This instalment of Breaking Down the Handbook series looks at email, internet and social media policies, in particular considering why employers should have them, what they should contain and what the pitfalls are in drafting and applying such policies.
Why have them?
It is estimated that the misuse of the internet and social media by employees costs Britain's economy billions of pounds every year.
In this digital and ever increasingly social media driven age, it is becoming increasingly important for employers to keep up with the fast pace of such technology. Employers should ensure they have clear and transparent rules and policies governing the use of such technology when it comes to the workplace, as well as the possibility of an employee making reference to his/her employer on any personal media platforms or via private email. It is, therefore, crucial that both employers and employees know where they stand when it comes to the use and abuse of emails, the internet and social media.
Policies should ensure that employees do not feel unduly restricted; managers know how to respond to inappropriate behaviour, such as cyber bullying; and an organisation feels confident that its reputation is protected.
What should email, internet, social media policies cover?
The list, as you would imagine, is pretty wide. We have, therefore, covered the main issues which often arise.
With the commonplace use of emails, many employers have already set out standards and best practice guidelines for employees. For example, when sending out emails on behalf of or related to the employer, employees may be required to format their emails in a particular way, include certain information in the headings and have a standard corporate sign off. Such rules are useful and ensure an organisation looks professional and consistent to its customers and clients. However, an email policy needs to go much wider in terms of setting out the do's and don'ts of what employees can use the email system for. So what can/should you do as an employer?
Email - In respect of email use, a policy will often state that:
- employees should not use the company's email systems excessively for personal use;
- employees should not overload company email systems with excessive emails;
- offensive or inappropriate materials should not be circulated;
- computer hardware and email systems are the company's property and therefore employees should not expect any degree of privacy as their emails may be monitored (if applicable).
The latter is usually due to business reasons where employers may need to access an employee's emails if that employee is unwell or unable to attend the office for any reason. Employees should, therefore, be warned that if they wish for their private messages to remain private these should be clearly marked and similarly, employers should not access an employee's clearly private emails if marked as such unless there is good reason to do so (e.g. a suspicion of misconduct) and also provided that privacy issues have been considered (see below).
Internet - Turning to the internet, such a policy should state that:
- internet use may be monitored (if it is);
- either the number and types of websites that employees can access while at work are limited OR there is a complete personal internet ban during the whole of the working day but employees can access sites either during breaks or before or after work OR there is a complete ban on accessing the internet at work for personal use;
- no offensive or inappropriate websites or material should be accessed while at work or using any work equipment.
Social media - This is, to some extent, an area that is still developing. More and more employers are using social media platforms for business reasons and expect employees to engage with such platforms either as part of their job or outside of that. The lines of work and home are being blurred and this is mainly due to the impact of social media.
As can be seen in the press on any given day, social media platforms are being used increasingly to bully, harass and victimise people (trolling). A social media policy should therefore make it very clear that any such behaviour in relation to any employees, customers and clients will not be tolerated. It should be made clear that this is the case whether the actions were taken by an individual in the workplace or outside of the workplace so that an employee cannot argue that the employer has no jurisdiction to do anything if posts were made outside of work and/or during their own time.
If an employer does use social media to promote its business and encourages employees to do so as well, the policy should:
- set guidelines to ensure that the employer is not brought into disrepute by anything said or done by any employee;
- make it clear that if a personal view is expressed by an employee they must make it clear that it is their view and not the view of the company.
Any breach of any of the above policies should be referred in the employer's disciplinary policy, clearly stating in all policies that disciplinary action may be taken if any breaches occur.
Pitfalls in drafting and applying such policies
An employer has to set out clearly to its employees what is and is not permitted in relation to emails, internet use and social media use. As well as stating that disciplinary action may result if any policy is breached, if there are specific problems or issues in an organisation particular to that organisation, the policy should be tailored to cover these circumstances. In addition, the disciplinary policy should be amended to reference possible offences such as cyber bullying, accessing pornographic material, etc.
Social media has largely replaced the traditional get together in a pub where friends would share anecdotes or stories about what has happened during the day, including work. Social media is different in that whatever is posted is permanently there and employees should be warned of the consequences of sharing inappropriate content with friends or others, as once they have sent or posted something the content is no longer under their control.
Nod to GDPR
It goes without saying that there are data protection and privacy implications in relation to a lot of the above. As said previously, this series of articles does not intend to focus on GDPR as we have a specific series of articles relating to this wider topic. However, security measures around hardware, passwords, encryption, monitoring, etc. should all be included in updated GDPR compliant data protection and privacy policies.
Keep an eye out for our next article in the series which will focus on whistleblowing policies.