Worldwide: Global Update: Monitoring Your Employees’ Use Of Technology

Introduction

It has become increasingly common for organisations to incorporate the use of social media into their business strategies. Social media has the potential to provide organisations with an unparallelled array of benefits, including the ability to promote the organisation's brand and services to a broad demographic and across international boundaries.

Similarly, increases in the varied uses of technology in the workplace have had incomparable benefits for organisations. At a minimum, technological advances have allowed employees to access work and customers to access products from almost any location across the globe. This has obvious benefits for any organisation.

The proliferation of the use of technology and social media in the workplace also raises concerns for many employers. These concerns include the impact that the use of technology and the access to social media has on productivity as well as the potential that negative comments made by employees will be made public, and the possibility that workplace harassment will take place through the use of these increasingly accessible modes of communication. Even where employee actions are not made public – the internal circulation of offensive material by email, for example – the potential for internal disruption and, in some jurisdictions, the possibility of legal liability continues to exist for an employer.

This article discusses the ability of an employer to monitor the use of its computer systems and to discipline or terminate an employee who uses those systems inappropriately or who makes inappropriate public comment on social media sites or blogs. This article also explores the value of creating policies that govern expected workplace conduct when accessing the employer's computer systems or when participating in social media. The law in seven jurisdictions is considered: Canada, the United Kingdom, Australia, France, Hong Kong, South Africa and Germany.

Can the employer access a computer provided to the employee?

Many employers take the position that it is necessary to monitor email and internet usage in order to detect activity that may negatively impact on the company. There is a broad spectrum of activity that an employer may seek to curtail. Such activity may range from disparaging comments about the company, its products or its customers that are made on social media sites to illegal actions, such as the circulation of pornographic material in the workplace.

However, what an employer believes to be necessary may not be permissible.

In fact, across all seven jurisdictions there are at least some limits placed upon the employer's ability to monitor an employee's email or internet activity, even though the activity being monitored takes place on company systems.

For example, in Canadian jurisdictions in which privacy legislation exists, an employer may be entitled to monitor an employee's e-mail and computer usage provided that it does so in a reasonable manner and with a limited impact on the privacy rights of the employee. Federally regulated employees, for example, are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Employers who are subject to PIPEDA must generally ensure that they collect, use and disclose employees' personal information only for purposes that would be considered appropriate by a reasonable person in the circumstances, in addition to obtaining the employees' consent. (Legislation that is substantially similar to PIPEDA exists in the provinces of Quebec, British Columbia and Alberta and similar considerations would apply to the monitoring of employee email and internet usage in those provinces.)

What is reasonable will generally depend on the purpose for which the monitoring has been undertaken. If the employer is attempting to confirm whether an employee has breached their employment obligations in some manner, reasonableness is more likely to be established. For example, where the employer has become aware that an employee is engaging in workplace harassment by email or through posts on social media sites, it will likely be reasonable that the employee's email communications and internet activity are monitored.

Whether an employee can assert a privacy interest over their email or internet activity will depend upon whether the employee has a reasonable expectation of privacy when using the computer equipment. An employee's privacy interest over their email or internet usage will be diminished where they have been advised that their corporate email account may be accessed by the company and where prohibitions have been placed on the personal use of those systems. To that end, a clear policy governing the use of email and internet systems will assist an employer that wants to monitor its employees' activity whilst on company email and internet systems.

In provinces where there is no privacy legislation, the employer has more latitude to monitor an employee's email and internet activity. This is as a result of the absence of any statutory limitations on the employer's right to access the computer provided by the employer. Special considerations may have to be given in the unionised workplace which may have terms and conditions in collective agreements that dictate whether (and how) such activity can be monitored.

In the United Kingdom, the Regulation of Investigatory Powers Act 2000 (RIPA) regulates an employer's ability to intercept and monitor the emails of its employees on the employer's computer systems. Monitoring an employee's emails will be lawful under the RIPA where the employer reasonably believes that the sender and intended recipient have consented to the interception. A clear policy or wording in an employment contract explaining that such interception could take place is likely to be sufficient to demonstrate employee consent.

