The draft Code of Practice sets out standards for using any personal information that relates to employees and includes a section on the monitoring of e-mail and internet use. It provides that employers must be open about monitoring and should not intrude on the privacy of the employee. It also says that, where possible, monitoring should be limited to an automated process. In all cases the employer must establish a business purpose for monitoring and ensure that the impact on staff is not out of proportion to the benefits to the employer.
IT Week reports that David Smith, the Deputy Data Protection Commissioner, has admitted that the draft lacked clarity. Accordingly, there is a proposal to split the Code into separate sections, which is likely to delay publication of the authoritative version.
However, the Data Protection Commissioner has given no indication that the proposals in the Draft are likely to be changed in any significant way, despite criticism from the Confederation of British Industry (CBI), whose response was one of around 70 to the Draft.
The Code is not a new law; rather, it is guidance based on existing law. Accordingly, the safest practice for any business is to comply now with the guidance contained in the Draft.
Among the standards for an employer to follow in monitoring e-mail and internet use are:
- Do not monitor the content of e-mails unless the traffic record alone is not sufficient.
- Do not open e-mails which are clearly personal.
- Provide a mechanism for employees to delete e-mails from the system.
- Set out limits of permitted use and specify any restrictions.
- Do not monitor sites visited/content viewed unless the business purpose cannot be achieved by recording the time spent on the internet.
- In using results of monitoring, take account of the ease with which sites can be visited by accident, and always give the employee an opportunity to explain or challenge the results.
- If you permit employees to access the internet for personal reasons, ensure that no record is kept of the sites visited. If this is not technically possible you must ensure that employees are made aware of what is retained and for how long.
For more information on this and the introduced Regulations that cover monitoring, see our Article, Monitoring employee e-mail and internet access.