ACCEPTABLE USE POLICIES – WHY, WHAT & HOW

A PRACTICAL GUIDE TO IMPLEMENTING AN AUP

A WHITEPAPER BY JONATHAN NAYLOR, EMPLOYED BARRISTER

CONTENTS

WHY DO I NEED AN AUP? ........................................................ 1
I HAVE AN AUP, SURELY I AM NOW PROTECTED? ............................... 2
HOW DO I GO ABOUT CREATING AN AUP OR REVISING THE ONE I CURRENTLY HAVE? ... 3
WHAT SHOULD BE IN AN AUP? ................................................. 3
COMMON MISTAKES WHEN CREATING AN AUP ...................................... 4
COMMON MYTHS WHEN CREATING AN AUP ......................................... 5
MAXIMISING COMPLIANCE AND MINIMISING RISK ................................. 7


WHY DO I NEED AN AUP?

Ten or so years ago, implementation of Acceptable Use Policies ("AUPs") within organisations was patchy. Many employers limited employee Internet and email use to certain categories of staff and large numbers of smaller and medium sized enterprises either had a very brief AUP or, alternatively, none at all.

Over the last decade businesses have, either through good planning and awareness or, alternatively, painful experience of something going wrong, learnt that with ever-increasing employee access to Internet, email and Instant Messaging ("IM") systems while at work, regulation of this area cannot be left to chance.

The AUP is the bedrock of any organisation's management of employee use of corporate IT systems. A well-drafted AUP will, amongst other things:

- set out the types of behaviour expected of employees (and equally the types of behaviour that will result in an employee facing disciplinary action);

- detail specific provisions that are tailored to the organisation's needs or particular areas of risk;

- highlight to employees that the systems are predominantly for work use and that personal use should not interfere with an employee's ability to undertake their duties; and

- explain that an employee's usage will be monitored and that, where necessary, disciplinary action will be taken.

It is crucial, once an AUP has been drafted:

1. that it is distributed to all staff;

2. that an explanation is given to employees so that they understand why the policy is needed and what it is there to do; and

3. that the policy is then consistently enforced by management so that it does not fall into either disuse or disrepute.

A common failing is that organisations feel that they have "fixed" the problem simply by drafting an AUP. This AUP may then gather dust on the shelf, while the company, its employees and the risks that the business faces, all change. This can mean that when an act of misconduct by an employee prompts management to dust down the AUP and seek to enforce it, they find that the specific problem they now face is not adequately covered by the AUP. In this type of situation, the employee may also be able to raise substantial arguments about his lack of knowledge of the AUP or the previous lack of enforcement by the employer, and either claim may lead a Tribunal to conclude that the company has acted unfairly in taking whatever action it did against the employee.

I HAVE AN AUP, SURELY I AM NOW PROTECTED?

As explained above, simply establishing an AUP is not in itself a sufficient response. Part of the challenge for employers is to explain to employees why misuse of the Internet, email or IM system is so potentially damaging. Despite widespread publicity about employee email misuse and all of the embarrassment that this can cause both to the employee and the organisation, hardly a day passes without a further example of a careless email or inappropriate use of the web.

It is therefore important that employees are educated as to why misuse of these company systems can be so significant. Employees are never likely to welcome the fact that an employer will monitor their activities while at work but, if it is conveyed to the employee that part of the reason for the monitoring is to avoid the potential for personal consequences for any employee, then it may be that at least a grudging understanding is obtained. For example, many employees may not appreciate that if a colleague brings a claim of discrimination (perhaps a claim of sexual harassment based on offensive emails) not only can the employer be liable for any compensation ordered by a Tribunal, but the individual employee can be named as a Respondent in any proceedings and a financial award made personally against that employee. The fact that there may be a direct financial consequence to the offending employee may help to concentrate the mind and stress the importance of abiding by the AUP.

Furthermore, any AUP must be backed up with a tailored technology solution; the AUP is only part of the story. The technical solution that you put in place must be relevant to the particular risks that you face as a business and also the policy that has been drawn up to meet those risks.

As an employer, the organisation has a duty to take reasonable steps to put in place a safe system of work for employees. This will involve, for example, putting in place reasonable technical solutions to seek to block spam emails from reaching employees. Employers are not obliged to go to unlimited expense to implement the most perfect system for dealing with every conceivable threat, but they will be expected to put in place a reasonable level of protection for their own employees.

