Monitoring and control of employee use of email and the internet

Anthony Drake, Senior Associate | Wednesday 25 May 2005

Introduction

The recent investigation by New Zealand Police into internet and email abuse, which resulted in disciplinary action for 330 employees, should serve as a wake-up call to employers.

While the internet and email are valuable communication tools, employers need to be aware of the implications of the electronic exchange of material - both internally and externally - between organisations and employees.

Some employees' internet activities may leave the organisation vulnerable to undue or unknown risks, potential productivity losses and expense as a result of misuse or abuse. 

Potential liabilities for employers

Employers should regulate email and internet access to avoid criminal or civil liability for the wrongdoing of their employees under various statutes and common law. 

This newsletter explains the legislation governing pornography and censorship, confidentiality, harassment, and the privacy issues of monitoring employees, and outlines how employers should best handle breaches of email and internet policy.

What's on the hard drive?

The censorship of pornographic material in New Zealand is governed by the Films, Videos & Publications Classification Act 1993 ("the FVPC Act"). 

The FVPC Act defines pornography as material that is "objectionable" and classifies and regulates such publications. 

It is an offence under the FVPC Act to supply or possess objectionable publications, and employers should be aware that the FVPC Act expressly excludes knowledge or lack of reasonable belief as a defence.

The FVPC Act was recently updated to broaden the definition of a "publication" to include electronic storage devices such as CDs, hard drives and computer files. The fines and liabilities under the FVPC were also increased.  Offences of:

  • strict liability for the possession of objectionable material now face maximum fines of $10,000 for an individual (was $5,000) and $30,000 for a corporate body (was $15,000); and

  • possession or distribution of objectionable material involving knowledge or reasonable cause to believe the publication is objectionable face a maximum imprisonment of 10 years for an individual (was one year) and a maximum fine of $200,000 for a body corporate (was $50,000).

A new offence is also created in relation to possession of objectionable publications and involving knowledge under which an individual can face up to two years imprisonment or a $50,000 fine and a body corporate can face up to $100,000 in fines.  Appropriate search warrant powers are also created by the Amendment Act.

Keeping it confidential

Under the common law, employees have an obligation not to use or disclose confidential information. As employees are free to exchange information from their computers, a major concern for employers is controlling the disclosure of their organisation's confidential information.

Although the employment contract may expressly require confidentiality, employers can claim some protection of confidential information, even after the termination of employment and even without any contract with the employer requiring confidentiality. 

When confidential information relates to a trade secret in the strict sense, such as technical information on machinery or a process, as distinct from a profitable business connection, the general obligation of confidence continues after the termination of employment.

However, confidentiality obligations are difficult to enforce - and once the information has been disclosed the damage has already been done.

If an employer is aware that information is about to be used by an employee (or ex-employee) for an illegitimate purpose, you can seek an injunction against the individual. 

If information is disclosed you can seek damages; however, it may be difficult, if not impossible, to quantify the loss. 

If the employee was still employed by the company when the disclosure was made, dismissal or other disciplinary processes may be justified.

E-harassment?

Email or cyberspace harassment may expose employers to claims from employees of sexual harassment. 

In New Zealand, the Employment Relations Act 2000 provisions on sexual harassment are similar in scope to the provisions of the Human Rights Act.  Sexual harassment is a type of personal grievance defined in the Employment Relations Act 2000.

Employers may be held liable in addition to the offending employee if they have not taken adequate measures to prevent sexual harassment or to investigate a complaint. A clear email policy and effective monitoring of employee use are ways to ensure that the preventative requirements have been met.

In the case Blakely v Continental Airlines, the New Jersey Supreme Court ruled that email postings by employees on an internet bulletin board may constitute workplace harassment for which an employer can be liable if the employer fails to remedy the problem.

Blakely, a female pilot, was successful in her claim that her fellow employees used the Crew Members Forum to post defamatory and harassing comments about her and that her employer failed to take any steps to remedy the problem.

An employer has a duty when the employer knows of or has reason to know that such harassment is part of the pattern of harassment that is taking place in the workplace (even if these postings are made during non-working hours or on a website which an employer does not control).

Privacy issues

In New Zealand, an individual's privacy has been infringed if one or more of the 12 Information Privacy Principles set out in the Privacy Act 1993 has been breached.

