Employee use of IT

Whatever equipment you provide to staff must be safe and comply with health and safety rules. Its electrical safety should be inspected periodically and employee workstations should be risk assessed to ensure that their use will not pose a threat to health.

Usually, employers will be liable to third parties for what their employees do using their equipment in connection with their employment. So if use is illegal, defamatory, discriminatory, breaches copyright or confidentiality, constitutes bullying or otherwise causes a legal problem, then the employer is on the hook.

Issues can arise in connection with inappropriate or excessive personal use of equipment. Where employees damage or lose equipment negligently, employers sometimes wish to deduct the cost from their pay; care must be taken to ensure this deduction is lawful.

Increasingly, employers want to examine and make use of information about employees use of IT equipment (eg by monitoring email and internet use), to take employment decisions. This raises issues of privacy and data protection as well as the fairness of disciplinary action.

There is no obligation to allow staff to use IT equipment for their personal purposes; if you do allow personal use, make clear to staff that it must be lawful, reasonable and not interfere with their productivity or duties. You can also restrict use to certain times of day or a certain limit. In all cases, consider publishing the personal use rules that you decide on with a communications and equipment policy.

Train and guide employees about the sorts of media use that are legally problematic and warn of disciplinary action if rules are breached.  Don’t mix up personal use and private use. If you monitor employees use of equipment then they must be warned not to expect privacy even if personal use is permitted. 

Monitoring of communications such as emails, internet use and phone calls engages data protection and privacy issues. For more information, read Employee Data Protection Issues.

Monitoring is permitted if justified but you should tell staff you do this and target your monitoring. Consider less intrusive methods and take steps to avoid reviewing obviously personal materials. Covert monitoring will be acceptable only in exceptional circumstances.

When monitoring employee communications, the employer must also use the least intrusive methods necessary to achieve the business aim. Before any surveillance can take place, employers must create a policy that lets employees know the circumstances of monitoring and their expectations of fair use. To do this, you must first warn employees about monitoring of their equipment use (eg by having a Communications and equipment policy) and the types of prohibited behaviour where disciplinary action might be taken.

As some of the information collected and processed from monitoring employees meets the definition of personal data, organisations must prove that they have a lawful ground to collect and monitor this information.

The General Data Protection Regulation (GDPR) says that an employee cannot give consent to an employer because of the inherent imbalance of power. Consent can’t be 'freely given' if the data subject faces a potential negative effect from not consenting. It’s reasonable to expect that an employee might fear losing their job (or at least fear losing favour among their bosses) if they don’t consent to being monitored.

Under no circumstances are employers justified in using automated monitoring methods (such as spyware) to look through an employee’s browser history and workplace communications to find evidence of misuse.

Employers should also refrain from methods that leave no trace of their monitoring, such as physically sitting at the employee’s computer and looking through their private communications.

Staff should receive a copy of the employer’s written policy on use of IT equipment when they join or when the policy changes. Periodic reminders are useful especially when portable equipment like laptops or smartphones are issued. Staff should sign to confirm receipt.

Pay deductions for damaged or lost equipment will be unlawful unless the employee has given advance written consent either in their employment contract or another agreement. If this is not covered in the contract, get a separate signed agreement when the equipment is issued.

Consider using click-through consents or on-screen reminders to remind staff of rules on equipment use and monitoring information.