HOW DO I GO ABOUT CREATING AN AUP OR REVISING THE ONE I CURRENTLY HAVE?

The starting point is to assess the particular needs of the business in the light of the specific risks that it will face; hence a risk assessment of some sort is the first step. Such an assessment will provide the basis for drafting the necessary AUP and subsequently the tailoring of a technical solution to support that AUP. Failure to make a proper assessment at the outset will lead to an incomplete solution being implemented later in the process.

When drafting the AUP itself, input should be obtained from any HR support within the organisation. What is technically possible is not necessarily good employment practice and therefore this has to be an area where an organisation's IT department talks with its HR department to create a combined solution. Senior management approval must be sought at an early stage so that there is a real commitment to the principles in the AUP.

When the AUP is complete and ready for distribution, there is a requirement to educate employees, so that they understand why the new policy is being produced and what it is intended to achieve. As mentioned above, a shrewd employer will seek to explain to employees the risks that the employer is attempting to address under the AUP and therefore to demonstrate the benefits not only to the business but also to individual employees from having a clear AUP to set the boundaries of reasonable behaviour.

Fig. 1 Creating and maintaining your AUP (flowchart): Assess risk (conduct a thorough risk assessment; identify areas of concern) -> Create policy (tailor the policy to the specific risks) -> Distribute & educate (distribute the AUP; educate employees on why the AUP is being implemented) -> Monitor compliance (implement a technical solution to monitor and report on AUP compliance) -> Enforce policy (enforce the AUP consistently when it is breached)

WHAT SHOULD BE IN AN AUP?

The contents of AUPs vary; some are comprehensive, covering all forms of communications used by the business (including Blackberries/PDAs, telephone communications, etc.) whereas others are more limited. Which coverage is most suitable for an organisation will depend on the nature of the usage by employees. For example, if the use of Blackberries is confined to one or two directors of the business, the need for any AUP to cover this is obviously greatly reduced when compared with a business which has scores of users. All AUPs should clearly state which categories of workers are covered; for example, if a business uses contractors or temporary workers it should be stressed that the policy also applies to them.

In setting the boundaries of acceptable use of corporate IT systems, the AUP should deal with issues such as the downloading of software or other material from external sources and what is appropriate email etiquette (such as the avoidance of chain emails or an aggressive/abusive tone in emails).


Being clear about the limits of reasonable personal web and email use is obviously a key factor, both in terms of the content of material to be accessed or sent and also the time involved in such personal use. For example, will the employer permit reasonable personal use at all times (provided it does not interfere with the employee's ability to undertake their work duties) or should personal use be confined to time outside normal working hours? Examples of the categories of website which are unacceptable for employees to visit should be given (such as gambling or pornographic sites).

The steps that the employer will take to monitor employee use should be explained and it should be specified that misuse may lead to disciplinary action being taken by the employer.

COMMON MISTAKES WHEN CREATING AN AUP

One of the most frequent errors made by employers is drafting the AUP and then almost immediately forgetting about it, considering the "box to have been ticked". What is equally important is the distribution of the policy to, and education of, employees regarding the AUP so that they understand what is being proposed and why. This will help to achieve at least a degree of employee "buy in" to the aims of the organisation.

Employers often underestimate the importance of tailoring the AUP to their specific needs. Tempting though it may be to rely on the low cost solution of a standard template (or even a document used by another organisation) this may prove to be a false economy. The AUP (which, after all, will form the basis of your monitoring and the way in which your technical solution will operate) must do what you want it to do. Many employers who use a generic form of AUP then get into difficulty when trying to implement this in specific situations which have arisen. For example, if the AUP does not contain a sufficiently clear linkage to the organisation's disciplinary procedures, it may be that employees will seek to argue that they did not appreciate that an act which is contrary to the AUP is also a serious disciplinary matter.

Another common failing is that many businesses do not review and revise their AUPs as the needs of the business change. As the number of users of corporate IT systems increases, different challenges will arise. For example, remote or home workers often present an even greater risk of inappropriate use, perhaps due to a perception that they are out-of-sight and out-of-mind. If there are changes in the way in which employees are working, then the employer may be left exposed to greater risk if the AUP is not amended to reflect these changes.