The principles apply in any situation where information about an individual is collected or held by an agency.

The question remains whether material in employees' emails would be defined as "information about an identifiable individual".  While some personal email messages could hold such information about the employee, many would not. 

For example, jokes or offensive material that are not about the employee would not be personal information and therefore not covered by the Privacy Act. In terms of the Information Privacy Principles:

(a) 

Principles 1- 4 regulate the purposes for which and the manner by which information may be collected.  Collection does not include the receipt of unsolicited information.  Personal information put on an employer's intranet or email system by employees voluntarily is therefore not solicited and therefore not collected. 

(b) 

Principles 5 - 11 apply to the way in which information held by an agency is stored, able to be accessed and corrected by the individual concerned.  These principles set out limits on the use of personal information held by the agency and apply regardless of how the information is obtained.

Organisations could consider monitoring employee emails to ensure compliance with their email policy, but they may be opening themselves up to further liability.  

When a company monitors employee emails, those monitoring the information could easily stumble across personal information in the course of their work - and the Privacy Act could apply to the email monitoring itself.

In such a situation, employers could find themselves liable for breach of the Privacy Principles, because of the insecure storage of personal information about an employee.

Principles 1 - 4 do not prohibit an employer from accessing information and viewing email messages on its email network.  However, principles 5 - 11 apply to the way in which information is held and used by an employer.

Where practicable, inform your employees that you will carry out random checks of emails.  It seems that an employer may lawfully monitor employees' use of email without notification where it has a good reason for doing so, such as ensuring pornographic material is not being distributed.

However, until more specific guidance from the Privacy Commissioner is received, be careful that monitoring is not carried out in a way that would be an unreasonable intrusion upon the personal affairs of the individual. Both current or dismissed employees could make a complaint under the Privacy Act.

If you can provide a legitimate reason to monitor and access employee emails, you will reduce your exposure to a complaint being made under the Privacy Act. 

Breaching email policy

It is a good idea to specifically set out the consequences of breaching your organisation's email policy.  Consider stating expressly in employment contracts that email-internet abuse is serious misconduct, which will justify termination of employment.

In a recent case on dismissals arising out of the breach of an email policy, Wilmott v Bank of Western Australia Ltd, the Western Australian Industrial Relations Commission (IRC) has warned employers that trivial breaches will not justify summary dismissal.

The bank dismissed an employee, a specialist programmer, for storing offensive and inappropriate emails in a folder marked "humour".  The emails were cartoons which the IRC found were at best "dirty jokes" rather than pornography, even though two of the emails depicted an act of sex.

The onus is on an employer to demonstrate that a summary dismissal is justified.  In this case the IRC found that the termination was harsh because the breach of the email policy was trivial and that an appropriate penalty would have been counselling, a warning or a demotion for a short period of time.

Avoid strict and uncompromising application of your policies.  While it is important to apply a policy consistently, consider fully the circumstances of each case before the harshest penalty under the policy is applied.

Other issues

Surfing all day

Time spent on the internet or email can lead to a loss of productivity which may in itself be a breach of the employee's duty to devote their working time and attention to their employer's business.

In an English case Franxhi v Focus Management Consultants Limited, the Employment Tribunal found the employee to be fairly dismissed after she logged onto a holiday internet site 150 times during working hours.

The Employment Tribunal held that the employee was guilty of serious misconduct.  The employee claimed unfair dismissal, maintaining that the reason for her dismissal was her pregnancy but the Tribunal ordered that she had acted in breach of contract.

Conclusion

The starting point for any discussion on the use of email and/or internet access in the workplace should be to identify and clearly state why these technologies are available in the workplace.

Whilst Privacy Act issues in New Zealand have not been finally decided, in terms of how the principles apply to email networks, the Commissioner did recommend in a 1996 address that:  "Companies should adopt clear policies and make them known."

In summary, employers should provide adequate safeguards to protect both the organisation and the employee. 

For further information, please contact your usual Bell Gully adviser or:

Auckland

Rob Towner
Partner

Wellington

Andrew Scott-Howman
Partner


Disclaimer

This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.

Link to PDF Download full document
(83KB PDF Document)

To view this document you will need to download a copy of Adobe Acrobat.

Related Expertise Areas: