What legal issues does an employees' use of IT equipment raise?
Whatever equipment you provide to staff must be safe and comply with health and safety rules. Its electrical safety should be inspected periodically and employee workstations should be risk assessed to ensure that their use will not pose a threat to health.
Usually, employers will be liable to third parties for what their employees do using their equipment in connection with their employment. This is known as ‘vicarious liability’. This means that, if an employee’s use of IT is illegal, defamatory, discriminatory, breaches copyright or confidentiality, constitutes bullying or otherwise causes a legal problem, the employer is on the hook.
Issues can arise in connection with inappropriate or excessive personal use of equipment. Where employees damage or lose equipment negligently, employers sometimes wish to deduct the cost from their pay. However, care must be taken to ensure such a deduction is lawful. In most cases, the employer will likely only be able to make deductions from the employee’s wage if this is permitted under the terms of the employment contract or if the employee agrees to it. In most situations, employers should make a relevant insurance claim for the lost equipment.
Increasingly, employers want to examine and make use of information about employees' use of IT equipment (eg by monitoring email and internet use), to make employment decisions. This raises issues of privacy and data protection as well as the fairness of disciplinary action.
Employees' personal use of IT equipment
There is no obligation to allow staff to use IT equipment for their personal purposes. If you do allow personal use, make clear to staff that it must be lawful, reasonable and not interfere with their productivity or duties. You can also restrict use to certain times of day or a certain limit. In all cases, consider publishing the personal use rules that you decide on with a Communications and equipment policy.
Train and guide employees about the sorts of media use that are legally problematic and warn of disciplinary action if rules are breached. Don’t mix up personal use and private use. If you monitor your employees' use of equipment then they must be warned not to expect privacy even if personal use is permitted.
Monitoring employees' use of equipment
Monitoring of communications such as emails, internet use and phone calls engages data protection and privacy issues. For more information, read Data protection and employees.
Monitoring is permitted if justified but you should tell your staff you do this and target your monitoring. Consider less intrusive methods and take steps to avoid reviewing obviously personal materials. Covert monitoring will be acceptable only in exceptional circumstances.
When monitoring employee communications, the employer must also use the least intrusive methods necessary to achieve the business aim. Before any surveillance can take place, employers must create a policy that lets employees know the circumstances of monitoring and their expectations of fair use. To do this, you must first warn employees about monitoring of their equipment use (eg by having a Communications and equipment policy) and the types of prohibited behaviour where disciplinary action might be taken.
As some of the information collected and processed from monitoring employees meets the definition of personal data, organisations must prove that they have a lawful ground to collect and monitor this information.
The UK General Data Protection Regulation (GDPR) says that an employee cannot give consent to an employer because of the inherent imbalance of power. Consent can’t be 'freely given' if the data subject (ie the employee) faces a potentially negative effect from not consenting. It’s reasonable to expect that an employee might fear losing their job (or at least fear losing favour among their bosses) if they don’t consent to being monitored.
Note that employers are never justified in using automated monitoring methods (eg spyware) to search an employee’s browser history and/or workplace communications to find evidence of misuse. Similarly, employers should not employ monitoring methods that don’t leave a trace of their monitoring (eg physically looking through an employee’s private communication at their workstation).
For more information, read Workplace monitoring.
Staff should receive a copy of the employer’s written policy on the use of IT equipment when they join or when the policy changes. Periodic reminders are useful especially when portable equipment like laptops or smartphones are issued. Staff should sign to confirm receipt.
Pay deductions for damaged or lost equipment will be unlawful unless the employee has given advance written consent either in their Employment contract or another agreement. If this is not covered in the contract, get a separate signed agreement when the equipment is issued.
Consider using click-through consent or on-screen reminders to remind staff of rules on equipment use and monitoring information.
If you have any questions or concerns about an employee’s use of IT, Ask a lawyer.