| Should your Company have an Internet Use Policy? | |
| 1.
1.Introduction. 2. Some scenarios. 3. Give your employees unlimited access. 4. What are the fundamental concerns? 5. How to inform your staff and keep them informed. 6. What are the consequences of not following the IU policy? 7. How to evaluate your IU policy. 8. Why your company must have an Internet Use policy. Go here for a version you can print. Go here for a pdf version. | Home | Hire | More Articles |
The
question is should businesses have an Internet Use (IU) policy? This includes
not only surfing the web but also email, downloads, viruses, and anything
else that is available online? This is also about sending and receiving,
who owns what, and what kind of monitoring should employees expect. The
answer is "yes" businesses should have IU policies. These policies should
be clearly stated, frequently evaluated, and distributed to everyone to
the point of annoyance. There are several matters to consider in setting
IU policy and the most important are the following: 1. The Company needs to state what is and is not appropriate use of the Internet, email, and other electronic resources. 2. The Company needs to state what the consequences are of breaking the policy. 3. The Company needs to protect itself, its employees, and its assets from misuse of electronic communication resources. While I am focussing on 'the Company' in the above listing I will also note that it is really the employees who are protected by such policies. Employers can make all the rules they want, monitor to their heart's desire, and adopt the latest in blocking and filtering software. The fact is the Internet is very hard to control and monitoring or controlling how people use it is equally difficult. It is far better to build an atmosphere of trust and mutual respect where people know what is expected of them and behave accordingly. Once this milieu is created then our people will not only behave they will protect the company: wherein they too have an interest.TOP Some Scenarios. Here are some scenarios that will directly impact on people using the Internet in a business setting. A colleague hears a great joke and sends it to everyone. This works if it is a joke a priest could use in her sermon but if not, which is usually the case, the colleague could offend someone. Another colleague is discussing confidential or proprietary information in an email and mistakenly sends it to an entire discussion list. Open an email and find a particularly juicey bit of pornography but on the list of recipients is also the VP of sales, his secretary, and the mailroom. The first inclination is to just delete the offending messages and reach for a coffee. However, it is more than likely that any or all of these messages could offend someone. If a company did not have a clearly stated policy of acceptable use then disciplinary measures could hardly be taken against the colleague(s) in question. Moreover, it is very likely that many people have no idea of how to use the Internet or email, have no idea how the Internet works, and made their mistakes in all innocence. What most people may not realise that a company owns what their employees write in, among other things, their email. It is usually created while on company time and with the company's resources. Therefore, it is essentially a work made for hire and all rights go to the employer. Employees are compensated for this work by their salary and benefits among other things. Now, if the employer owns the offending email how responsible is the firm for offending the other people? How can the company, who owns this stuff, distance itself from the effects of racist, sexist, or other offensive or stupid communications? You guessed it: by clearly stating what is and is not allowed in emails, where employees are allowed to go during the day on the Web, and what the consequences are of breaking these policies. TOP Give Your employees unlimited access. Now the first inclination may be to severely restrict Internet use among employees. Or, given that it is hard to know where they are going, install tracking software so that the employer can know where they are going and then take appropriate action. In a typical work environment this is a mistake. It is important to remember that we are dealing with adults: adults can accept the consequences of their actions. It is also important to trust your people: give them clear direction and clear expectations of what the employer want them to do. Ninety per cent of employees will give value for their work. So if they want to visit a game site, or a chat line, or whatever, they should be allowed to do so. Of the remaining ten per cent nine per cent need reminders and supervision: it is important to know who those nine per cent are so that the can be educated and brought up to the employer's standards. The remaining one per cent should be dismissed anyway and no amount of monitoring will prevent the harm they may do. But the focus should be on the majority who provide value and not the minority who do not. Know who falls into which category and deal with them appropriately. The process of developing an IU will help employers do that: learn who is producing value and who does not. Then doing something about those who do not rather than just letting them coast. If an employer decides to monitor staff's online activities the amount of information generated will be enormous. Like any monitoring situation, the expectation is that if you are monitoring it then there is someone there to check it out. Who has the time to analyse this information and then do something about what they see? Who monitors the monitors? The Internet relies on the free flow of information and the ability of adults to self-censor. Employers should let their people take advantage of that. If, however, the employer decides to track Internet use then the employees must be told. It is unfair and unethical to listen in on people without their knowledge. The lack of trust this will invoke will cost the company in the long run. Employees will focus on the monitoring rather than the producing at work. Again the