The Privacy of Data in Motion

The recent draft on employee monitoring, released earlier this year by the U.K. Information Commissioner, has caused a stir among employees and employers.

The draft, stressing that organizations can no longer monitor staff secretly and should rather put effective email policies in place, brings to light the sensitive debate of employer responsibility versus employee privacy, and the challenges that lie ahead.

Over the last two years, the growth of the Internet and email has kept the subject of employees' rights vs. corporate security under an increasing political and media spotlight. As email and Internet monitoring grow, so the number of disciplinary actions continues to increase, leaving individuals unclear about their rights to privacy in the workplace. The struggle to balance the individual employee's right to privacy and security with an organization's responsibility to protect its own employees and its intellectual assets has become increasingly intense. New legislation seeking to address this is resulting in new and complex compliance challenges for business.

Cases in Point

High-profile cases have added to the uncertainty. In January 2001, BBC News reported that U.K. insurance company Royal & Sun Alliance had sacked ten people and suspended at least 77 at its offices in Liverpool, U.K. over the distribution of lewd emails, including one featuring cartoon character Bart Simpson. An internal investigation was launched after a member of staff at the company complained about an offensive email, reportedly showing the character from the hit cartoon series The Simpsons in a sexual clinch.

Even more recently, on July 22 BBC News again reported that 150 people working at Hewlett Packard U.K. had been suspended - and two dismissed - for alleged email abuse.

Business Continuity at Stake

Legal liability, corporate responsibility, employee protection and company reputation are indeed top concerns of employers. Other threats to business continuity include network degradation due to virus attacks, theft or loss of data, and lost productivity.

The Melissa virus alone was been estimated to cost businesses many millions of pounds. The LoveLetter virus went around the world in a matter of hours, infecting many large and small companies' systems. The cost of virus attacks worldwide in 2000 is reported by Mummert & Partners as causing business damages totaling $17.1bn (£12bn).

In August 2001, SC Magazine reported that about 90 per cent of any company's intellectual capital - its inventions or know how - can be found in a digital format. Of that, 45 per cent of those corporate ideas are stored in an organization's email system at any time. Gartner Group has valued the loss of business information through email at over $24bn (£16.8bn) a year.

In terms of lost productivity, IDC claims that 70 per cent of personal e-commerce is conducted at work. It is therefore unsurprising that employers are turning to monitoring.

Just over 25 per cent of the global online workforce, or 27 million employees, had their Internet or email use monitored by their employers in 2001 according to the Privacy Foundation. Worldwide sales of employee monitoring software are estimated at $140 million per year. Using various types of scanning software, companies are analyzing incoming and outgoing email and detecting, blocking or quarantining emails and attachments they consider to be inappropriate or threatening. But, do employers have the right to monitor?

Legislation Matters

Conflicting legislation covering the issue of email and Internet monitoring and workplace privacy has made this question difficult to answer. One of the most controversial pieces of U.K. legislation on this subject is the Regulation of Investigatory Powers (RIP) Act, and more recently, the draft code of practice issued by the Information Commissioner. Add to this the Human Rights Act and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulation 2000, and you have a complex legal scenario.

Commonsense, however, suggests that companies must create, implement and monitor email policies which strike a balance in addressing the concerns of protecting the company, its employees and the employees' right to privacy. Companies have, after all, been wrestling with balancing these same concerns for many years in the context of the use of company telephones, cars and computers.

Setting the Parameters

The new areas of law are yet to be widely tested. So, currently, the best advice to employers is to obtain consent to intercept or monitor employees' use of email and the Internet through establishing acceptable-usage policies. These policies make it clear to employees how and when they will be monitored, and spell out what will happen if employees breach the policy.

Importantly, employers not only need to establish policies but also ensure that the list of prohibited uses is frequently viewed and easily amendable to be able to handle newer technologies. They also need to recognize that technology, although essential, is not the only enforcer of policy. Corporate culture and management expectations play a critical role in defining how an email and Internet monitoring policy is set up and implemented.

For example, in some places, it is better to say that the Internet is to be used for business purposes only, and there should be no personal use of the Internet. But then there are those four million U.K. employees who are working more than 48-hour weeks? When do they get to shop or do other personal things? It may be that their organizations are Internet and computer-oriented, in which case, this may be necessary to achieve their organizational goals and may be an accepted part of their culture.

At the same time, employees need help in preventing 'bad' content being sent outside or within the organization. From my experience much of the email abuse that is committed is accidental, rather than malicious. Apart from preventing human error however, we have strong anecdotal evidence of the other benefits accruing from responsible monitoring. One of Clearswift's customers in the Far East used our image management software to stop new car prototype images leaving the company en route to a competitor. Another Clearswift customer used our software to detect death threats to an employee whose parents are from Afghanistan.

So, from the perspectives of protecting intellectual property rights and fulfilling the employer's duty-of-care obligations to employees, there is a strong case for responsible monitoring of employees' emails. In fact, we might go so far as to say that for employers not to monitor emails could be construed as irresponsible or posing an unacceptable risk.

A Challenging Future

Despite developments, this area of employment relations and employment law will continue to face challenges. Technology is changing rapidly: employees can now send email and search Internet sites while on the road using their mobile handsets, while at the same time their phones will potentially allow their employers to monitor their exact geographical location at all times.

A policy, once effectively established, regularly discussed with employees, and consistently enforced through the appropriate technology, will play a more critical role than ever in lending consistency and predictability to the process of monitoring the workplace - and help to address the issue of privacy.

Paul Rutherford is chief marketing officer for Clearswift (

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.