On 26 April 2002, a new collective industrial agreement (n° 81) was concluded between the employers’ and employees’ organisations represented in the Belgian National Labour Council. This new collective agreement provides for rules regarding the employer’s right to control his employees’ use of the Internet and e-mail in the office.
Control of Internet and e-mail use is inevitable when operating a computer network. The network should indeed be secured from viruses, overloading or other failures. Operating a network, however, can conflict with the basic rights of the individuals who are part of that network, both privacy and data protection being safeguarded by international and Belgian legislation (cf. Convention for the Protection of Human Rights and Fundamental Freedoms of 4 November 1950, the EC Data Protection Directive n° 95/46 of 25 October 1995 and the Belgian Data Protection Law of 8 December 1992, as adapted).
The new collective industrial agreement intends to reconcile the employer’s Internet and e-mail control with the basic privacy rights of employees and therefore clarifies the existing legislation on data protection in order to make it better suited to the specific relationship between employer and employee.
The new agreement does not regulate access to or use of Internet and e-mail within companies. This remains subject to the authority and policy of each employer, who is free to determine if, how and to what extent his employees can have access to a computer and to Internet and e-mail facilities (e.g. only at lunch-time, no access to hotmail addresses or on-line banking sites, no use of computer programs that are not related to the job, etc.). When establishing their IT policy, employers should however take care not to violate the employees’ basic right of communication.
The new collective industrial agreement sets out the following rules:
1. The control system should be transparent
When installing a system to control the Internet and e-mail traffic in the office, the employer should inform the employees. Secret control is thus prohibited. The company’s works council should be informed in detail about the type of control system that the employer is planning to install. Moreover, each individual employee should also be informed of the existence of a control system. This can be done in the employment contract, or with on-screen messages which are displayed when starting up the computer, etc.
2. The control should have a specific objective
Control of the Internet and e-mail use of employees is only allowed when serving a specific objective. The collective industrial agreement contains a list of four valid objectives:
- the prevention of illicit acts or of acts that violate other persons’ dignity (e.g. prevention of hacking or of insulting e-mails);
- the protection of the company’s economic, business and financial interests (e.g. prevention of outgoing e-mails containing confidential company information or trade secrets);
- the safety and/or technical functioning of the company’s IT network (e.g. prevention of viruses within the office or of network obstruction by downloading large capacity messages);
- the respect, in good faith, of the company’s internal Internet and e-mail policy.
The control carried out by the employer should be relevant and in proportion to the desired objective. The employer’s control of Internet traffic can, in principle, involve the collecting of data about the duration of Internet connections per computer, but not the specification of the web sites visited. In the same way, the employer’s control of e-mail traffic can involve counting the number of outgoing messages per computer, but not the identification of the employee sending out the messages.
3. The control should be carried out in two phases
Individualised control, focussing on specific employees, is in principle not allowed. In a first phase, the control can only be operated on the basis of general information and statistics. Only when the employer encounters specific irregularities can he proceed with the second phase: the identification of the employee who is causing the problem.
The “individualisation” of the employee can in principle be done on a direct basis, without taking into account any further formalities. Only if the objective of the control is related to the respect of the company’s internal Internet and e-mail policy (see above) should the employees first be informed of the irregularities that were discovered during the first phase of the control and of the fact that, in the second phase, further control shall be held on an individual basis if the irregularities persist.
Once an employee has been “individualised” as being responsible for the irregularities, the employer shall invite him for an interview before taking any appropriate measures. Such an interview should allow the employee to defend himself and to justify his use of the company’s IT facilities.
The new collective industrial agreement of the National Labour Council has the merit of setting out, for the first time in Belgium, clear rules concerning professional Internet and e-mail use.
However, these new rules may cause some practical problems: most of the existing software allows full and unrestricted control by the employer and thus is not adapted to the two-phase control established by the new collective agreement.