In the absence of consent, the employer may also be able to rely on the provisions of the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the Regulations) which authorise monitoring without consent in certain specified circumstances including where it is necessary to ensure compliance with regulatory practices; to ensure that standards of service are maintained - e.g. in call centres; to prevent or detect crime; to protect the communications system itself - e.g. to protect against unauthorised use and potential viruses; or to determine the relevance of the communication to the employer's business - e.g. by picking up relevant messages when someone is away from work.

Even when the employer relies on the Regulations, it is expected to make all reasonable efforts to ensure that its employees know that communications may be intercepted and the monitoring must also comply with the provisions of the Data Protection Act 1998.

In South Africa, the Constitution of the Republic of South Africa entrenches an employee's right to privacy and may in certain circumstances curtail the employer's ability to access the employee's private email and internet communications, even where those communications are made on company equipment. This right is, however, not absolute and in terms of the Regulation of Interception of Communications and Provision of Communication Related Information Act of 2002 (RICA), an exception exists where the employer is investigating or detecting the unauthorised use of its telecommunications systems; where the employer must establish the existence of facts related to a workplace investigation; or where the employee has provided his or her consent in writing to the interception. Consent may be obtained through an employment agreement that sets out the employer's right to monitor email and internet usage on company equipment.

The privacy of the employee is similarly protected in France, where monitoring of email and internet communications on company equipment may be permissible where the monitoring is justified by a legitimate purpose and is carried out in a reasonable manner. However, employees must be given prior notice of the possibility that their internet and email communications may be monitored. This can be achieved through the use of an employment policy.

In addition, the works council of the company and the company's health and safety committee must be informed and consulted about the monitoring in advance of it taking place.

Notably, in France, where an email is identified as "private" or "personal" by the employee, the employer may not access it. To do otherwise is a criminal offence punishable by monetary penalties and/or the imposition of a jail sentence. However, an employer may seek advance authorisation by a court of the search if it wishes to avoid criminal prosecution. Where an electronic file is identified as "private" or "personal" by the employee, the employer must ask the employee to be present when the employer accesses the item.

In Germany, an employer's ability to monitor an employee's internet and email usage will depend upon whether the employee has been permitted to use the employer's computer system for personal use.

Where employees are permitted to use the company's email and internet only for business purposes, the employer can monitor the connection data (e.g. date, time, originating and receiving email / IP addresses, size of submitted data, duration of use) and the content of emails and the websites that have been visited to the extent required for certain reasonable purposes. Those purposes include monitoring the employee's compliance with the rules regarding email and internet use; investigating whether criminal activity has taken place; and maintaining the employer's electronic systems and protecting its technical devices. Accordingly, an employer would generally be allowed to randomly check the content of websites visited by employees in order to make sure that the employees only use the internet for business purposes; 24-7 surveillance of those systems and a review of email content that is obviously private (e.g. on the basis of the subject) would not be allowed.

By contrast, if an employee is allowed to access the company's email and internet for both work related and personal use, the employer is not permitted to collect any data about the employee's use of its systems. The only exception to this general rule is that connection data may be monitored to maintain the electronic systems and protect the company's technical devices and to assess connection fees as well as – to a certain extent – to investigate the abuse of the employer's telecommunication system.

In Hong Kong, the Personal Data (Privacy) Ordinance (PDPO) and various codes and guidelines issued by the Privacy Commissioner for Personal Data (e.g. the Privacy Guidelines on Monitoring and Personal Data Privacy at Work (the Monitoring Guidelines)), regulate the employer's ability to monitor its employees' email correspondence and internet usage. The Monitoring Guidelines do not have the force of law, but represent best practices that are encouraged by the Privacy Commissioner in that jurisdiction.

