We have tried to be clear with our employees about Internet use but we believe a lot of unauthorized use and personal emailing is still going on. How far can we go in monitoring our employees’ use of the Internet while at work? — Shelby G., HR Manager in Los Gatos
Shelby, the explosion of electronic devices and applications in and out of the office is causing many employers fits. Often employers will tell employees, “Don’t use your company email account for personal business,” which is a very good idea. And employers also tell workers that they monitor email and review usage. By doing this, employers hope to remove any notion the employee has of a privacy right or expectation.
Having a comprehensive computer policy is critical in today’s workplace. Make sure to include rules for email use and Internet and intranet access, and then enforce them. If you tacitly allow employees to use their business email address for personal correspondence, you may not have diminished their expectation of privacy. Some of my clients get around this issue by telling employees that if they want to use their work computer to read and write personal email, they have to do so during their breaks and on a private email account such as AOL or Hotmail.
However, here’s a tricky problem employers face: What about the privacy expectation of the people who send email to an employee? Say I give out my business email address to my mother, and she emails me at work regarding her hip surgery. She may not realize that I can’t use my work email for personal email. Her understanding might reasonably be that if I give her that address, she can use it to contact me. But if my company monitors email, my mother’s expectation of privacy could be violated. Employees can (and maybe should) be instructed not to give out their work email address to anyone who would send personal correspondence, such as relatives and friends. Instead, again, employees should use a personal email account that they can access through the Internet, such as a Google or Yahoo account.
Internet Use
Internet use is another tough topic, and no matter how many times my clients remind their employees of their policy prohibiting personal Internet use on company computers, it still happens. Employers need a practical approach to address this situation. Besides having a policy on this topic, I also think that you may want to be very open with your employees about Internet use. Let them know that you are monitoring it, that employees’ Internet histories are periodically reviewed to ensure that they’re following company policy, and that people should not use the Internet inappropriately during work.
Training Your New Supervisors: 11 Practical Lessons
Many brand-new supervisors have never been trained on how to manage, and they’ve probably had at least a few poor role models over the years. Learn how to point them in the right direction with our free White Paper, Training Your New Supervisors: 11 Practical Lessons.
No Deleting Internet History
This is an important element of your computer policy: Put in place a rule that employees are not to delete their Internet history. If you tell employees that they can’t use the Internet for personal Web browsing and that you’re going to look at their history, they’ll delete it so you can’t access it. So, you have to say, “You’re not allowed to delete your history.” Make it a policy violation if you try to review an employee’s Internet history and it’s not there.
Key-logger programs that monitor computer keystrokes and record what is typed in are another approach employers use to supervise Internet use. Inform people that you monitor their actions, and actually do it. Key-logger programs are effective, and you can implement a random review of Internet activity. For example, inform your staff that every week you will randomly check the Internet use of 2 percent of employees—and follow through. If you then learn that someone is on a non-work-related website, talk to the person about it. You may want to say, “We noticed that you were on eBay Tuesday afternoon, and there’s no reason for you to do that in connection with your business for our company. That’s a violation of our policy. This is an oral warning; if it continues, further discipline—including termination—could follow.”
Malware and Viruses
Besides the problem of employees accessing porn and other inappropriate materials at work, there’s another reason that you want to ensure that employees don’t use your systems to browse the Internet—the Internet poses a danger to your system’s security. Visiting certain websites can result in malware being put on your system or viruses or worms attacking your computers. My anecdotal experience is that probably 50 percent of my clients’ thorniest computer system problems have come from employees using the Internet for personal use and downloading malware or a virus.
GPS Monitoring
While we are discussing technical issues, let me mention one that you didn’t ask about but that many employers face: GPS monitoring systems. For example, if your GPS-equipped company vehicle is sitting alongside the road for three hours in the middle of the afternoon while the employee is supposed to be busily buzzing around making deliveries, you may be able to show that this person wasn’t getting the job done. Some telephones also now come equipped with GPS devices, so if you issue telephones to employees, you can track where they are. Again, it’s important to have a policy if you’re using GPS technology to track employees, whether you’re using it to track time and attendance or to monitor efficiency. Privacy concerns can arise with GPS tracking devices, so be sure to address those in your policy.
What to Do with Personal Information
With any kind of electronic monitoring, you’re going to obtain personal information. Don’t delve into the information any more than is absolutely necessary to confirm that the employee was doing something inappropriate. For example, if an employee on a delivery route diverged from the route without permission, went six blocks out of the way, and was parked in front of a building for two hours, what you really care about is that she diverged from the route substantially and was off the route for two hours. What exactly she was doing isn’t as important.
Similarly, when you see emails that clearly aren’t business related, look at them enough to identify that they’re not business emails. You don’t need to get into all of the personal details. With all employee monitoring, as soon as you determine that where they are, what they’re doing, or what they’re saying is not business related, stop listening or reading.
Laura E. Innes, Esq., is a partner in the South San Francisco law firm of Simpson, Garrity & Innes, P.C.