E-Mail & Internet Policies - Six Things Employers Should Know

Existing procedures

If you have an existing policy and procedures in place, you should consult with staff about any changes you are making. It is good practice to do this in any case, but it may be legally required if your existing policy and procedures are part of the contract of employment, or if you have a formal trade union recognition agreement in place.

Why have a policy?

Many employers have dismissed staff for accessing ‘inappropriate’ websites or spending too long sending personal emails. Many of those staff actually won unfair dismissal claims because the employer did not have a policy on what kind and level of use was acceptable, and what the penalties for misuse might be. So, as in all areas in which you want to set out ‘the way we do things round here’, it is strongly advised that you develop and circulate a clear policy. A written policy will:

  • help protect against liability for the actions of workers
  • help educate workers about the legal risks that they might inadvertently take
  • prevent damage to systems
  • help reduce time spent on non-work activities

What should be in it?

  • Make clear to workers who they should contact about any particular aspect of the policy.
  • Consider what best practice procedures should be put in place, particularly internet and email etiquette do's and don'ts.
  • Decide the extent to which employees can use the internet and email for personal purposes. Set down the parameters clearly and specify the consequences of misuse/abuse of the system, including disciplinary action and summary dismissal.

Monitoring and Data Protection

In the UK, it is unlawful to intercept electronic communications unless the interception has been authorised, whether by a warrant, by consent, or by regulations. Regulations that came into force in October 2000 provide circumstances in which a business can lawfully intercept emails (and telephone calls) made on its own systems, such as:

  • Gaining routine access to business communications;
  • Monitoring standards of service and training;
  • Preventing or investigating crime; and
  • The unauthorised use of systems.

There are other conditions on monitoring found in these Regulations, the Human Rights Act and guidance from the Data Protection Commissioner, including:

  • The employer must have taken all reasonable steps to inform the recipient and caller that the email and/or phone call will be intercepted.
  • The employer must be open about monitoring. Therefore, the limits of personal use should be set out and any restrictions specified. Ensure that employees know that their email and internet use will be monitored before they begin using it or before monitoring begins.
  • The employer should not intrude on the privacy of the employee and should provide a mechanism for employees to delete email from the system.
  • Where possible, monitoring should be limited to an automated process. Do not monitor the content of emails unless the traffic record alone is not sufficient and do not open emails which are clearly personal.
  • Any personal information that is found that concerns employees must be used fairly.

It is certainly worth looking at the Information Commissioner's Office ‘Employment Practices Code’; a direct link to this is provided in the Resources section below.

Introducing and Using the Policy

If implementing a new or revised policy, notify all employees by memo or circular, identify the date of implementation and give employees an opportunity to review the policy.

Any policy can only be effective if it has been brought to the attention of employees and they follow it. The best approach is not to rely only on a policy but also to educate your employees on the correct use of email and the internet.

Finally, bear in mind that a policy will not be effective unless it is enforced. An employer cannot turn a blind eye to abuse of an existing policy then expect to suddenly enforce it against one or a number of employees. Such an unfair approach could easily backfire on the employer.

Policy Review

Set a date to evaluate the effectiveness of the policy, perhaps annually, and nominate a person to take responsibility for this. Changes to the policy may also be required by changes in legislation and new case law.


For more and related information you may find the following websites and resources useful.

The Information Commissioner's Office is the independent authority on all aspects of the Data Protection Act, including the monitoring of communications.


