It's hard to imagine our working day without the Internet, but the medium brings its own challenges for employers. In Asia recent scandals involving the circulation of supposedly private embarrassing emails have hit a US investment bank in Korea (like the Claire Swire scandal, an employee boasting of sexual conquests) and a UK law firm in Hong Kong (a poor taste joke about a supposedly " murdered" employee).
The reality is that in the online world it is easier for an employee to breach confidentiality, to mislead, to bind an organisation to a contract, to access or send unauthorised information, to defame or to infringe third party copyright than it is using traditional communications.
This article advocates the need for employers to adopt a clear, legally effective and wide ranging "electronic communications policy" to enforce sound communications practices in the workplace.
While "Email Policy" is the term most commonly heard in this context, why stop there? It is arbitrary to attempt to enforce a workplace policy dealing merely with email. One policy should ideally cover the use of all electronic communication systems provided for work. This will include laptops used remotely, mobile phones and of course use of the Internet at large. In opening the policy to a broader coverage, it may be simpler to dovetail it with all existing communications policies such as those covering telephone answering, authority to send letters or documents unchecked, measures for highly confidential communications, money laundering and rules on press announcements.
A simple truth that is often lost in the debate over privacy and interception of communication is that communications equipment is provided for the furtherance of an organisation's business and anything else is secondary, so the employer has a legitimate interest in controlling, and therefore monitoring, its use.
On the other hand, to impose a blanket ban upon personal use would usually be disingenuous and probably counter-productive. Therefore it is far better to take a common sense approach and to allow personal use but within clear limits.
So what should such a policy cover? Broadly it should address or include:
- potential legal consequences of electronic communications, such as liability for misrepresentation, defamation and entry into contracts,
- compliance with regulations specific to the employer' s type of business, for example regulations of professional bodies for professional firms,
- rules for authorising, sending and receiving business emails, attachments and voicemails,
- dealing with suspicious communications,
- workplace use of the Internet, including what constitutes "acceptable use",
- uploading of material to intranets and extranets;
- installation of software,
- safe retention of business-related materials sent or received electronically,
- employee absence during sickness or holiday,
- employer monitoring of communications and the absence of privacy as between employer and employee,
- acceptable personal use of electronic communications,
- disciplinary action that may follow if the rules are breached.
It is important to define clearly (although non-exhaustively) the sorts of activity that are unacceptable, such as the sending of sexist, racist, obscene, corrupt or defamatory communications, gambling, harassment, the downloading of certain types of information from the Internet, and/or the forwarding of certain types of files or content of email.
The Legal Background
In Hong Kong employers have a relatively but not completely free hand to dictate workplace practices.
The key sources of obligation and law that employers will need to keep in mind in implementing a fair electronic communications policy, and in taking action against employees in breach of it, might include:
- on the disciplinary aspects and employee privacy, the duty of good faith implied into every employment contract and the existing terms of employment,
- on employee privacy, the Personal Data (Privacy) Ordinance,
- on disciplinary aspects, the Employment Ordinance,
- the Code of Practice on Human Resource Management and Compliance Guide and other relevant Codes issued by the Privacy Commissioner,
- for Government employers, the Hong Kong Bill of Rights, and
- if it ever comes into force, the Interception of Communications Ordinance.
A "electronic communications policy" that forms part of a comprehensive corporate communications policy might draw employees' attention to other legal obligations concerning use of communications, such as:
- on business record keeping issues, the Evidence Ordinance,
- on suspicious incoming communications, the money laundering reporting obligations in the Organised and Serious Crimes Ordinance and the Drug Trafficking (Recovery Of Proceeds) Ordinance,
- the misuse of computers provisions in the Crimes Ordinance and the Telecommunications Ordinance, and
- for publicly accessible material, conceivably the Control of Obscene Publications Ordinance.
Any employment or commercial lawyer ought to be able to vet a proposed policy to check that these and other relevant legal issues are adequately taken into account.
Making the Policy Work
Any such policy must be linked to an employee's contract of employment and the employer's general disciplinary regime. This will be relatively easy to implement for new employees who can be employed on terms that include the policy. It but may prove more difficult for existing employees.
Depending upon the terms of their current contract of employment, the employer may or may not have a right to introduce a unilateral variation on workplace terms. However, it may be possible to get around this difficulty by implementing the changes at the same time as offering the employees a discretionary annual salary increase.
An edited version was published in IT Wire issue 3, December 2001