is considered: Canada, the United Kingdom, Australia, France, Hong Kong, South Africa and Germany.

Can the employer access a computer provided to the employee?

Many employers take the position that it is necessary to monitor email and internet usage in order to detect activity that may negatively impact on the company. There is a broad spectrum of activity that an employer may seek to curtail. Such activity may range from disparaging comments about the company, its products or its customers that are made on social media sites to illegal actions, such as the circulation of pornographic material in the workplace.

However, what an employer believes to be necessary may not be permissible.

In fact, across all seven jurisdictions there are at least some limits placed upon the employer's ability to monitor an employee's email or internet activity, even though the activity being monitored takes place on company systems.

For example, in Canadian jurisdictions in which privacy legislation exists, an employer may be entitled to monitor an employee's email and computer usage provided that it does so in a reasonable manner and with a limited impact on the privacy rights of the employee. Federally regulated employees, for example, are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Employers who are subject to PIPEDA must generally ensure that they collect, use and disclose employees' personal information only for purposes that would be considered appropriate by a reasonable person in the circumstances, in addition to obtaining the employees' consent. (Legislation that is substantially similar to PIPEDA exists in the provinces of Quebec, British Columbia and Alberta and similar considerations would apply to the monitoring of employee email and internet usage in those provinces.)

What is reasonable will generally depend on the purpose for which the monitoring has been undertaken. If the employer is attempting to confirm whether an employee has breached their employment obligations in some manner, reasonableness is more likely to be established. For example, where the employer has become aware that an employee is engaging in workplace harassment by email or through posts on social media sites, it will likely be reasonable that the employee's email communications and internet activity are monitored.

Whether an employee can assert a privacy interest over their email or internet activity will depend upon whether the employee has a reasonable expectation of privacy when using the computer equipment. An employee's privacy interest over their email or internet usage will be diminished where they have been advised that their corporate email account may be accessed by the company and where prohibitions have been placed on the personal use of those systems. To that end, a clear policy governing the use of email and internet systems will assist an employer that wants to monitor its employees' activity whilst on company email and internet systems.

In provinces where there is no privacy legislation, the employer has more latitude to monitor an employee's email and internet activity, because there are no statutory limitations on the employer's right to access the computer it has provided. Special consideration may have to be given to the unionised workplace, where terms and conditions in collective agreements may dictate whether (and how) such activity can be monitored.

In the United Kingdom, the Regulation of Investigatory Powers Act 2000 (RIPA) regulates an employer's ability to intercept and monitor the emails of its employees on the employer's computer systems. Monitoring an employee's emails will be lawful under the RIPA where the employer reasonably believes that the sender and intended recipient have consented to the interception. A clear policy or wording in an employment contract explaining that such interception could take place is likely to be sufficient to demonstrate employee consent.

In the absence of consent, the employer may also be able to rely on the provisions of the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the Regulations) which authorise monitoring without consent in certain specified circumstances including where it is necessary to ensure compliance with regulatory practices; to ensure that standards of service are maintained - e.g. in call centres; to prevent or detect crime; to protect the communications system itself - e.g. to protect against unauthorised use and potential viruses; or to determine the relevance of the communication to the employer's business - e.g. by picking up relevant messages when someone is away from work.

Even when the employer relies on the Regulations, it is expected to make all reasonable efforts to ensure that its employees know that communications may be intercepted and the monitoring must also comply with the provisions of the Data Protection Act 1998.

In South Africa, the Constitution of the Republic of South Africa entrenches an employee's right to privacy and may in certain circumstances curtail the employer's ability to access the employee's private email and internet communications, even where those communications are made on company equipment. This right is, however, not absolute and in terms of the Regulation of Interception of Communications and Provision of Communication Related Information Act of 2002 (RICA), an exception exists where the employer is investigating or detecting the unauthorised use of its telecommunications systems; where the employer must establish the existence of facts related to a workplace investigation; or where the employee has provided his or her consent in writing to the interception. Consent may be obtained through an employment agreement that sets out the employer's right to monitor email and internet usage on company equipment.

The privacy of the employee is similarly protected in France, where monitoring of email and internet communications on company equipment may be permissible where the monitoring is justified by a legitimate purpose and is carried out in a reasonable manner. However, employees must be given prior notice of the possibility that their internet and email communications may be monitored. This can be achieved through the use of an employment policy.

In addition, the works council of the company and the company's health and safety committee must be informed and consulted about the monitoring in advance of it taking place.

Notably, in France, where an email is identified as "private" or "personal" by the employee, the employer may not access it. To do otherwise is a criminal offence punishable by monetary penalties and/or the imposition of a jail sentence. However, an employer may seek advance authorisation by a court of the search if it wishes to avoid criminal prosecution. Where an electronic file is identified as "private" or "personal" by the employee, the employer must ask the employee to be present when the employer accesses the item.

In Germany, an employer's ability to monitor an employee's internet and email usage will depend upon whether the employee has been permitted to use the employer's computer system for personal use.

Where employees are permitted to use the company's email and internet only for business purposes, the employer can monitor the connection data (e.g. date, time, originating and receiving email / IP addresses, size of submitted data, duration of use) and the content of emails and the websites that have been visited to the extent required for certain reasonable purposes. Those purposes include monitoring the employee's compliance with the rules regarding email and internet use; investigating whether criminal activity has taken place; and maintaining the employer's electronic systems and protecting its technical devices. Accordingly, an employer would generally be allowed to randomly check the content of websites visited by employees in order to make sure that the employees only use the internet for business purposes; 24-7 surveillance of those systems and a review of email content that is obviously private (e.g. on the basis of the subject) would not be allowed.

By contrast, if an employee is allowed to access the company's email and internet for both work related and personal use, the employer is not permitted to collect any data about the employee's use of its systems. The only exception to this general rule is that connection data may be monitored to maintain the electronic systems and protect the company's technical devices and to assess connection fees as well as – to a certain extent – to investigate the abuse of the employer's telecommunication system.

In Hong Kong, the Personal Data (Privacy) Ordinance (PDPO) and various codes and guidelines issued by the Privacy Commissioner for Personal Data (e.g. the Privacy Guidelines on Monitoring and Personal Data Privacy at Work (the Monitoring Guidelines)), regulate the employer's ability to monitor its employees' email correspondence and internet usage. The Monitoring Guidelines do not have the force of law, but represent best practices that are encouraged by the Privacy Commissioner in that jurisdiction.

The Monitoring Guidelines set out certain factors that an employer should take into account when determining whether the monitoring of email or internet usage is appropriate. These factors include the need to assess the risks that the monitoring seeks to address and the benefits that may be achieved by engaging in the monitoring; the impact on the privacy of the employees; the requirement to consider alternatives to monitoring; and how the employer will comply with its responsibility to implement privacy compliant data management policies when handling employees' personal data that it obtains as a result of the monitoring.

In accordance with the PDPO, data may only be collected by means that are "fair in the circumstances" and data collection should be kept to an absolute minimum. To that end, employers are generally required to notify their employees that their email and internet usage may be monitored, of the purpose of the monitoring and of how the monitoring will be carried out.

Despite the foregoing, 'concealed' monitoring may be permitted where there is a legitimate rationale to undertake it and where all other options have been considered and appropriately rejected. Much will depend on the circumstances of the individual case. For example, 'concealed' monitoring may be appropriate where an employer has good reason to suspect theft by an employee and it would impinge on the investigation into the theft if the employee was alerted to the proposed monitoring of his or her email or internet usage.

As in other jurisdictions, an employer should have a policy in place that addresses the possibility that workplace computer systems will be monitored. Given the prohibitions set out above, records should be kept of the employer's reasons for needing to engage in 'concealed' monitoring. In addition, the employer should consider and manage the effect of this form of monitoring on its other employees.

In Australia, surveillance of employee use of workplace computer systems is regulated primarily at state level, so the laws are not uniform. In New South Wales, the Workplace Surveillance Act 2005 (NSW) regulates the overt and covert use of camera, computer and tracking devices in the workplace. In order to lawfully conduct surveillance of email and internet use, the employer will be required to notify the employee in advance of the intended surveillance in such a way that it is reasonable to assume that the employee is aware of and understands the policy. However, in Western Australia, the Surveillance Devices Act 1998 (WA) prohibits the use of listening devices or optical surveillance devices to listen to or observe private activities but does not specifically address an employer monitoring an employee's use of computer systems. It is recommended that an employer have a policy that allows for employer monitoring of employee use of email and internet and clearly sets out what the employer considers to be reasonable use of such systems. Without such a policy it will be difficult to discipline or dismiss an employee for inappropriate use of an employer's computer system.

