Posts for May 2012

Email and internet use monitoring: where should employers draw the line?

May 28, 2012 by Anne Hughes

In a world where everyone is glued to their smartphones and addicted to Facebook and Twitter, there are still a few people (usually those over 20) who want their personal communications to remain private. That is why there has been so much controversy recently over the Government’s proposals to introduce new laws allowing it to snoop on all electronic communications of UK citizens without a warrant. But how do people feel about their employers snooping on their personal communications?

Carrying a Blackberry 24/7 means that the line between your work and private life becomes more blurred, and most of us use work email for personal use. iPads are the latest “must-have” executive accessory for work and play, and people don’t think twice about forwarding confidential company documents to their personal email accounts so that they can access them away from their desks. This helps us cram more working hours into our days, and so has an obvious upside for business. But there are downsides too. 

Sensitive confidential information may be lost or stolen. As staff “tweet” about their day or post comments on Facebook about their boss’s latest antics, their right to freedom of expression and privacy comes into direct conflict with the company’s interest in protecting its professional reputation. This has led to a string of employment tribunal cases hitting the news in the past couple of years.

Here are some pointers:

  • If you want to monitor an employee’s use of emails and internet at work, the Employment Practices Code published on the Information Commissioner's Office website is essential reading.
  • Your business should have a clear internet and electronic communications policy for staff, which lays down the ground rules and explains the consequences of failure to comply.
  • Staff should be required to be familiar with the policy and warned that a breach of it will be treated as serious misconduct, which could lead to dismissal.
  • And if employees are expected to work away from the office, they should be provided with a secure way of accessing the confidential information needed to get the job done.

If it is discovered that an employee has forwarded confidential information to their personal email account, the company will want to make sure that the information has not been misused or leaked.  Often, an employer’s first step is to carry out an investigation (including a forensic IT investigation and an interview with the employee concerned). Then, the company may ask the employee to give written undertakings to confirm that the information has not been misused or disclosed to any third parties. 

Some employers demand possession of the employee’s personal computers and other devices as part of the disciplinary process so that they can search for (and permanently delete) the company’s information. Understandably, most employees will regard this as a gross intrusion into their privacy. In reality, we often store a huge amount of personal information and photographs on our personal computers, belonging to us and our families. Any proposed process for inspecting an employee’s personal devices must show respect for their privacy and property.

Here are some tips on best practice:

  • Appoint an independent IT expert, who will inspect the employee’s devices only with their consent and under their supervision.
  • The scope of the IT expert’s job should be very clearly defined and explained to the employee in advance. 
  • The IT expert should enter into a separate confidentiality agreement with the employee, agreeing not to disclose to any third party information belonging to the employee.
  • And in return for the employee’s co-operation, the company may be willing to indemnify the employee in respect of any damage to their device, software or personal data (including deletion). 

This generation of employees has learnt how to multi-task, so much so that we’re almost constantly online. The challenge for employers now is to help staff realise when it is appropriate to “switch off” from their work email. It seems that we are still working out where the dividing line should be between work and our private lives.

Anne Hughes is a Senior Associate at Fox Solicitors. She advises employers, employees, partners and firms on their full range of employment and partnership law concerns.

Changing the way the cookie crumbles - are you compliant?

May 21, 2012 by Michael Derges

Back on the 26 May 2011 the EU passed some amendments to the Privacy and Electronic Communications Regulations, further expanding its attempts to protect user privacy on the internet (in stark contrast to David Cameron's desire to wiretap every UK citizen). However, the requirements were given a grace period of 12 months before they came into effect. That means that website owners should be compliant by 26 May 2012 – are you?

Here's the definition of a cookie as used by the Information Commissioner's Office (ICO):

“The Regulations apply to cookies and also to similar technologies for storing information. This could include, for example, Local Shared Objects (commonly referred to as “Flash Cookies”), web beacons or bugs (including transparent or clear gifs).

A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device.”

Changes to EU regulations

The key change in the wording of the EU regulations is that whereas previously it was quite acceptable to assume that a user is happy to have a cookie from your site downloaded to their machine as long as you gave them a way of opting out, now it is a legal requirement to get consent before you can store a cookie.

There are, however, a few examples of exemptions to this requirement. The biggest is that cookies used to track goods being added to a shopping basket are considered to be strictly necessary and therefore exempt from the new rules.

What you need to do

  • The ICO advises taking a “cookie audit” which should entail looking at where and why you use cookies on your site. Once you’ve done this and carefully assessed which ones you need and which are no longer serving a valid purpose, you can take action.
  • The first step would be to include more detailed information for your users about what data you’re monitoring.
  • You then need to get the person’s consent to store your cookies on their machine. This can be by getting them to click an icon or check a tick box.

Getting consent

At this point there seems to be a step missing which I certainly feel is going to harm our own users’ experience of our site, and thus harm the business.

To be certain that our visitors know they’re being tracked, we need to provide some kind of pop-up or other attention-grabbing dialogue which explains our use of cookies and then asks for consent.

Now hopefully, existing customers will decide that they trust us as a company. However a new visitor may well decide that he doesn’t wish us to use cookies.

This in itself isn’t an issue. But how can we tell if this is a user we’ve had before and whether they need to be pestered about cookies again? Simple, we’ll put a cookie... Oh! Any user not accepting our cookies will have a “Please let us monitor you” alert flash at them each time they hit the site.

An alternative to this is to show a display once and then assume consent. However the ICO says that, as knowledge about the extent of cookie tracking is so low, it’s not acceptable to do this.

Why does it matter?

There are several reasons why it’s a valid concern to UK businesses:

  1. It’s the law.
  2. Your competition will be complying. Customers shop around and if you’re behind the curve they’re going to see you as either outdated, or as a company that’s trying to ignore their rights.
  3. The ICO can impose a fine of up to £500,000 on an organisation it deems to have “seriously contravened the regulations”.

However, the ICO has put together a very detailed guide explaining the changes in the law and giving some examples and suggestions of both exemptions and possible ways of tackling the issue. It’s worth taking a look.

Michael Derges is a writer and researcher for Stinkyink.com.

More advice and opinion on cookies...

• Read Rory MccGwire’s blog on the Law Society Gazette, and check out his comment below.

• Robert Peters looks at the marketing implications of the new cookie regulations on Marketing Donut.

• And IT Donut has a full guide to the new EU regulations on cookies.

Age discrimination ruling adds clarity on compulsory retirement

May 17, 2012 by Jo Davis

A landmark judgment by the Supreme Court has highlighted the issue of whether employers can justify plans to compulsorily retire someone.

The high-profile age discrimination case of Seldon v Clarkson Wright and Jakes (CWJ) on Wednesday 25 April sparked a good deal of media interest on radio and BBC TV.

The case concerned Leslie Seldon, a partner at a firm of solicitors in Kent, whom I represented at an Employment Tribunal. Leslie Seldon had appealed to the Supreme Court to be allowed to continue working after the age of 65. His case was taken on by the Equality and Human Rights Commission and by Age UK.

CWJ admitted that this was direct age discrimination but sought to justify its retirement policy on the basis that younger employees needed the opportunity to move up through the ranks, that it enabled the law firm to forward plan more easily and prevented the firm from having to remove older partners using more confrontational mechanisms, like performance reviews.

The EHRC & Age UK supported Mr Seldon's case as a means of seeking clarity as to the correct test for justification in direct age discrimination cases.  The Supreme Court used the opportunity to outline for the first time the powers that employers have to force workers to retire.  These include ensuring they have a legitimate social policy type aim — such as making way for younger employees — and the retirement is proportionate, ie appropriate and necessary. Whether it was proportionate in Mr Seldon's case will now revert to the Employment Tribunal to decide with the benefit of the Supreme Court's ruling.

I welcome the fact that the case has brought some clarity for employers in relation to the policies they need to have in place in order to compulsorily retire someone.  However, whether it will be proportionate is something that will have to be looked at by each business individually.

It is quite a minefield and companies aren’t really going to know until they are challenged whether or not they are going to succeed in showing someone’s retirement was justified.

The Supreme Court has made it clear they will scrutinise businesses on a case-by-case basis. If a company’s plans to retire someone can be justified as a legitimate aim, then the question is — could it be achieved in a less discriminatory way? For example, at 66 or 67 rather than 65.

It is about balancing the needs of older workers and younger ones who want to come up through the ranks. But this is not the end of the story for Mr Seldon. 

Whilst remitting the specific case back to the Employment Tribunal for further consideration, Justice Hale concluded more generally that in order to justify a policy it is not sufficient for an employer to show that it has an aim which is capable of being a public interest aim; they need to show in addition that it is actually a legitimate aim in the particular circumstances of the employment and it is proportionate in the circumstances of the business at the time it is applied.

Jo Davis is head of employment law at Buckinghamshire-based B P Collins LLP.
