Balancing Employer Liability and Employees Rights:
Legally Monitoring Internet Communications
Panel Discussion hosted by Clearswift
Old Parliament House, Canberra
25 February 2003.
Security in partnership with Privacy
Recent technological advances have dramatically changed the working environment. Today we are here to discuss how the information revolution intersects with the office atmosphere. There are two main issues. The first is the need for businesses to protect their systems and their business interests. The second is how these protection measures affect the rights of employees, and indeed, the rights of these people as citizens.
The business sector was quick to embrace the new technological advances. In fact, we have now seen a change from information technology advances being driven by the government, as happened in the past, to being driven by the business sector. Typically, this means business practice outpaces public policy, effectively ensuring that business practice in IT outpaces the law. Issues like security and data protection have not been driven by government standards and promotion thereof. Business has learnt the hard way.
These technological advances have come at a price. According to the Computer Security Institute Survey, the financial losses due to viruses etc. were reported to cost an aggregate total of $45,288,150[1]. The “I love you” virus and the “code red” worm are two of the most well-known examples. Businesses must constantly be one step ahead, updating their protection against polymorphic viruses.
Information can now be sent just as easily across the globe as it can be sent across an office. Unlike telephone communication in the past, there is now documentary evidence of communications.
This has led to awareness of another concern: employees’ non-work related use of email and the Internet. One statistic claims that non-work related web access during working hours accounts for 30% – 40% of lost worker productivity.[2] The relative freedom and confidentiality of phone calls stands in contrast to the evidentiary status and lack of privacy for emails in the workplace.
There are increasing reports of companies facing financial losses due to security breaches that involved theft of intellectual information.
Strict copyright laws mean that a business could be liable for software that employees have downloaded or duplicated onto the company’s system. One US company paid $US52,000 to settle claims brought by the US Federal Government and software industry.[3]
It is now well known that employers are responsible for ensuring that acceptable standards of behaviour are observed in the work environment. Sexual harassment is prohibited in all Australian States and Territories. The sending, receiving or displaying of images, jokes or cartoons of an offensive, racist or discriminatory nature breaches these standards. According to the ePolicy Institute, “50% of employees reported receiving racist, sexist, pornographic, or otherwise inappropriate email at work”[4]. The most widely reported case of this kind was when Chevron had to pay $2.2 million to female employees to settle a sexual harassment lawsuit due to offensive material emailed by male employees. With issues such as these, it is no wonder that management is concerned and seeking ways to protect companies by means of monitoring employees’ computer usage.
However, as today’s discussion demonstrates, managers are not the only ones greatly concerned. Many unions, employee organisations and civil rights groups are equally interested in employees’ right to privacy, and rightly so. The Sydney Morning Herald reported in May 2001 that:
Research by law firm Freehills last year showed that 76 per cent of the top 2000 Australian companies periodically monitor email, and 65 per cent do it without notification.[5]
While it can be claimed that this kind of covert surveillance is necessary to protect employers’ legitimate interests, many employees are not aware that the electronic messages that they send or receive may not be considered their own personal property.
The monitoring of emails or Internet use can disclose a variety of personal information that workers would not have communicated in public. These can include health concerns, relationship details or even financial anxieties. According to Weisband and Reining, employees will express themselves more openly in email than they would if being observed[6].
This happens because employees are under a misguided impression of privacy. Since the use of passwords and logins has become standard business practice, employees mistakenly believe that no one can access their emails. Employees tend to view email communication as being of the same transitory nature as telephone conversations.
Legally, emails are considered as official documents that are subject to the same laws as any other form of correspondence. You may remember that the antitrust lawsuit brought against Microsoft Inc was based in part on internal email messages circulated by Microsoft employees. Employees also wrongly believe that once they have deleted an email it is no longer accessible on the system. Many employees are unaware that the sites they visit on the World Wide Web may be logged and that their surfing activities can be monitored.
An important factor to realise is that banning employees from any private use of e-mail and the Internet can have a dramatic effect on staff morale, productivity and retention. This is especially true when it is remembered that employees are working longer hours. Figures from the ABS show that as of November 2000, 44% of women and 28% of men regularly work overtime and are not paid for it[7].
For many workers e-mail is the most effective and efficient way to stay in touch with family members. For example, in my own office, during the recent Canberra bushfires, one of my employees was able to monitor streets or areas that were at risk by listening to updates on the local ABC radio that was streaming on the net. She was also able to email the people she lived with to arrange a contingency plan if their house was placed at risk. If my office had implemented a system that prevented non-work email, or prevented her from accessing the Internet, then I would have lost one day’s productivity from that worker. She would not have been able to complete her work or perhaps not even stay in the office, whilst wondering if her house was safe from danger.