focus will be on the tiny minority who need supervision and alienating the huge majority who do not. TOP What are the fundamental concerns addressed by an IU policy? Employers want to anticipate and avoid as many problems as possible. Moreover, employers want to insure their staff are educated about things like email and acceptable Internet use. Finally, employers want to insure that when breaches of the IU do arise it is a matter of staff making a conscious choice to do so and not acting out of ignorance. Racist and sexist jokes are no longer tolerated in the workplace. However, email has a tradition as a place to share humour and interesting facts of life. People do not necessarily edit their thoughts before they speak or write. Sending out jokes, information, and rumours is often a needless part of the noise that winds up in your in box. This sort of information is also intensely personal and subject to many factors there is no means of predicting or countering. It is better that they not be sent. There is no need for all two hundred people at work to hear the latest knock knock joke or urban legend. Self censorship is key in this case. Employees must know that humour in the workplace is ok. but keep it personal and not in email. If nothing else, the Microsoft anti-trust case tells just how important email can be as evidence in court. As part of an employee's education they need to know that email is not confidential. It goes through several computers before it reaches its intended recipient. At each computer it is possible to keep and retain a copy of the email. So even though most would delete the particular piece there is a good chance that someone somewhere has kept a copy just for good measure. Let alone server backups and the like. Confidential material must not be sent via email. Proprietary matters should not be sent either. Even though there are several encryption programs available; why give potential competitors and others the chance to even try to break the code? Keep this material safe at all times. Especially for businesses with a successful formula a little paranoia can be a good thing. TOP How to inform your staff and keep them informed. As each user is added to the network their first piece of email is the company Internet Use policy. As part of the orientation and welcome to the company they are required to sign off on the policy; that they understand and will abide by the it. Educating staff is crucial. There is a tendency is to take a top down approach to protection. That is the corporation and its assets that are at risk and should be protected. This only a part of the answer. The fact of IU is it is impossible to prevent someone from doing or viewing what they wish. It is impossible to legislate the relationships of men and women who send each other racier and racier emails designing their first fling. However, staff need to be aware of the risks they take on to themselves when they ignore or go against the IU policies. By creating a IU policy in this way the corporation kept separate from the actions of it's employees. In order to give staff a true choice then they will have to be educated about the policies, their rationale, and what the consequences are of non-compliance. Post a list of what you can do and what you cannot do. Educate staff about how email flows, who owns it, and how anonymity is an illusion. It is easy to find people on the net. Hackers and spammers have been easily discovered by tracing their route through the computers handling their mail. It must be clear what the exact consequences are for those who decide to go against company policy. TOP What are the consequences of not following the IU policy? It will happen that staff will receive objectionable email from someone outside of the company. The instructions here are easy: delete the email do not forward it no matter how tempting. Otherwise, breaches of the IU policy are met with warnings, written warnings, and dismissal. These have to be clearly laid out in the policy documents everyone signs as a condition of employment. For example someone sends out an email announcing their Tupperware party on the weekend. This would constitute a note back to the person reminding them that the IU policy does not allow for these sorts of announcements and to please use the bulletin board in the kitchen. In another case a staff member decides to send out a joke they have received from the Internet. Again this is met with a note explaining that the email network is for business purposes only. The staff member is also reminded that humour is a personal matter and not everyone will appreciate their brand of humour. Everyone in the office receives these messages to make it clear what sort of standard is expected. Second offences are met with a private written warning, another copy of the IU policy, and a signature on a compliance document from the staff member. The third time is met with dismissal. This process is a means of gradual or progressive discipline. It allows both the employer and the employee to take stock of each other and insure that the person is working in the right job with the right company. The consequences are huge payoffs to offended employees who sue or giving competitors an unearned edge. Email is not confidential. Careful attention needs to be paid to what can and cannot be sent when it concerns core competencies and mission critical issues. Customers names, opinions, and legal details must not be sent around via email. Case number references are fine. Staff must be discouraged from talking about themselves, their supervisors, and their clients in email documents. The same disciplinary process as outlined above should be followed. Monitoring of the staff who do not comply must be strictly adhered to. As well the staff member must be told that they will be monitored and their email read. Their Internet use would also be closely monitored. The period of time would vary but at the end of this time it is necessary to meet again with the staff member and go through what occurred, the rationale for it, and their own point of view. These sorts of infractions represent a means