COMMON MYTHS WHEN CREATING AN AUP

There are also a number of myths which seem to surround the area of employee use of the Internet and email and the consequent monitoring by employers. For example:

MYTH 1: 'PERSONAL USE OF IT SYSTEMS IS A MUST'

Many employers seem to be under the impression that they have to allow employees to have personal use of work Internet and email systems. This is not, in fact, the case, although with the increasing flexibility demanded of employees in terms of their working hours, most employers accept that it is reasonable to allow at least limited personal use.

MYTH 2: 'IT'S A BREACH OF MY HUMAN RIGHTS!'

Employees who find themselves in hot water as a result of misuse of the corporate IT systems may well argue that the employer has in some way breached their human rights by conducting monitoring. This is generally an argument that does not find much favour with courts or tribunals. In the first instance, direct claims for breach of the Human Rights Act can only be made by employees of public bodies such as NHS Trusts or Local Authorities. Private sector employees can only bring a claim for breach of the Human Rights Act if the employee can add this to another form of claim such as unfair dismissal or breach of contract; there is no freestanding right for private sector employees to bring Human Rights Act claims.

Whatever may be reported in the press, the idea that the courts are in thrall to the Human Rights Act and allow the most frivolous and ridiculous claims is certainly not true in this area of employee monitoring. Provided the employer has set out in a clear AUP what monitoring will take place and why; that this level of monitoring is reasonably proportionate to the risks involved; and that the employer has then monitored in accordance with that policy, it is highly unlikely that employees could succeed in any claim.

MYTH 3: 'WE ALL NEED SOCIAL NETWORKING'

Access to social networking sites presents a dilemma for employers. Most employers do not allow access to these sites and there is certainly no law that insists that employees should have such access. Some organisations take the view that these types of sites actually assist employees in making social connections which can aid the business, but this can be a risky strategy. Employers have to consider whether the benefits that might arise from such use are in fact outweighed by the damage that might be done.

MYTH 4: ALL BLOGGING IS EVIL

The increase in blogging and micro-blogging is often a concern for employers, particularly those organisations with a public profile, such as retailers. However, just because a negative comment is made by an employee in their blog, this is not necessarily grounds for immediate dismissal by the employer. The question is whether the comments made by the employee amount to misconduct under the employer's disciplinary procedure, for example, conduct which brings the employer into disrepute, and also the scale of the misconduct. There appears to be a recent trend of customer service operatives using blogs or social networking sites to be very critical of both their employers and also the customers that they serve. This can be highly embarrassing for the employer, but the organisation should not act in haste; rather, it should investigate the matter thoroughly before coming to a considered decision.

MYTH 5: IF IN DOUBT, ARCHIVE EVERYTHING

Many employers also seem to think that there is a particular magic period of time which must be allowed to pass before emails can be deleted. Rumours abound about the need to keep all email traffic for five, seven or even ten years. In reality, it is not as simple as setting an arbitrary deadline for all emails. The shrewdest solution would be to make an assessment of the content of particular email traffic, enabling business critical data to be stored and irrelevant information to be deleted.

When assessing storage times, the timeframes for litigation may be of some assistance. For example, most personal injury claims must be brought within three years of the date of the incident giving rise to the injury and claims for breach of contract must usually be brought within a limitation period of six years from the date of the alleged breach. While this type of litigation "long stop" date provides at least some rough outline to employers as to how long certain information should be kept, organisations should recognise that there will be large elements of information which could be deleted much sooner than the guidance dates set out above. For example, there is really no valid reason for employers to retain the personal bank details for temporary members of staff who have not been engaged for some years. The data is clearly out of date, is unnecessary for the employer to retain and may well be breaching the requirement on the employer under the Data Protection Act to ensure that it does not hold excessive data.

MYTH 6: IM IS NOT PERMANENT, SO I DON'T NEED TO WORRY

Employers ignore the dangers of employee use of Instant Messaging ("IM") at their peril. IM carries all of the same risks associated with email correspondence, but is perhaps even harder to guard against given the very immediate nature of the communication. Organisations need to approach IM as they would other misuse of corporate IT systems, as the same risks of harassing/discriminatory communications, loss of confidential data, possible brand damage, etc. all apply.