The Monitoring Guidelines set out certain factors that an employer should take into account when determining whether the monitoring of email or internet usage is appropriate. These factors include the need to assess the risks that the monitoring seeks to address and the benefits that may be achieved by engaging in the monitoring; the impact on the privacy of the employees; the requirement to consider alternatives to monitoring; and how the employer will comply with its responsibility to implement privacy compliant data management policies when handling employees' personal data that it obtains as a result of the monitoring.

In accordance with the PDPO, data may only be collected by means that are "fair in the circumstances" and data collection should be kept to an absolute minimum. To that end, employers are generally required to notify their employees that their email and internet usage may be monitored; the purpose for the monitoring and how the monitoring will be carried out.

Despite the foregoing, 'concealed' monitoring may be permitted where there is a legitimate rationale to undertake it and where all other options have been considered and appropriately rejected. Much will depend on the individual circumstances of the individual case. For example, 'concealed' monitoring may be appropriate where an employer has good reason to suspect theft by an employee and it would impinge on the investigation into the theft if the employee was alerted to the proposed monitoring of his or her email or internet usage.
As in other jurisdictions, an employer should have a policy in place that addresses the possibility that workplace computer systems will be monitored. Given the prohibitions set out above, records should be kept of the employer's reasons for needing to engage in 'concealed' monitoring. In addition, the employer should consider and manage the effect of this form of monitoring on its other employees.

In Australia, the regulation of surveillance of employee use of workplace computer systems is done primarily at state level and so the laws are not uniform. In New South Wales, the Workplace Surveillance Act 2005 (NSW) regulates the overt and covert use of camera, computer and tracking devices in the workplace. In order to lawfully conduct surveillance of email and internet use, the employer will be required to notify the employee in advance of the intended surveillance in such a way that it is reasonable to assume that the employee is aware of and understands the policy. However, in Western Australia, the Surveillance Devices Act 1998 (WA) prohibits the use of listening devices or optical surveillance devices to listen to or observe private activities but does not specifically address an employer monitoring an employee's use of computer systems. It is recommended that an employer have a policy allowing for employer monitoring of employee use of email and internet clearly setting out what an employer considers to be reasonable use of such systems. Without such a policy it will be difficult to discipline or dismiss an employee for inappropriate use of an employer's computer system.

Using policies effectively

As is clear from the foregoing, whether an employer can access an employee's computer for the purpose of monitoring email or internet usage may depend upon whether a workplace policy exists. This is because, in most jurisdictions, employers must establish a clear policy that puts employees on notice that corporate systems may be accessed for the purpose of monitoring email and internet usage. Similarly, where the employer wishes to prohibit personal communications on social media sites, a policy outlining the nature and scope of the prohibited communications will be required. The exception to the foregoing is found in Germany, where a policy may only apply to the use of the employer's equipment and not to private communications made outside the workplace. In any case, in Germany, the policy related to the employer's equipment could be subject to the works council co-determination rights.

An effective workplace policy will clearly set out what the employer considers to be appropriate and inappropriate use of social media, internet and email systems, both within and outside the workplace. For example, a policy with respect to communications made on social media sites or blogs should prohibit an employee from making derogatory or inflammatory remarks about the employer, its products and services or its clientele. The policy should warn employees that private conversations and actions, made public by the unrestricted nature of social media communications, may be regarded as misconduct that will attract discipline. If the policy is unclear as to the employer's expectations, it will be open to the employee to argue that they did not understand that their behaviour could attract discipline. However, the policy should make some effort to balance the employer's legitimate business interests and an individual's right to make public comment on matters that will not bring the company's reputation into disrepute. Making this effort helps to bolster the reasonableness of the employer's policy by reinforcing that it is not every minor transgression that will result in discipline or discharge.

Policies with respect to the use of the employer's equipment, including email systems, should also set out the behaviours that the employer considers unacceptable in the workplace. A commonly prohibited use of the employer's email system is the circulation of offensive jokes or photographs, including pornographic materials. The employer should also confirm that the computer and the email communications remain the property of the company. Again, this will limit the employee's ability to argue that they were unaware that their behaviour was culpable.

