How can employers ensure that their staff are using the Internet for the right reasons?
In a constantly developing technological world, the Internet has evolved to become one of the main default tools that we use so ubiquitously today.
Safer Internet Day 2019 - “Together for a Better Internet”, is an EU wide initiative to promote a safer internet for all users, especially young people. It is promoted in Ireland by the PDST Technology in Education and Webwise. Whilst not specifically targeted at workplaces, its message is equally as applicable. It is rare to find a business or workplace that is not connected to the Internet either through desktops, laptops, smart phones, tablets and other portable devices. How can employers drive home their message of safe internet use and ensure their businesses are not exposed to risk through unsafe, inappropriate or unlawful use of the internet?
Identify the risk
Bullying, discrimination, defamation, virus exposure, lost productivity, the transfer of confidential information and loss of trade secrets are just some of the issues that can arise from misuse of the Internet in the workplace. Failure to restrict the use of the Internet by employees can have damaging effects on the employers’ reputation and business. In certain cases, employers may be held vicariously liable for the acts and/or omissions of their employees which occur in the course of the employee’s employment.
Set out the ground rules!
If employees don’t know what the expectations are around internet use in the workplace, then your business is at risk. To ensure that everyone knows what the rules are, you need to put in place an Acceptable Usage Policy (AUP).
This policy should specify what acceptable use is, what constitutes misconduct and the consequences of improper use of the Internet by employees both during and outside working hours. Other areas often included are workplace rules in relation to the usage of email, phones, tablets, online games (including gambling) and the management of the employer’s website.
Realism and commercialism
Reactionary measures such an outright ban on access to certain Internet sites, like social media pages, on workplace equipment during work hours may not be practical, especially where key employees operate a strong social media presence from within and often on behalf of businesses. A more achievable solution may be to use an AUP to limit access to social networking sites (or limit access to certain employees) on the employer’s equipment during working hours.
It’s good to talk!
Like all policies that are there to protect your business, the key is communicating its existence and the consequences of its breach with employees, contractors and any other relevant people. Your HR function will be charged with ensuring that written confirmation is obtained from each employee confirming they have read and understand their responsibilities and obligations under the policy. It is also important that employers reserve their right to review and vary the AUP in order to take account of any future developments in Internet capability and usage.
Keep the policy alive!
The AUP is the first step for employers in protecting themselves from employees who misuse their access to the Internet in the workplace but don’t let the AUP gather dust on a shelf. If it is to be effective, it has to be a live policy. Your IT function will play a key role in monitoring phone usage, email, Internet searches and downloads. However, a word of caution. Before any form of employee monitoring takes place, sufficient measures outlining the circumstances of monitoring and fair use should be in place under the AUP permitting employers to legitimately and periodically monitor their employee’s usage of the Internet on an informed basis.
Big brother / Bad brother?
Workplace monitoring is a delicate balancing act. On the one hand, employers have a legitimate interest to protect their business, reputation, resources and equipment. On the other hand, individuals should not be expected to relinquish their privacy and data protection rights simply because they are employees.
If you are monitoring emails and internet use of employees, you must comply with the General Data Protection Regulation and the Data Protection Act 2018. In practice, employers must first be able to demonstrate that they have a lawful and legitimate ground to collect and monitor such information. There should be no indiscriminate monitoring and any monitoring should be limited to that which is necessary and appropriate. At a most basic step, employees must be informed of the purpose for which any data is being collected and that it will not be used for any other purpose other than the stated purpose.
Employers will enjoy more leeway in monitoring work correspondence as opposed to personal communications however, they also have an obligation to make sure employees aren’t using personal accounts excessively on workplace equipment or are operating with disregard to internal security policies. Where the results of any legitimate workplace monitoring uncover such trends appropriate action must be implemented in accordance with existing policies.
Business risk and financial cost
Failure to implement an appropriate AUP creates a blurred line between an employee’s private activities and their employment. Any action seeking to discipline or dismiss such employees for unapproved acts exposes employers to unnecessary complaints before the Workplace Relations Commission.
In an Employee v an Employer, an employee was awarded €7,000 for having been dismissed despite having been verbally warned to not be on non-work related Internet sites. The then EAT was critical of the employer not having in place an Internet policy to effectively manage such instances. More recently in A Beauty Therapist v A Beauty Salon, the Labour Court upheld the decision of an adjudication officer wherein an employee was awarded €10,000 having been dismissed for soliciting the employer’s customers via Facebook. Although there was an AUP in existence at the time of dismissal, it was held that the AUP was uncertain and nebulous in its application.
Conclusion
The Internet is part of the modern work life and access is essential for the effective running of any modern business. Employers need to be cognisant of the dangers of the misuse of the Internet by at least some of their employees and to pre-empt this by having in place an appropriate AUP. If an employer has not implemented a clear and precise AUP, then employees cannot be expected to know when they are committing acts that the employer finds unacceptable.
Takeaway
There is no substitute for a well thought out and well drafted AUP which is communicated and circulated to employees and most importantly, one that is put into practice within the workplace.