To allay employees’ fears, employers need to understand that surveillance should only be used if there is a situation that needs to be investigated. As John Weckert, associate professor of information technology at Charles Sturt University, states:
“Workplace surveillance should only be used in response to a known or suspected problem” “Randomly monitoring employees, just to see what they’re doing – fishing expeditions – should be avoided.”[8]
This is the approach theoretically used by Telstra. Emails would be monitored only if there was suspicion of something illegal or against company policy. According to a spokeswoman for Telstra, Megan Lane, “We keep a record of sites that are accessed but they are generally not referred to unless there’s cause to.”[9]
To protect workers, the Privacy Act 1988 was amended and on the 21st December 2001 the Privacy Amendment (Private Sector) Act 2000 came into law. The Act enforces the ten National Privacy Principles (NPPs). These outline the way that private organisations collect, use, disclose and safeguard personal and other information stored on systems. By using the guidelines outlined by the NPPs it is at least possible for employers and employees to strike a balance between workers’ rights and employers’ needs.
One weakness in the Act, however, is the funding, powers and applicable penalties of the privacy watchdog, the National Privacy Commissioner. This means that if unscrupulous employers do not respect the rights of workers, then the chances for successful prosecution under the Act are significantly reduced. This undermines the deterrent effect of the Act.
Rather than go into full detail of all ten of the NPPs I want to highlight just a few.
NPP 1 deals with the collection of information. NPPs 1.1 and 1.2 place restrictions on the collection of personal information, requiring that it be necessary, lawful, fair and not unreasonably intrusive.
NPP 2 deals with the use and disclosure of personal information and states that an organisation must not use or disclose personal information for a secondary purpose (unless one of the listed exceptions applies).
NPP 4 deals with Data Security. NPP 4.1 requires organisations to take reasonable steps to protect the personal information they hold from misuse, loss, unauthorised access, modification or disclosure. This means any information held must be secure from cyber attacks such as hacking, and from accidental disclosure.
NPP 5 deals with Openness. NPP 5.1 requires that an organisation set out in a document a clearly expressed policy on its management of personal information. This is where a comprehensive Privacy and Acceptable Internet and Email Usage policy can be developed by organisations.
What is acceptable use of IT services, including aspects such as:
What is considered work and non-work related usage
Policy on receiving personal email messages
Policy on reading and posting Usenet messages
Policy on using instant messaging software for personal messages
Conditions for accessing the World Wide Web
It should also include what is unacceptable use of IT services including prohibited activities such as:
Dissemination of any material with content that breaches the equal opportunity or sex discrimination legislation
Circulating confidential information of the organisation
Personal commercial purposes
Sending unsolicited bulk email
Any purpose considered illegal
There should be an outline of the consequences of unacceptable use.
Any policy developed should be in plain English and made available to all employees.
Any policy developed should be reviewed regularly to keep up with new technological developments.
If the NPPs are adhered to and an organisation develops an Internet and Email Usage policy, then there should be no need for employees to fear for their privacy. Employees will feel safe if they know that any monitoring of computer systems is not covert, is lawful and is necessary. Workers may also feel more protected if they know any information about them is secure and cannot be distributed.
Workers will also know what will be expected of them and what the consequences will be if they breach the company’s policies. Employers will feel safer knowing that they have taken steps to protect themselves and their employees from breaches of security. They will also have taken steps to limit their liability for sexual harassment offences.
They will not need to fear for loss of productivity from workers. If both parties commit to a partnership of privacy and security, then it will be possible to relieve some of the needless stress faced by workers and the unnecessary costs to business. Ultimately, it is employers who have the power and therefore the responsibility to engage with employees about privacy and security. Through a commitment to education, awareness, flexibility and mutual respect in the workplace, privacy and security can co-exist.
[1] Computer Security Institute Survey 2002
[2] IDC June 2001
[3] American Management Association The Employer Fact Sheet http://www.amanet.org/books/catalog/0814470912_fs.htm accessed 30/01/02
[4] The ePolicy Institute eMail Policies http://www.epolicyinstitue.com/e_policies/index.html accessed 30/01/2003
[5] Peter Vincent Sydney Morning Herald Wednesday 16th May 2001 Caught in the Net
[6] Ritu Agarwal Mine or Ours: Email Privacy Expectations, Employee Attitudes, and Perceived Work Environment Characteristics www.univ-montp2.fr/~crego/cahiers/25.pdf
[7] Media Release 6342.0 Women More Likely to Work Unpaid Overtime http://www.abs.gov.au/ausstats/abs@.nsf/0/3489079AC20EE59CCA256AB10081BADF?Open
[8] Karen Dearne, Are you being monitored? Australian Wednesday 8 January 2003 accessed from the Palinfo Database
[9] Peter Vincent Sydney Morning Herald Wednesday 16th May 2001 Caught in the Net