Using policies effectively

As is clear from the foregoing, whether an employer can access an employee's computer for the purpose of monitoring email or internet usage may depend upon whether a workplace policy exists. This is because, in most jurisdictions, employers must establish a clear policy that puts employees on notice that corporate systems may be accessed for the purpose of monitoring email and internet usage. Similarly, where the employer wishes to prohibit personal communications on social media sites, a policy outlining the nature and scope of the prohibited communications will be required. The exception to the foregoing is found in Germany, where a policy may only apply to the use of the employer's equipment and not to private communications made outside the workplace. In any case, in Germany, the policy related to the employer's equipment could be subject to the works council co-determination rights.

An effective workplace policy will clearly set out what the employer considers to be appropriate and inappropriate use of social media, internet and email systems, both within and outside the workplace. For example, a policy with respect to communications made on social media sites or blogs should prohibit an employee from making derogatory or inflammatory remarks about the employer, its products and services or its clientele. The policy should warn employees that private conversations and actions, made public by the unrestricted nature of social media communications, may be regarded as misconduct that will attract discipline. If the policy is unclear as to the employer's expectations, it will be open to the employee to argue that they did not understand that their behaviour could attract discipline. However, the policy should make some effort to balance the employer's legitimate business interests and an individual's right to make public comment on matters that will not bring the company's reputation into disrepute. Making this effort helps to bolster the reasonableness of the employer's policy by reinforcing that it is not every minor transgression that will result in discipline or discharge.

Policies with respect to the use of the employer's equipment, including email systems, should also set out the behaviours that the employer considers unacceptable in the workplace. A commonly prohibited use of the employer's email system is the circulation of offensive jokes or photographs, including pornographic materials. The employer should also confirm that the computer and the email communications remain the property of the company. Again, this will limit the employee's ability to argue that they were unaware that their behaviour was culpable.

In short, a properly prepared policy with respect to social media usage and the appropriate use of company computer equipment has two primary benefits: it alerts the employee to the behaviour that the employer considers inappropriate and it puts the employee on notice that engaging in inappropriate behaviour may result in disciplinary action up to and including termination of employment.

Where a policy is implemented, it is important that the policy be consistently enforced and that it specifically addresses the consequences that will arise where an employee breaches the expectations in the policy. If the policy is not consistently enforced, or if it is unclear what the result of a breach of the policy may entail, an employee could defensibly take the position that they were unaware that their actions were impugned by the company.

The policy was not adhered to: the need to terminate for inappropriate activity

An employee who chooses to ignore the employer's policy with respect to the use of its computer systems or social media communications may be disciplined and/or terminated for cause, depending on the nature and/or frequency of the employee's transgression.

Whether cause for termination or discipline will be established will substantially depend upon the nature of the communications; whether the communications potentially or actually bring the employer's reputation into disrepute; whether the employee had advance notice that their communications could be considered inappropriate; and whether there is a link between the employee's misconduct and the employer's legitimate business interests. Those communications that impugn the employer, criticise clientele or constitute harassment or discrimination will more likely warrant discipline and/or termination for cause.

In most jurisdictions, it is not necessary that the employee carry out the impugned activity while on company property or during working hours. It is a reflection of the ubiquitous nature of internet and email communications that the location from which the communications are made will be irrelevant; it is the impact of the communications themselves that is relevant.

Of course, if the evidence of the employee's transgressions has been inappropriately obtained, the employer may not be able to rely upon that evidence. This highlights the importance of accessing employee email and internet information only in a reasonable manner and in accordance with local laws.

Conclusion

The ability to monitor employee email and internet communications can be invaluable to an employer. Monitoring employee communications may prevent negative publicity, illegal activity and inappropriate comment from being made on the employer's computer systems or about the employer in the public domain.

However, an employer should consult with counsel in their jurisdiction prior to undertaking surveillance of an employee's email and internet communications. Local laws may affect the right of the employer to monitor even their own computer systems.

Furthermore, employers should establish clear policies that delineate the communications that are considered inappropriate and that may result in the termination of the employee. Such policies may address the employee's participation in social media and blogging sites. However, the policies must be consistently enforced to be of value to the employer. There must also be a clear indication to employees that the violation of those policies will result in disciplinary action up to and including termination.

By adhering to these principles, an employer can obtain the benefit of the global reach of technological communications while minimising the risk that those same communications may pose in the workplace.

Norton Rose OR LLP

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.