LAW SPECIAL REPORT: E-mail may give an illusion of privacy, but employers and employees can easily find themselves on sticky legal ground, as Steve Mathieson explains

E-mail is a funny thing.

Hidden behind their monitors, people send messages they would blush to repeat verbally, and view material they would be embarrassed to be seen with in person.

Yet many do not realise that they have far more privacy in the real world: many organisations closely monitor what their staff do online, and do not like what they find.

Indeed, increasing numbers of staff have found their e-mail antics have led to disciplinary action, or even put them out of a job.

In December last year, London law firm Norton Rose decided to discipline lawyers who forwarded a sexually explicit e-mail from the girlfriend of one of them, creating notoriety for the firm around the world.

Last year, mobile phone network Orange fired up to 40 staff after 'inappropriate' material was circulated on company systems.

And January saw insurer Royal and Sun Alliance firing 10 staff from its Liverpool office for forwarding lewd cartoons - one reportedly involving Bart Simpson.

Yet not taking action can cause its own problems.

Another e-mail from a lawyer in another London law firm - Charles Russell - has led to an industrial tribunal. The lawyer e-mailed a colleague asking if a secretary announcing her resignation could be replaced by a 'real fit busty blonde... she can't be any more trouble'.

The secretary, who is black, read the e-mail in question.

Her distress led to her being declared too ill to work. The tribunal has the power to award unlimited damages.

Given that an employee sending a defamatory e-mail can land their employer with legal action, employers see monitoring e-mail as a reasonable step.

Furthermore, it is technically fairly easy. Many e-mail software packages automatically look for messages containing offensive words, or for pictures likely to be pornographic. These can then be sent to a compliance officer for judgement. And many organisations store all e-mails for several months, or even permanently, to allow checks when problems are brought to light.

It is worth remembering that the e-mails will be stored even if staff think they have deleted them. Likewise, web pages visited are normally stored on the computer used and, as with e-mail, dubious site visits can be automatically reported to a compliance officer.

Yet the Human Rights Act 1998, which came into force a year ago, provides a right to privacy. 'You have a balance of rights,' says Sara Ellacott, a partner at law firm Nabarro Nathanson.

'Employers need to protect themselves and their employees from defamatory comments and pornography. On the other hand, you have perceived rights from employees for privacy. We are in a state of legal flux.'

Phil Boyd, assistant commissioner in the Information Commissioner's Office (responsible for policing data protection), points out that the Human Rights Act's privacy provision applies to all organisations.

'But the starting point is the public sector,' he warns.

He handled a case where a local government authority fired an employee on the basis of e-mails she sent. 'They were distasteful, but there was a strong feeling that this was a private conversation,' Mr Boyd says, adding that the content was not illegal.

He says that under the Data Protection Act 1984, the employee didn't have a strong enough case to win a case for unfair dismissal. But under the updated 1998 act, and the Human Rights Act, she might well have. 'It is an extremely difficult area,' he says.

So how do organisations steer a course between these two legal perils?

Shelagh Gaskill, a partner at law firm Masons, says the principle is clear. 'You can intercept employees' communications if there is a lawful reason,' she says - and checking business communications for defamatory remarks is fine.

'But employers have no grounds for intercepting private communications, and so have to make a very clear decision: do they allow employees to use communications for private purposes or not?

'If they go for a complete ban, the employer can presume all communications are business-related, and can intercept content.'

Such a regulation may already be in place within health service organisations, which may have standing orders banning private communications on cost grounds. However, this could risk a Human Rights Act claim, as it arguably removes the employee's right to privacy of communications.

A better way is to provide a secondary channel. 'An enlightened employer can say: "Mark your private e-mails as private, and we will not monitor them",' says Ms Gaskill.

This could be achieved by requiring staff to title private e-mails 'private', or through some kind of tagging on the software. However, this still means these private e-mails are running through an organisation's systems.

Mr Boyd says that marking e-mails 'private' does not remove the danger of an organisation being liable for comments made by its staff through the organisation's e-mail system. 'A lot of case law suggests that companies are responsible for information stored on their company systems. I am not sure the court would accept the defence that your staff were using the private bit of the system.'

Perhaps the ideal solution is a standalone computer, with a separate Internet connection, for private use. This would be the equivalent of a payphone in a call-centre, giving operators a private channel where they can be sure their calls are not being taped.

However, this is likely to add to an organisation's IT costs.

Whatever the policy chosen, it is vital that it is made abundantly clear to staff.

'We have been advising clients to have a clear policy setting out what an employee can and can't do, making clear that the right is reserved to intercept e-mail,' says Ms Ellacott.

'Our advice is to place a clear policy on your intranet, or a banner warning that comes up when you start your e-mail software.'

This policy should be particularly clear on the issue of downloading pornography.

'The possession of pornography is not a criminal offence, or every newsagent would be in jail,' says Ms Gaskill. Only material that breaches the Obscene Publications Act, or which involves children under 16, is actually illegal.

'Organisations that fire staff for downloading pornography must do so because the employee has breached policy, not the criminal law.'

Ms Ellacott outlines a successful tribunal claim against an employer after the claimant was fired for downloading pornography.

'The tribunal said, you have to bring this policy to the attention of your staff,' she says. 'In the policies we draft, we spell it out.'

E-mail, law and the NHS.

The NHS is about to see an explosion in e-mail use. Government policy is to give trust staff desktop access to a number of standard computer packages, including e-mail, by March next year.

An outline business case has just been published for e-mail and directory services. Yet the NHS has no central guidelines as to whether, and in what way, staff communications can be intercepted - it is up to individual health organisations to decide.

Law firm Weightmans, which specialises in health service work, says the advice for health organisations is much the same as that for any organisation.

'The safest way for a trust to deal with this is a policy that can go in employment contracts,' says James Powell, a lawyer at the firm.

At larger organisations, such as hospitals, this policy should include the strategy of providing computers for personal use. If that is done, then individuals should be barred from sending personal e-mail and web-surfing on work machines. This means monitoring of the main system can go ahead without having to worry about privacy.

At smaller organisations, and to sort out problems at larger ones, it is sensible to appoint someone to act as a privacy arbiter. 'The difficulty we have is that very few cases have come to trial under the Human Rights Act,' says Mr Powell. 'You have got to find a way forward in the meantime.'

Several trusts extend their e-mail systems from hospitals to smaller clinics and doctors' surgeries. Mark Forman, another lawyer at Weightmans, says these users must be equally well-informed about the regulations concerning the systems.

What about ensuring the secrecy of medical data sent through the e-mail system?

'The obvious answer is that you seek to encrypt personal health information,' says Mr Forman. Someone monitoring e-mails will then realise the message's nature, but will not see the medical data. This should also protect medical images from being viewed by monitoring staff.

Some software that looks for pornography relies on searching for certain amounts of skin in a picture - but encryption of medical images should stop them from being picked up.

The information commissioner criticised interception policies in a draft code on this subject. Organisations should look for the final, revised version of this code, due at the end of this year.

Hopefully, this will bring greater clarity to how employers should cope with the multiple legal risks provided by their e-mail systems. Until then, whatever policy an organisation chooses to follow, it needs to proceed with caution and make its policy clear to its staff.

Information commissioner Elizabeth France is responsible for policing data protection laws, and providing guidance for compliance: see www.dataprotection.gov.uk or call 01625-545 745.