These war stories should help to identify and assess the impact of email communication within the organisation and the need for careful monitoring of business email communication.
All publications have been
referenced in their entirety so that ownership of their content
remains with the original writers.
The author provides this information
as is, with no warranty on its accuracy or legal soundness.
Computing, March 24, 2005 p22
Comment - Avoid legal risks of watching your staff. IT
must work with HR to communicate a clear policy on employee
email and internet use, says Edward Goodwyn. (Column) Edward Goodwyn.
COPYRIGHT
2005 VNU Business Media Europe
IT and HR
directors alike may be alarmed to learn that in February an
employment tribunal awarded [pounds sterling]26,000 to a woman
who was dismissed by her employer for sending more than 300
personal emails, many of which were sexually explicit, to her
girlfriend, using a work computer.
The concern
for employers is that this case found in favour of the
ex-employee because she had been given no prior warning that her
employer would regard her behaviour as inappropriate. If the
employer had in place a clear policy on email use, it would not
have lost.
Given the
potential liabilities involved, IT and HR directors need to work
together to reduce the risks involved in monitoring email and
internet use, and acting upon misuse.
From a legal
viewpoint, basic best practice needs to be applied, and the IT
function has to work with the rest of the organisation to
develop a formal, written email and internet use policy. This
policy should clarify to what limited extent work computers are
available for personal use; when, why and how email and internet
use on work computers might be monitored; and to whom the
findings might be disclosed. The sending of offensive or obscene
material via work computers or other devices, such as mobile
phones, should be expressly forbidden.
It is
essential that this policy is communicated clearly to all
employees, and that regular reminders are made.
This policy
should also contain consent wording, for example: 'Your first
use of business equipment for private use demonstrates your
consent to the terms of this policy.' Make employees aware of
the importance of the policy by notifying them, in writing, that
breaches may cause the company to take disciplinary action
against them, which may ultimately lead to their dismissal.
Employee
monitoring is governed by the Regulation of Investigatory Powers
Act 2000 and a set of regulations made under that act, called
the Telecommunications (Lawful Business Practice) (Interception
of Communications) Regulations.
These give
employers plenty of lawful grounds for monitoring the electronic
business activities of their employees - for example, to check
that the telephone system is not being abused by employees
ringing relatives in Australia, or to make sure that if
contracts are being formed by the exchange of emails, they
contain the correct terms.
To monitor
staff telephone calls legally, all an employer has to do is make
reasonable efforts to ensure both parties know they are being
monitored; this is why you often hear a recorded message at the
start of a phone call telling you the call may be monitored 'for
quality and training purposes'.
Difficulties
arise when the organisation, wishing to extend benefits to its
employees, allows staff to have private use of business
equipment. In this case, the only grounds the employer has to
monitor the private communications of employees is with the
consent of both parties. This consent is quite easy to obtain
from staff - just include the consent statement described above
- but how do you obtain it from third parties, particularly
senders and recipients of emails from your employees?
The best
method anybody has been able to devise so far is to include a
statement at the end of all emails stating that they might be
monitored in certain circumstances, and that by responding to an
email from an employee the other person is deemed to consent to
this.
Of course,
you could ban all private use of business equipment, but most
employers use this as an added benefit, so they allow private
use but need to realise this will affect their powers of
monitoring.
Many
organisations have yet to develop or implement simple procedures
and policies that will protect them. Although it could be
considered an HR issue, there is a clear responsibility for IT
professionals to make their organisation aware of the potential
risks as technology and related abuse emerges, and to consult on
best practice.
Software World,
Nov 2004 v35 i6 p10(1)
Ignorance is no defence--implications of email retention
and best practice.
(STORAGE) Andrew Barnes.
COPYRIGHT
2004 A.P. Publications Ltd.
How long
should we keep our email for? Should we ever delete anything?
And how can we tell what to keep and what to delete?
Recent
research, such as the Radicati Group's report Email Archiving
Market Trends, 2003-2007, reveals that senior management place
great emphasis on the importance of corporate email archiving.
However, there is also considerable discrepancy between the
noted importance of email archiving and the lack of actual
implemented email archiving policies. Radicati also predicts that
the number of worldwide corporate email mailboxes will reach 421
billion by the end of 2003 and believes the market for email
archiving vendors will reach over $126 million by year-end 2003.
The one
strong lesson our customer companies say they have
learned over the past eighteen months is that
reputational risk is every bit as important as the actual credit
risk of being caught out on data retention. The very nature of
email is transient, and lawyers view emails as electronic moving
targets. What does this mean? Senior management and directors
are considered to have a duty to recognise and manage risks to
ensure that their organisations are compliant. What many people
don't realise is that they can be held liable both for a lack of
email monitoring and for excessive monitoring of email use, as
well as for failure to retain documents and records.
Faced with
the volume and complexity of current legislation and fiduciary
requirements, corporate customers are increasingly asking KVS to
provide guidelines on setting email policy. These include:
KVS' Top Ten
Best Practice Guidelines For Corporate Governance of Email:
1. Retention
and deletion decisions should be made at the management level,
not at the individual user level. (Although users can delete
mail from their personal inbox, the organisation should define
its overall policy for email retention, for example, what to
keep, where to keep it, how long to keep it and what to delete).
Ensure that policies are enforced centrally rather than relying
on user discretion.
2.
Responsibility for policy enforcement should be at a management
level, but everyone needs to play a part.
3. Bring
together usage and retention policies for email and other
documents (e.g. letters, faxes, non-email documents held in
filing systems and other stores).
4. Policies
should address external and internal email.
5. Email
policy should be driven by corporate governance goals and, where
applicable, regulatory requirements, and not simply by IT goals.
6. Use
technology to facilitate rapid discovery of email content.
Ensure the IT infrastructure can deliver on the business policy.
If an organisation uses a system that it knows is not compliant
then it can be held liable, even though it may be 'best of
breed'.
7. Data
Protection is all pervasive in the EU. Records containing
personal data must be deleted once their retention periods come
to an end. Whilst those records are held, individuals have a
right to see their content.
8. If the
organisation is subject to email usage regulation, including
routine internal/external audit processes, then put email review
in place as part of the management process.
9. Ensure
that policy implementation can be audited and is visible to
management and, if appropriate, to external regulatory bodies.
10. Ensure
that all users are fully aware of email retention policies being
upheld within the organisation. Provide comprehensive staff
training if appropriate.
11. Ensure
that technology solutions are transparent to users and can scale
to cope with the organisation's email volumes.
Regardless of the
size of your organisation, if you're using email for any sort of
business correspondence you need to understand the legal
implications both of retaining these emails for the period
required in an easily retrievable and searchable manner, and of
deleting them after the legal retention period passes.
Failure to properly appreciate the implications of corporate
governance on email can be a costly mistake both commercially
and legally.
Andrew
Barnes, KVS
www.kvsinc.com
New Media Age,
Jan 29, 2004 p14(1)
Financial companies break rules by not monitoring email.
(Trends) (Brief Article) Yinka Adegoke.
COPYRIGHT
2004 Centaur Publishing Ltd.
Over half of
UK financial services companies don't monitor employees' use of
email, the Internet and other electronic communications. New
research from technology firm Orchestria revealed that 56 of 100
banks surveyed last year were found to be at risk of unknowingly
breaching regulations such as the Financial Services Authority
code of conduct by not monitoring email. Only 22% already had a
monitoring system installed, while 14% were planning to spend on
software to strengthen their systems.
orchestria.com
Edited by
Yinka Adegoke yinka.adegoke@centaur.co.uk
Internet Magazine,
Sept 2003 i107 p11(1)
Watching you watching me. (News).
(Employment Practices Data Protection Code)(Brief Article)
COPYRIGHT
2003 EMAP Media Ltd.
Information
Commissioner Richard Thomas has published long-awaited
guidelines on how employers should monitor their employees'
computer use.
The third
part of the Employment Practices Data Protection Code,
'Monitoring At Work', describes the need for employers to be
transparent about their email monitoring activities and balance
their needs with the rights of their employees.
Small
businesses are able to obtain a complimentary plain English
guide which outlines some basic dos and don'ts.
"If an
employer has to check how staff are using computers at work,
they should make sure they know how and why the checks will be
carried out," the Information Commissioner said. "In reality
there are few circumstances in which covert monitoring is
justified."
The
publication of the code has been welcomed by the Trades Union
Congress, which has launched a website, worksmart.org.uk, to
help employees understand the implications of the Code.
The
guidelines are, however, not legally binding, and industry
representatives have warned employees to be aware that
information that goes over a company's network is the property
of that organisation.
BT, for
example, has reportedly sacked more than 200 employees for
accessing pornography at work over the past 18 months. The
telecoms giant warned staff in an email last year that accessing
pornography was against company policy, and it would not be
tolerated. However, despite a second warning, many employees
continued the practice.
"It is the
organisation that is ultimately liable for even accidental
security breaches," said technology consultant at messaging
specialist Mirapoint, Jamie Cowper.
www.dataprotection.gov.uk
Database and Network Journal,
August 2003 v33 i4 p4(2)
Stop snooping on employees.
COPYRIGHT
2003 A.P. Publications Ltd.
Nobody likes
to feel they're being watched all the time or that their
employer doesn't trust them. But in some workplaces, every bit
of email written is scrutinised, and every web site visited is
checked out by employers. Apart from the detrimental effect this
has on employees, it is a hugely expensive and totally
unnecessary waste of time.
At the other
end of the scale, some companies have no rules, management or
controls over email and a similar attitude when it comes to the
web. This puts both the company and employees at risk.
The 'burying
your head in the sand' approach is just as inappropriate as the
'big brother' approach, because there are effective solutions
available to deal with the management and regulation of email
and web use. There is a happy medium between these two extremes.
Why monitor?
Why do we
need to consider monitoring email and the web at all? There are
a number of legal, moral and business issues. Companies need to
protect their employees from racism, sexism and pornography. If
they don't, they can be prosecuted. The American oil company
Chevron, for example, had to pay US$ 2.2 million to employees
offended by a sexist joke circulated around the company. There
are many less expensive, but just as unpleasant, examples in the
UK.
Clearly, if
there is unfettered use of the web, unsuitable material can be
downloaded into the work place and distributed inside and
outside the company with no control over the legal consequences.
Failure to manage racist, sexist, pornographic or just plain
libellous content has been shown repeatedly in court to be
expensive in terms of fines, legal costs and perhaps worst of
all reputation. One thing is abundantly clear--ignorance is not
a defence in law.
There are
several other important issues if email and web use is
uncontrolled. Company confidential material can be and often is
easily emailed out of the workplace by ambitious, mischievous or
disgruntled staff members. No sales manager in their right mind
would let a sales person walk out of the workplace with the
customer database tucked under their arm. But the same sales
person could email the list out even more easily, if there is no
email management system in place.
There are
also major productivity implications if email isn't managed
properly. Research from IDC and Gartner Group suggests that
30-40% of all email in organisations is personal. Failure to
deal with this issue is expensive for both the business and for
shareholders, as well as penalising hardworking staff.
Additionally,
personal email traffic and its associated attachments
significantly increases network traffic and the overall load on
your Internet connections. This adversely affects not only the
performance of the whole network, but also has a potentially
negative impact on important email communications with
customers.
Big brother?
When there is
too much monitoring of email and the web, problems also arise.
It is a waste of time and money to read everything that is
written in emails, checking all the attachments, and checking
out every single web site visited. Also, it is not consistent
with other company policies, as most companies don't read every
letter into and out of the building, nor do they listen to every
telephone call. Staff disciplined for email abuse can feel
aggrieved if the same standards are not applied throughout a
company's communications.
Finally, it
is an activity which companies will eventually be unable to keep
up with, because email and web use is growing at such an
exponential rate. Scrutinising everything may be working today,
but it will almost certainly be unmanageable in a few years or
even a few months time. IDC estimates that around 15 billion
emails are sent each day with that number rising to 35 billion
in 2005. In a further study, IDC projected that 977 million
people worldwide will use the Internet by 2005, with 50% of
these doing so from a business location.
There is also
the undeniable fact that people don't like to feel their every
move is being watched, their every word scrutinised. The 'big
brother' approach can leave staff feeling inhibited in what they
do and positively hostile towards management and the company.
What happens,
therefore, if you catch a large number of people breaking the
rules? Do you sack half your work force? This has happened
recently with some companies and it perhaps illustrates that
when you start monitoring, you have to be absolutely clear what
the rules are, how rule breakers will be dealt with and what is
a sackable offence. Additionally, companies have to tell people
that they are monitoring, or they could find themselves legally
liable for snooping on staff.
The right balance
How do you
find the right balance that will keep staff happy, keep the
board happy and fulfil all your legal, moral and business
obligations? Firstly, you need a policy. You need to clearly
decide and record what will be allowed and what will not be
allowed.
You also need
to think very clearly what the purpose of managing email is and
what the consequences will be for those who do not follow the
rules. While this sounds blindingly obvious, it is apparent from
a number of high profile sackings of highly trained staff by
major companies, that punishment is a major component of their
policy rather than management. Some companies have lost sight of
the original purpose of monitoring--to help grow their business
and meet their legal requirements. Once you have decided on the
rules, the most important thing is to make them crystal clear to
staff. After that you make the consequences for transgression
similarly clear. Will it be verbal warnings, instant dismissal,
or some other reprimand? It would be totally unfair to sack
someone for something they haven't been warned against.
Fundamental
to the effective implementation and management of email and web
access, is staff buy-in. Managers should explain, for example,
why it is crucial that the customer database is not emailed out,
and how this could adversely affect the company's profitability,
and the employees' own job security, if this happens.
This enables
employees to be aware of the purpose of the policies, both as
benefits to themselves and to the company. If someone is
disciplined, the reaction is more likely to be relief that they
have been stopped, rather than sympathy for the staff member and
resentment against the company.
Education and
training are key parts of any email and web strategy. Policies
should be explained and staff given any training needed to
comply with these policies. Surprisingly, many companies have
policies, but fail to train their staff on how to carry them
out. In an IDG survey in the US, 81% of responding companies had
an email policy, but only 24% trained their employees on the
policies.
Managing without snooping
The next step
is to monitor in a workable way. This can be done by automating
the monitoring process and monitoring for exceptions. You don't
have to physically keep someone permanently engaged in reading
emails and checking all web sites visited. But you can still
check everything coming into the building, going out of the
building and circulating around the building.
Solutions
such as Clearswift's MIMEsweeper range provide effective
management by exception. Monitoring by exception selects only
emails where the rules have been broken.
Similarly,
when dealing with the web, Clearswift's WEBsweeper bars access
to selected categories of web sites and constantly monitors for
inappropriate activity, informing you of any problems.
Sophisticated 'web filtering' solutions such as Allot's NetPure
use artificial intelligence for more flexible and more selective
web monitoring.
The rules
don't have to be rigid. For example, some companies will allow
staff to surf the web on permitted sites (e.g. sports and
leisure) during their lunch hour, when less work is being done,
but not during peak business hours. Some companies will allow a
limited amount of personal emailing, in the same way that some
companies allow a limited amount of personal phone calls. These
steps show employees that the company is being reasonable and
listening to their needs, but also clearly says that there are
rules. On the email side, you can use software which will pick
up key words in emails, such as swear words or words associated
with pornography, racism or sexism. Such software can be context
sensitive, so for example, it may allow in the word 'bloody'
once in an email, whereas twice might be a problem and more than
twice would probably get picked up, especially if it's in
association with another swear word.
You can
manage your response to such emails. You might choose to reject
the incoming mail and notify the recipient that it failed the
test. Or you might quarantine it, check it, then send it on. For
example, you might do this with an angry letter from a
dissatisfied customer which may contain swear words, but may
still be considered necessary and suitable to send on to the
recipient. Or it may be too offensive to send on, so the
contents could be noted and the recipient informed in more
acceptable terms of the complaint.
You could set
different rules for different groups or different individuals.
Senior management could be allowed to receive unmonitored email.
Or, in certain professions, specific rules can be set, e.g. a
solicitor's office may receive email containing strong language
because it relates to a case. If you're worried about sensitive
information being emailed out, such as research data, marketing
plans or customer lists, you can set your monitoring system to
pick up key words which would highlight this information.
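The rule-by-exception approach described above (keyword thresholds that are context sensitive, per-group exemptions, and reject/quarantine/pass responses), written out as an added example; this is not code from the original article nor from Clearswift, Allot or Wick Hill, and the word lists, group names, addresses and sample messages are all constructed.

```python
"""Exception-based email policy checks.  Only messages that break a rule
produce a record; everything else is delivered without anyone reading it.
Constructed illustration, not a vendor product."""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses, parseaddr
from enum import Enum


class Action(Enum):
    PASS = 0          # deliver, nothing recorded
    QUARANTINE = 1    # hold for a human check, then forward or summarise
    REJECT = 2        # bounce and tell the intended recipient it failed the test


# Constructed word lists; a real deployment would carry the organisation's own.
MILD_WORDS = {"bloody", "damn"}
STRONG_WORDS = {"strongterm"}                 # placeholder for stronger language
LEAK_PHRASES = ("customer list", "customer database", "research data",
                "marketing plans")
# Constructed group policy: which checks a group is exempt from.
GROUP_EXEMPTIONS = {"senior-management": {"language", "leak"},
                    "legal": {"language"}}   # solicitors get case-related language
DIRECTORY = {"ceo@example.com": "senior-management",
             "counsel@example.com": "legal"}  # constructed; unknown users = "staff"


@dataclass
class Verdict:
    message_id: str
    action: Action
    reasons: list = field(default_factory=list)


def _count(text, vocab):
    words = re.findall(r"[a-z']+", text.lower())
    return sum(words.count(w) for w in vocab)


def check_language(body):
    """Context-sensitive rule: one mild word is tolerated, two are held for
    review, more than two, or a mild word alongside a strong one, is rejected.
    Strong language on its own is held so an angry but legitimate customer
    complaint can still be read and passed on."""
    mild, strong = _count(body, MILD_WORDS), _count(body, STRONG_WORDS)
    if mild > 2 or (mild and strong):
        return Action.REJECT, f"language: mild={mild} strong={strong}"
    if mild == 2 or strong:
        return Action.QUARANTINE, f"language: mild={mild} strong={strong}"
    return Action.PASS, ""


def check_leak(body, outbound):
    """Hold outbound mail that mentions sensitive material; inbound is ignored."""
    hits = [p for p in LEAK_PHRASES if p in body.lower()] if outbound else []
    return (Action.QUARANTINE, "leak: " + ", ".join(hits)) if hits else (Action.PASS, "")


def _body(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")


def evaluate(raw, org_domain="example.com"):
    """Parse one RFC 5322 message and return the worst verdict across checks."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = [a.lower() for _, a in
             getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    internal = lambda a: a.endswith("@" + org_domain)
    outbound = internal(sender) and any(not internal(r) for r in rcpts)
    # A check is skipped only if every internal party's group is exempt from it,
    # so an exempt recipient does not exempt a non-exempt internal sender.
    groups = [DIRECTORY.get(p, "staff") for p in [sender] + rcpts if internal(p)]
    exempt = [GROUP_EXEMPTIONS.get(g, set()) for g in groups]
    skipped = set.intersection(*exempt) if exempt else set()
    body = _body(msg)
    results = []
    if "language" not in skipped:
        results.append(check_language(body))
    if "leak" not in skipped:
        results.append(check_leak(body, outbound))
    worst = max((a for a, _ in results), key=lambda a: a.value, default=Action.PASS)
    reasons = [r for a, r in results if a is not Action.PASS]
    return Verdict(msg.get("Message-ID", "<none>"), worst, reasons)


def exceptions(verdicts):
    """Monitoring by exception: the audit record holds only rule breaches."""
    return [(v.message_id, v.action.name, v.reasons)
            for v in verdicts if v.action is not Action.PASS]


# Constructed sample traffic.
SAMPLES = [
    "From: angry@customer.net\nTo: sales@example.com\nMessage-ID: <1>\n\n"
    "Your strongterm delivery was late again.\n",
    "From: sales@example.com\nTo: friend@outside.org\nMessage-ID: <2>\n\n"
    "Attached is the customer database, keep it quiet.\n",
    "From: sales@example.com\nTo: ceo@example.com\nMessage-ID: <3>\n\n"
    "Bloody hell, that was a bloody long bloody meeting.\n",
    "From: opponent@lawfirm.net\nTo: counsel@example.com\nMessage-ID: <4>\n\n"
    "My client called yours a strongterm in writing, see exhibit A.\n",
]

if __name__ == "__main__":
    for record in exceptions(evaluate(s) for s in SAMPLES):
        print(record)
```

Message 4 produces no record at all: the legal group is exempt from the language check, so it is delivered without being read, which is the point of monitoring by exception.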
Having these
systems in place indicates to staff that you have rules, and
are managing the rules. It tells them you are checking to see
when the rules are broken, but that employees are not being
individually monitored nor their every move watched. Staff will
know that if they stick within understood rules, they have no
need to be worried. With rapidly growing email and web use, it
is increasingly necessary to set and enforce security policies
to manage these areas. Companies, however, should avoid the 'big
brother' approach. Email and web monitoring can be dealt with
perfectly sensibly by using solutions which monitor
automatically and by exception. That way, companies can fulfil
their legal, moral and business obligations, without being
accused of snooping.
www.wickhill.com
Ian
Kilpatrick, Wick Hill Group
Database and Network Journal,
June 2002 v32 i3 p20(3)
Security: is company data an asset or a threat?
(European Union's Data Protection Act and the Regulation of
Investigatory Powers Act) Paul Rutherford.
COPYRIGHT
2002 A.P. Publications Ltd.
Information
is a commodity, and for many companies the most valuable asset
they possess, especially when it comes to customer
relationships. The more a company knows about its customers, the
easier it is to reach out and touch them.
Now, however,
governments across Europe are under pressure to develop
legislation in response to the growing consensus that businesses
should be made accountable for how personal information is
stored, used and distributed. Consequently, a raft of new laws
have emerged which codify privacy rights for the digital age.
Cyberlaws
The Data
Protection Act (DPA) and the Regulation of Investigatory Powers
Act (RIPA) are the first in this new wave of `cyberlaws'--legislation
designed to reinforce privacy rights threatened by the
unregulated dissemination of information, in a world where
everything from birth records to shopping habits are stored
electronically.
Much of the
thinking behind cyberlaw is so new however, that the majority of
companies are unaware it even exists, let alone realise they
must now comply. However, unless business leaders take formal
action to protect the integrity of their data, it could become a
major threat rather than an important asset.
Understanding the new cyberlaws
As the first
wave of cyberlaws comes into force, it is essential that senior
managers develop an understanding of how the changes in
legislation affect their business and what they must do to
protect themselves.
The Data Protection Act
The Data
Protection Act (DPA) hands legal responsibility for all personal
data to the company or, more pertinently, its directors.
Employees, clients, potential clients, past clients, job
applicants, website visitors, contractors, consultants--anyone
who has had contact with the company is entitled to the
sensitive handling of any private information they divulge.
When
requesting personal information, companies must now ask
consumers to `opt-in' to receive additional sales information
rather than `opt-out'. Termed `permission marketing', this
subtle shift means customers must now proactively agree before
their details can be distributed for promotional purposes. Under
the DPA, if the corporate network is breached and personal
information lost or stolen, be it deliberately or by mistake,
company executives themselves can face prosecution.
Furthermore,
the DPA gives individuals the legal right to prevent their
details being processed for marketing purposes. Upon request, a
company must now disclose all the data it holds relevant to an
individual, the purpose for which the data is being used and to
whom else it can be disclosed. Any inaccurate data must be
deleted.
The
Information Commissioner is currently establishing the
Employment Data Protection Code (EDPC), which is based on the
DPA. The Code of Practice: Monitoring at Work, part of the EDPC,
is expected to be published in Summer 2002. The aim of the code
is to strike a balance between a worker's legitimate right to
respect for his or her private life and an employer's
fundamental need to run its business. To achieve this aim, to
the satisfaction of both parties, will be a significant task.
Critically,
companies must take whatever organisational and technological
precautions are necessary to protect the information they hold.
And today, with information predominantly stored electronically,
that means IT security.
Regulation of Investigatory Powers Act
Enacted in
October 2000, RIPA makes the interception of emails illegal
without consent from both the recipient and the sender.
Conversely, targeted monitoring of company email traffic is
acceptable when justified under the Lawful Business Practice
Regulations, but only for very specific reasons and all
employees should be informed beforehand via a company IT
security policy. And, of course, all personal data collected in
the process of any email monitoring must be handled in
accordance with the DPA.
Human Rights Act
Implemented
in October 2000, the Human Rights Act (HRA) supplements the
European Convention on Human Rights (ECHR), guaranteeing the
right to privacy and freedom of expression. Contrary to the
intentions of RIPA, which permits companies to monitor employee
IT use, the HRA asserts the right to email privacy. Exact
interpretations of the HRA, however, remain a matter of
contention; although it currently only applies to the public
sector, the legislation could potentially be exploited in
defence of companies who fail to secure their internal
information resources.
Cyberlaw in practice
Cyberlaw can
be a complex and ambiguous area which is frequently
misunderstood. Myths continue to surround the subject, largely
because many of the new cyberlaws have yet to be tested in the
courts. For business leaders, unravelling the mystery of
internal IT security is a forbidding task. What is certain
however is that companies must do something. The new cyberlaws
effectively formalise the rules on IT best practice in
business--pleading ignorance is no longer a defence. Without
measures regulating internal information security and employee
email behaviour, companies are at risk of breaking the law.
Moreover,
regulations inherent to specific industry sectors such as
medicine, finance and government often demand even tighter
controls than the DPA, making the issue of data security all the
more pressing.
The DPA
explicitly decrees that all companies establish the appropriate
technical and organisational safeguards to ensure personal data
cannot be lost, damaged or stolen. In practice this translates
as continuous management of the information entering, exiting,
circulating and stored within the company network.
For effective
internal email monitoring a company must:
1. Comply
with regulatory practices and procedures
2. Maintain
effective system operations
3. Monitor
standards of service and staff training
4. Detect or
prevent criminal use of the system
The IT threat--it's not what you think
With so much
information stored electronically, the answer to how business
should meet the new cyberlaws inevitably lies in the way
companies regulate their IT. Much has been made of the external
IT threat on the Internet. In the media, news of the latest
international virus epidemic never seems very far away. When it
comes to meeting the new cyberlaws however, the spotlight is
turning away from external risks and onto the threat from
within--the intranet.
Litigation
* Companies
are legally responsible for the information on their systems
* Corporate
data, trade secrets, research material and copyrights are all
potential targets for theft
* Staff
subjected to offensive data or email messages are entitled to
take industrial or legal action against the company
Breaches in confidentiality
* All private
customer, staff and supplier information is deemed sensitive and
must be treated as such
*
Confidential information or private correspondence may be
betrayed, be it knowingly or by mistake
*
Unauthorised individuals may read emails before they reach the
intended recipient
The people problem--a threat not to be underestimated
Within British law
the concept of `vicarious liability' decrees an employer can be
held responsible for the actions of its employees. In the
context of IT security this means if an employee were to send an
email, internally or to an outsider, that contained confidential
or offensive information, the company could be held liable. If
the email were then forwarded on, each subsequent sender and
their respective employers could also be made liable.
The following
case histories illustrate just some of the potential
consequences for organisations that fall foul of the new
cyberlaws.
* A Norwich
Union employee circulated false rumours that a competitor was
experiencing financial difficulties, over the internal email
system. The rumours leaked to brokers and customers, and the
competitor sued Norwich Union for libel. Norwich Union settled
out of court for a reported 450,000 [pounds sterling].
* In the US,
two employees of the investment bank Morgan Stanley have alleged
that they suffered emotional and physical distress as a result
of an email circulated to 6 other employees containing racist
remarks. The bank is facing a $60m lawsuit.
* Two
employees at the Nissan Motor Company, fired for sending
explicit email messages, subsequently sued for unfair dismissal
claiming violation of privacy under the HRA. But, having
designated an email policy that clearly prohibited the use of
company owned computer systems for non-business purposes, Nissan
won the lawsuit.
When it comes
to the IT threat, it's not technology itself that's the problem,
but rather the way people use it. In the eyes of the law,
emails have all the authority of a letter but their disposable
nature tends to encourage an informal, almost intimate attitude.
Compare the time spent on composing an email to that of a letter
and it's easy to understand how, under the everyday pressure of
work, mistakes and misunderstandings occur.
A recent
report by PricewaterhouseCoopers revealed how, having installed
security at the Internet gateway, many companies simply sit back
and hope for the best. Only 32% have a dedicated policy review
process and just 20% have an accurate inventory of their
existing security measures.
A popular misconception is that by writing an email security policy document a company has fulfilled its IT security obligations. This is not necessarily the case. To be effective, such policies must be supported by appropriate staff education and training, sufficient and targeted controls on web and email use and regular reviews and assessments.
The fact is, piecemeal solutions are fundamentally flawed because without any overall co-ordination it is impossible to cover IT security from every angle. Only by adopting a strategy that combines the appropriate technological measures implemented by a dedicated IT security policy and effective staff communication and training, can companies be sure they are completely secure.
Educating employees is a major preventative measure because an IT security policy, although protecting you from a technical point of view, is powerless without the cooperation of the people that must observe it.
A formal consultative process is crucial if staff are to understand why the policy is important, how it will help to protect both them and the company and, critically, why it must be underpinned by the appropriate IT technologies. Adopting an open approach to IT security is the only way to create the emotional 'buy-in' needed to foster real awareness and, crucially, a change in attitude to email usage.
Educate
* Educate employees about the threat of email misuse and abuse.
* Run a series of internal briefings to explain the policy objectives, the process by which incidents will be handled and the potential consequences for offenders.
* Produce supporting materials to help staff understand the dangers they expose the company to through careless use of email and Internet resources.
* Formalise their commitment with a policy agreement addendum to their Contract of Employment.
Computing Canada, Feb 11, 2005 v31 i2 p6
IT vendors organize forum for communications compliance: council to provide enterprises, lawmakers with strategic advice on how to create and enforce policies around electronic documents.
Ian Palmer.
COPYRIGHT 2005 Transcontinental Media IT Business Group
An alliance promoting best practices for complying with IT-related communications rules hopes to help companies navigate the regulatory waters and make lawmakers more aware of the impact their decisions have on the market.
The Electronic Communications Compliance Council (TE3C), a virtual group made up of user companies, technology partners, consultants and industry experts, was formed last month to educate enterprises on issues surrounding the need to manage, retain and archive electronic communications, and to push for regulations that can be realistically implemented by businesses.
Priscilla
Emery, TE3C chair, said laws such as Canada's Personal
Information Protection and Electronic Documents Act and the U.S.
Sarbanes-Oxley Act require firms to better manage internal
e-mail and instant messaging use.
"It goes
beyond the cost of trying to figure out what technology to use,"
said Emery, also president and founder of e-Nterprise Advisors
in Florida. "The real problem is: 'What kind of policy should we
have? How should we enforce the policy?' Most companies want to
comply. The challenge is being able to do so in a way that
doesn't create major upset to businesses."
One TE3C
initiative involves offering from its own Web site free,
limited-time access to Policy Builder, an online tool companies
can use to create customized e-mail policies. The tool was
developed by Fortiva, a hosted message archiving and compliance
solutions provider in Toronto, and a founding member of TE3C.
According to
Paul Chen, Fortiva president and CEO, his company planned to
sell Policy Builder as a product for US$249. But it is now being
offered for free until April 30 to persuade firms to contemplate
electronic communications policies.
Many companies with electronic communications policies actually have only simple guidelines that inadequately set out the rules, said Chen. Businesses wanting to stay out of legal hot water should focus both on determining how e-mail and instant messaging should be used, and on deciding what the penalties should be for breaking the rules, he continued.
"As we were
talking to customers, we realized one of the major difficulties
for customers is to find out what is a best practice for
electronic communications compliance," said Chen, explaining the
rationale behind TE3C, which had its inaugural meeting January
11 in New York. "A bunch of us passionate about electronic
communications decided to start an organization like TE3C."
David Senf,
program manager at IDC Canada in Toronto, said Canadian
companies are taking the challenges of monitoring e-mail and IM
use seriously.
IDC research
projects that North American enterprise instant messaging
revenue will reach $219 million in 2005 and hit $424.3 million
in 2008. This suggests businesses will increasingly be putting
the same emphasis on managing IM as they have been putting on
managing e-mail use, he said.
"In terms of
policies and procedures, I think organizations understand what
they need to do around compliance," said Senf, noting IBM,
Microsoft and open source provider Jabber dominate the EIM space
while FaceTime, IMLogic and Akonix rule the managed EIM space.
"Canadian organizations are increasingly ensuring the
collaboration going on inside and outside of the organization
adheres to the policies that they should be."
In the
meantime, TE3C is still putting together its membership program.
So far initial interest by potential members has been
encouraging, said Emery, who envisions an alliance that over the
course of its first year will focus on educating businesses
about electronic communications compliance as well as creating
forums where companies and regulators can discuss the issues.
"The whole
idea is we're trying to provide a forum and educational
resource," said Emery. "We're starting to see a lot of people
coming to us with interest of being part of the organization."
Source:
http://www.bcentral.co.uk/issues/administration/businesslaw/monitoremail.mspx
Monitoring Email and Internet Use
How do I go about monitoring the use of email and the internet by employees at my company?
Monitoring your employees' email and internet use is a
complicated issue – and one that can damage relations even when
lawfully carried out. It's best handled with tact, of course,
but your legal obligations must remain a priority.
You must inform your employees if you intend to monitor their
internet and email use. It's advisable to draw up a written
company email and internet-usage policy and this should be made
part of all employment contracts you issue. You might consider
displaying a copy on a staff notice board or in a staff handbook
if you have one.
A well considered and written policy will help to protect your
business against liability from the actions of your employees.
It should explain clearly what is acceptable and what is
expressly forbidden (e.g. writing or reading personal emails
during work time or the viewing of pornographic websites).
The document should state that your policy applies to all staff
members at all work times and that your business monitors email
and internet use. It should also say which manager employees
should contact for further information about any aspect of the
policy.
You might consider consulting with trade unions when drawing up
your policy. Should you lack sufficient knowledge, you might
also consider hiring an IT or legal expert.
Acas provides a useful guide to internet and email policies,
covering all of the key areas you need to be aware of when
drawing up a policy.
Talk to your employees and try to get their full support.
Explain why it is necessary for your business to have a policy
and ensure that all staff members understand and accept your
position.
When you recruit new employees, as part of their induction, make
sure that they are informed about your stance on internet and
email use. You must be able to prove that all employees were
made aware of your policy and the responsibilities it placed
upon them.
There are complex legal restrictions concerning the monitoring
of your employees' internet and email use. There are three laws
affecting workplace monitoring:
• The Human Rights Act 1998
• The Regulation of Investigatory Powers Act 2000
• The Data Protection Act 1998
The Data Protection Act has the biggest implications for
workplace monitoring, because it controls the use of personal
data held on a computer. If you are in any doubt about the legal
implications of your actions, seek professional legal advice.
The Information Commissioner (IC) is an independent official who oversees the Data Protection Act (DPA) and the Freedom of Information Act 2000. It's worth becoming familiar with the IC's Employment Practices Data Protection Code – a best-practice guide intended to help employers ensure that they are DPA-compliant. Part 3 of the code covers monitoring at work.
You are allowed to monitor emails and web browsing through
software that logs the website addresses visited, as well as the
subjects and addresses of emails sent and received. It is also
advisable to invest in software programmes that automatically
prevent access to certain URLs (eg pornographic sites). These
are relatively cheap and effective.
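As an added example (not code from bcentral or from any monitoring product the page mentions), the Python below shows the distinction the paragraph draws: an audit record that keeps only addresses, subject, date and size, never the message body, alongside a domain blocklist check of the kind described as cheap and effective. The sample message and the blocklist domain are constructed.

```python
"""Metadata-only email audit record plus a URL blocklist check.

Added example, not code from bcentral or any monitoring product. It
encodes the page's proportionality rule: record who wrote to whom and
the subject line, never the body, and block listed sites at the gateway.
"""
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample message; its body must not appear in the record.
SAMPLE_MESSAGE = """\
From: Alice Example <alice@example.com>
To: bob@example.com, Carol <carol@example.net>
Subject: Q3 forecast
Date: Mon, 14 Mar 2005 09:15:00 +0000

Bob, Carol, here is the draft. Please keep it internal.
"""

# Constructed placeholder blocklist (domains and their subdomains).
BLOCKED_DOMAINS = {"blocked.example"}


def audit_record(raw_message: str) -> dict:
    """Return only header metadata: sender, recipients, subject, date and
    total size. The body is deliberately never copied into the record."""
    msg = message_from_string(raw_message)
    senders = getaddresses(msg.get_all("From", []))
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    date = msg.get("Date")
    return {
        "from": senders[0][1] if senders else "",
        "to": [addr for _, addr in recipients],
        "subject": msg.get("Subject", ""),
        "date": parsedate_to_datetime(date).isoformat() if date else None,
        "size_bytes": len(raw_message.encode("utf-8")),
    }


def is_blocked(url: str) -> bool:
    """True when the URL's host is a listed domain or a subdomain of one;
    plain substring matching would wrongly block e.g. notblocked.example."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


if __name__ == "__main__":
    print(audit_record(SAMPLE_MESSAGE))
    print(is_blocked("http://www.blocked.example/index.html"))
```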
In general, more intrusive workplace monitoring without an
employee's consent can only be carried out in exceptional
circumstances. There are specific reasons that allow the
inspection of individual emails. These include:
• Recording or checking important business communications
• Ensuring employees are not breaking the law or your company policies
• Checking company emails when staff are absent. You should make sure employees are aware of this in advance.
Be very careful, in particular, when monitoring emails which are
obviously personal. To lessen the likelihood of problems, one
option is to set up separate personal email addresses for all
employees, while making it clear that company email systems are
not for personal use. You should also explain that personal
correspondence should not be written or read during work hours.