UK eyeing Internet privacy protections for workers

From...

By Patrick Thibodeau

(IDG) -- Businesses in the UK, including U.S. firms with branch offices there, may soon face limits on their ability to monitor employee Web surfing and e-mail activity under a new privacy code due to be released by a government body in the next two months.

The UK privacy protections also illustrate the sharp difference in privacy approaches that exist between the U.S. and European nations, many of which have stringent privacy rules.

The code, which sets out workplace privacy rights, will call for employers to spell out their monitoring policies to employees and conduct monitoring that is "proportionate" to the risk posed by the employee activity.

Here are two examples of how the standard could be applied:

IDG.net INFOCENTER Computerworld main page Computerworld's topic-oriented communities Computerworld's IT career center Free daily newsletters Related IDG.net Stories JEITA: Deleting data from hard disks won't erase it Security experts say voice mail systems vulnerable Fiorina voice mail is genuine, HP says Features PC World.com Product Finder Mastering e-commerce by degrees Fast-track training puts nontechies in IT jobs Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

•  If employees write 10 e-mails a day on average, but one employee is writing 200 e-mails, that would give an employer grounds to look at the content of those e-mails, David Clancy, a strategic policy officer at the Information Commission in London.

•  Employers with sensitive information to protect, such as the secret ingredients of a soft drink, could reserve the right in their monitoring policy to check all communications -- such a policy would be proportionate to the risk, said Clancy. "The risk is that the business would collapse if the recipe was loose," he said.

The code would also call on companies to give consideration to an employee's privacy rights, said Clancy, because there "is a blurring between work and personal communications, especially with the growth of people working away from the office and the use of mobile communications." The mixed nature of messages can cause problems when a message to the human resource department, while work-related, is "quite often highly personal and private," he said.

But a major UK industry group, the Chartered Institute of Personnel and Development, called the code "unrealistic and inappropriate" and said it will halt virtually any employee monitoring and create new risks for businesses.

The code "does not allow any covert monitoring" of such activity as telephone calls and Internet use "unless criminal activity has been identified and the police are involved," said Diane Sinclair, the lead advisor on public policy at the London-based personnel management group.

The code is the Information Commission's interpretation of the Data Protection Act. The code isn't a law, but if a company doesn't follow the code, it risks a legal challenge from an employee.

Companies operating in the U.S. are allowed to monitor workplace computer activity without restriction, said Christopher Wolf, an Internet law expert at Proskauer Rose LLP in Washington. In short, U.S. law, which is backed by court rulings, makes clear that "he who owns the computers gets to see what is going on with their computers," he said.

But U.S. businesses in England will have comply with the privacy code. Although companies with servers located in the U.S. might have the capability of remotely monitoring a workstation in England -- and may technically be able to get away with it -- they could face legal risk if they do so, said Wolf.

There have been high-profile cases in the UK of employees who have been dismissed for surfing the Internet, said Carolyn Jones, who heads the Institute of Employment Rights in London. She argued, however, that the boundary between family and the workplace is no longer what it was and that there should be some flexibility.