to educate both the employees and the employer about what the company is doing and how email can be used. Moreover, staff can be apprised of the risks they themselves take when they do not follow the IU policy. It practically goes without saying that more serious breaches are met with dismissal. At the same time the Internet and the law changes at a frightening pace and it is important the IU policy keep up with these changes. Take monitoring for example. It is very easy to read email, access hard drives, and generally know a lot about what employees are doing. But what are the reasonable expectations of privacy? If it is reasonable to expect that postal mail not be opened and read then is it not also reasonable that email fall under the same criteria? Just because the employer, or canny employee, can monitor, pry, and discover a lot about what is going on does not mean that they should do so. In the absence of direction from the courts and government use common standards to govern behaviour and govern policy. TOP How to evaluate your IU policy. While Internet case law is in it's infancy there are some trends that, while following other more defined areas of the law, are emerging. Sexual harassment, racism, personal attacks, have all found their way to the court. While at one time we were encouraged to ignore such things it is now no longer the case to allow them. The role of the employer in preventing these abuses is clear: so creating a strong IU policy is a matter of due diligence. Enforcing the IU is equally important a there is no sense in giving the IU teeth and then not using them. Email and Internet Use policies need to reflect the fact that these subjects will not be tolerated and anyone engaging in them are doing so on their own and not with the support of the company. By providing the computers, the network, and Internet access the company is simply doing business in a responsible way. By creating strong IU policies and with clearly defined consequences and monitoring or dismissing offenders the company performs its duty in this regard. As well the company takes the time to educate and learn about its staff. It is important too to run the policies by your legal counsel. While Internet law is anyone's guess the likelihood is that it will be largely based on regular case law and this is where your lawyer's expertise comes in handy. As well the webmaster or Internet consultant will also be aware of trends and possibilities in the legal as well as technological areas and should therefore be used as a resource. Open up the policy making to your staff. They are the ones to whom the directives are issued and they should have some say in what is and is not acceptable to them. Some terms of course are not negotiable but many others could be. Compliance is a lot easier to maintain when everyone has a say in the decision making. At the same time someone has to stop and say what is appropriate and what is not. The standards mentioned here are really minimum standards and more can always be said. TOP Why your company must have and Internet Use policy. The Internet is a new and tumultuous place to do business: it is an increasingly important place to do business. It allows us to communicate and express our ideas without regard to time or distance. At the same time this connection allows for abuse and exposure to abuse. It is incumbent on corporations and employees to be aware of the risks, to clearly state the consequences, and develop the means to monitor changes in the system. To put it plainly: 1. A strong IU policy protects both the corporation and the employees from misuse of the Internet, email, and other electronic resources. 2. It insures that those who do breach the policy do so from a conscious and independent choice and not from ignorance. 3. In the event of legal action the company is separate from the actions of individuals and has taken steps as a means of due diligence to have prevented their occurrence. 4. An effective IU policy is continually evaluated in regards to its legal relevance, Internet relevance, and with the standards and expectations of all involved. We are creating a living document here. It represents the intent of the corporation to protect itself and its employees from misusing company time and property. No amount of legislation or blocking and monitoring software is going to prevent people from using the Internet and email in any way they want. It is for this reason it is vital to create an atmosphere of mutual trust and support where employer and employee see the need to create and adhere to appropriate behaviour: to set and meet high standards. There are means to discover those who will not comply. These people make a conscious choice to do something then they should be prepared to accept the consequences: they will know what the consequences are. Employers must clearly state what those consequences are and enforce them. Employees must protect themselves from offending colleagues or exposing their firms to competitive dangers . An appropriate Internet Use policy must be developed with an eye to changing technologies and changing times. A Final Reminder. This article is not legal advice. Case law and legislation for the Internet is in it's infancy and there is no certainty what the final, or even the next, laws will look like. At the moment it is important for all of us to protect ourselves. The best way to do that is through an awareness of what we are doing and what we want from our actions. To act without thinking is the worst. This article may be distributed freely only with this copyright notice intact. This article is copyright 1999-InterActive Arts-all rights reserved. Any omissions and errors are the responsibility of the author, Bernie Monette. While the subject matter is legal this article does not represent legal advice. Please go to our legal information page for further information. InterActive Arts is a full service Internet consulting company. We help businesses find the right balance between the Internet and their corporation: to our mutual profit. We would be glad to help you. |Home| Legal| Hire| More Articles| TOP | |