In short, a properly prepared policy with respect to social media usage and the appropriate use of company computer equipment has two primary benefits: it alerts the employee to the behaviour that the employer considers inappropriate and it puts the employee on notice that engaging in inappropriate behaviour may result in disciplinary action up to and including termination of employment.
Where a policy is implemented, it will be important that any company policy be consistently enforced and that it specifically addresses the consequences that will arise where an employee breaches the expectations in the policy. If the policy is not consistently enforced, or if it is unclear what the result of a breach of the policy may entail, an employee could defensibly take the position that they were unaware that their actions were impugned by the company.

The policy was not adhered to: the need to terminate for inappropriate activity

An employee who chooses to ignore the employer's policy with respect to the use of its computer systems or social media communications may be disciplined and/or terminated for cause, depending on the nature and/or frequency of the employee's transgression.

Whether cause for termination or discipline will be established will substantially depend upon the nature of the communications; whether the communications potentially or actually bring the employer's reputation into disrepute; whether the employee had advance notice that their communications could be considered inappropriate; and whether there is a link between the employee's misconduct and the employer's legitimate business interests. Those communications that impugn the employer, criticise clientele or constitute harassment or discrimination will more likely warrant discipline and/or termination for cause.

In most jurisdictions, it is not necessary that the employee carry out the impugned activity while on company property or during working hours. It is a reflection of the ubiquitous nature of internet and email communications that the location from which the communications are made will be irrelevant; it is the impact of the communications themselves that is relevant.

Of course, if the evidence of the employee's transgressions has been inappropriately obtained, the employer may not be able to rely upon that evidence. This highlights the importance of accessing employee email and internet information only in a reasonable manner and in accordance with local laws.

Conclusion

The ability to monitor employee email and internet communications can be invaluable to an employer. Monitoring employee communications may prevent negative publicity, illegal activity and inappropriate comment from being made on the employer's computer systems or about the employer in the public domain.

However, an employer should consult with counsel in their jurisdiction prior to undertaking surveillance of an employee's email and internet communications. Local laws may affect the right of the employer to monitor even their own computer systems.

Furthermore, employers should establish clear policies that delineate the communications that are considered inappropriate and that may result in the termination of the employee. Such policies may address the employee's participation in social media and blogging sites. However, the policies must be consistently enforced to be of value to the employer. There must also be a clear indication to employees that the violation of those policies will result in disciplinary action up to and including termination.

By adhering to these principles, an employer can obtain the benefit of the global reach of technological communications while minimising the risk that those same communications may pose in the workplace.

Norton Rose OR LLP

Norton Rose OR LLP is a member of Norton Rose Group, a leading international legal practice offering a full business law service to many of the world's pre-eminent financial institutions and corporations from offices in Europe, Asia Pacific, Canada, Africa and the Middle East.

The Group's lawyers share industry knowledge and sector expertise across borders to support clients anywhere in the world. The Group is strong in financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and pharmaceuticals and life sciences.

Norton Rose Group has more than 2600 lawyers operating from 39 offices in Abu Dhabi, Amsterdam, Athens, Bahrain, Bangkok, Beijing, Brisbane, Brussels, Calgary, Canberra, Cape Town, Dubai, Durban, Frankfurt, Hamburg, Hong Kong, Johannesburg, London, Melbourne, Milan, Montréal, Moscow, Munich, Ottawa, Paris, Perth, Piraeus, Prague, Québec, Rome, Shanghai, Singapore, Sydney, Tokyo, Toronto and Warsaw; and from associate offices in Dar es Salaam, Ho Chi Minh City and Jakarta.

Norton Rose Group comprises Norton Rose LLP, Norton Rose Australia, Norton Rose OR LLP, Norton Rose South Africa (incorporated as Deneys Reitz Inc), and their respective affiliates.

On January 1, 2012, Macleod Dixon merges with Norton Rose OR, creating a global energy and mining powerhouse within Norton Rose Group. For more information, please visit nortonrose.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Topics
 
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions