Monitoring Email and Internet

12 April 2002

Edward Alder

When should employers be allowed to carry out covert monitoring of email and Internet activity? This thorny issue has featured in the press several times recently.

Last month car company Ford made headlines with a two-week "amnesty" for employees with pornographic, racist or other offensive material on their work PCs. The amnesty, negotiated with employee unions, was announced with a reminder of Ford's "zero tolerance" for such material and of the random audits the company conducts for it.

Many Hong Kong employers now make email and Internet access available in the workplace. This is of course primarily to enable employees to carry out their employers' business. But as with office telephones, many think it reasonable for employees to make limited use of these facilities for personal purposes, for example to send an email confirming a dinner or to read an online newspaper over lunch.

Personal use of an employer's property or facilities without permission is theft or at least a breach of the employment contract. Employers will often allow limited personal use of their non-consumable property, but only if they can scrutinise such activity to prevent misuse. This is understandable. No employer wants employees using its systems to download pirated or offensive material to its servers, to leak its trade secrets, or worse, to engage in criminal activity.

A new survey of employees at 30 leading UK companies by consultants DataSec suggests that employers are right to be concerned. It shows that around 40% of employees have no idea that use of the Internet at work can lead to legal liability for their employers and that employers therefore have a legitimate reason for monitoring such use.

A balance has to be struck between such scrutiny and employees' expectations, one that meets the employer's legitimate needs while respecting the employees' rights to privacy. The best way for employers to achieve this is to publish a legally vetted communications policy explaining when and why such monitoring might take place.

A good policy will act as a carrot rather than a stick. During the Ford amnesty employees could ask for help in removing such material from drives and bookmarks without fear of punishment, but afterwards such material could result in dismissal.

What legal rights to "privacy" do we enjoy in Hong Kong? In fact, as in the UK, there is no common law right of "privacy" here such as exists in the US, so there is no legal liability for "invasion of privacy".

The Basic Law (our "mini-constitution") and the Hong Kong Bill of Rights do create legally enforceable privacy rights for individuals. But these only apply as between government agencies and individuals, not as between private citizens such as a private sector employer and employee. Unless an employee is engaged in some relevant government-related activity, he or she cannot rely on those rights to prevent invasions of privacy by an employer.

An Interception of Communications Ordinance was passed in 1997 to regulate monitoring of electronic communications by government agencies, but unlike its UK equivalent it has never been brought into force.

The chief sources of protection are the Personal Data (Privacy) Ordinance (the "PDPO") and express and implied obligations on employers under employment contracts to respect employee privacy.

The PDPO requires, amongst other things, that the collection of "personal data" by employers be lawful, fair and necessary/sufficient for a legitimate purpose, that there be no unnecessary retention of data, that data only be used for the purpose for which it was collected or a related purpose, and that data users provide information to data subjects about their data use policies. Private emails and Internet use "histories" might, if tracked together with the personal details of the user, constitute "personal data".

On 8 March 2002 the Privacy Commissioner issued a draft "Code of Practice on Monitoring and Personal Data Privacy at Work" for public consultation. According to the Commissioner's press release, the Code has been drafted to provide guidance for employers monitoring employee activities at work, including online activities. The development of the Code was a response in part to the fact that the 2001 Data Users Survey indicated that a staggering 63.6% of respondent organisations had already installed employee monitoring devices.

Once a final code is issued, all employers will need to make sure that their monitoring activities comply with it so that they do not fall foul of the PDPO.

First published in the SCMP on 18 April 2002.

Important - The information in this article is provided subject to the disclaimer. The law may have changed since first publication and the reader is cautioned accordingly.