Computer law and privacy at work

12 Pages

20 Downloads

Words: 3708

Date added: 17-06-26

open document save to my library
Report to D’Ausecours Board 31st May 2006 Re: Acquisition of Security Control - Issues and Recommendations 1) Confidential Information Given the that the greatest value of SC lies in the ability of its employees to innovate and the quality and commercial potential of the resultant product, it is disturbing to learn that none of the employees is currently bound by any form of confidentiality clause in their contract and they have received no training or even informal guidance in the correct handling of confidential information. It is, of course counterproductive to develop a culture of obsessive secrecy such as that which results in the security classification of Ministry of Defence canteen menus but a workable definition should be developed without delay. It is suggested that this accord with the criteria expounded by Megarry V-C in Thomas Marshall (Exports) Ltd v Guinlƒ©[1] including the test of whether the employer reasonably believes that the release of information will be injurious to him or advantageous to his rivals and whether it is reasonable to believe that the information is not already public. The information will of course have to be judged in accordance with the usage and practices of our industry. In respect of the existing unregulated situation, in the event of unwanted disclosure of confidential information prior to the introduction of revised contracts of employment, it may be possible to rely upon Faccenda Chicken Ltd v Fowler[2] in which employees similarly had no restrictive covenant in their contract of employment. The employer argued that they were nonetheless bound by an implied duty of confidentiality. Although the decision of Goulding J at first instance was unsatisfactory from our point of view, the criteria stipulated by the Court of Appeal in order for such a duty to apply may be of assistance:
  • The nature of the employment;
  • The nature of the information (this can be protected if it may be classed as a trade secret or was material which was in all the circumstances of such a highly confidential nature that it should be so treated;
  • Whether the employer has impressed upon the employee the confidentiality of such information; and
  • Whether the information can be freely isolated from other information which the employee is free to use or disclose.
In respect of the third of these (impressing the nature of the information upon the employee) this may be the subject of immediate practical action. Once employees have been so informed, the implied duty should begin to apply notwithstanding the lack of express restrictive covenants in their contracts. The criminal law is unlikely to assist in this regard in its present form. An attempt in Scotland in Grant v Allen[3] to prosecute an employee who allegedly dishonestly took a quantity of computer printouts from a firm of carriers failed with the court commenting that “to make a declaratory finding that it is a crime dishonestly to exploit confidential information belonging to another would have far reaching consequences in this technological age”; it was suggested that this was a matter for legislation. However, the English Law Commission in its Working Paper on Conspiracy to Defraud[4] similarly eschewed the opportunity to make the abuse of confidential information the subject of criminal proceedings unless perhaps in circumstances in which a conspiracy had been formed with the intent to deprive a person of confidential information to their financial prejudice. Accordingly it is recommended that a programme of training be urgently implemented to make employees of SC aware of what constitutes confidential information and stresses that they are already bound by an implied duty of confidentiality. In parallel with this, Human Resources should attend without delay to the revision and reissue of the necessary contracts of employment. In the instance of short-term instances of potential abuse which may prove damaging such as employees disgruntled by the take over seeking to leave and use SC information to establish their own ventures, consideration might be given to the issuing of applications where appropriate for “springboard injunctions” as in Roger Bullivant Ltd v Ellis[5]. These of course will be strictly limited in time but should at least cover the period in which the ex-employee is seeking to gain a “head start” by the use of such information. 2) Pornography At present, employee’s contracts do not forbid personal use of the internet. As a preliminary point, it is suggested that this is reviewed. Quite apart from the specific difficulties to which such use may give rise such as, for example, in the case of the circulation of pornography discussed below, the accessing of websites and the use of the internet during working hours for the sending and receiving of personal e-mails is becoming a contentious issue in every workplace. What may be regarded as a harmless “perk” is capable of escalating to the extent that much productive working time is lost placing the employee in breach of their duty of fidelity and resulting in great impairment to the efficiency of the organisation. Happily, it appears that at present this use is restricted to the accessing of “adult” websites and there have, as yet, been no complaints from other employees about the distribution of such material. Nonetheless, it is submitted that this is a practice which should be discouraged. Although internet pornography is a relatively new phenomenon, it is still within the ambit of the Obscene Publications Act 1959. This provides that an article is obscene and thus its distribution is liable to criminal prosecution where it has a tendency to deprave or corrupt persons who are likely, having regard to all the relevant circumstances, to come into contact with it. The fact that this rather antiquated piece of legislation which could never have foreseen current technological developments should still be taken seriously can be observed from R v Perrin[6] in which the appellant had been convicted of publishing an obscene article, namely a web page which contained images of coprophilia and fellatio. This was accessed by a police officer. The conviction was challenged under Article 10(1) of the European Convention on Human Rights on the ground that it breached the right of freedom of expression. However, the Court of Appeal held that Article 10(2) allows derogation from the right of freedom of expression where this is necessary in a democratic society for the prevention of disorder or crime or the protection of morals. The Court of Appeal took the opportunity to refine and update the applicable test: “First, whether any person or persons were likely to see the article, and if so, whether the effect of the article, taken as a whole, was such as to tend to deprave and corrupt the person or persons who were likely, having regard to all the relevant circumstances, to see the matter contained or embodied on it.” A discussion of this subject is always likely to give rise to a certain amount of juvenile mirth. It may be suggested, for example, in the light of the comments circulated about my understanding of motor car brands (the subject of a further brief below) that the employees of SC are already beyond the risk of being depraved and corrupted the damage already apparently having been done. However, it is recommended that this issue be taken seriously. In particular, regard should be had to the Protection from Harassment Act 1997 which makes it an offence to pursue a course of conduct designed to cause alarm and distress to another. While, for example, it may be considered amusing to send graphic sexual images to young female employees or, more probably, the “ladies of a certain age” in the Accounts Department, if this were to reach a certain level of intensity, it could form the basis of criminal prosecution. More immediately, such conduct could be presented as sexual harassment (which can also be directed against same-sex colleagues and transsexuals: Chessington World of Adventures v Reed[7]) which could give rise to a liability on the part of the employer if the conduct was known of and not acted upon or there was found to be insufficient supervision in place to guard against such conduct. This, in itself, could expose the company to proceedings in the Employment Tribunal. These might become particularly serious if an employee were driven to the point of leaving and then claiming constructive dismissal. It is strongly recommended therefore that guidelines regulating the use of the internet in general and the accessing of pornography in particular be immediately promulgated with it being made clear that any breach will be considered a disciplinary offence. 3) Defamation I am quite confident in my ability to distinguish rusting heaps of Scandinavian metal from the more intimate aspects of the female anatomy and I make it clear therefore that I do not propose on this occasion to take any action in respect of the “hilarious” e-mail circulated on the subject. However, the existence of an office culture in which the circulation of such material is considered not only permissible but potentially amusing gives cause for concern. The law of defamation is quite clear. A defamatory statement is one which injures the reputation of another by exposing him to hatred, contempt or ridicule or which tends to lower him in the esteem of right thinking members of society (Parmiter v Coupland & Another[8]). Employees should be advised that while the common perception of libel is limited to statements published about celebrities in tabloid newspapers, it is just as capable of applying in the workplace. The important issue in this context is “publication”. Once again, while this would seem to be a concept applicable only to the Press, a salutary lesson can be learned from Riddick v Thames Board Mills[9]. This concerned an internal memo following the dismissal of two employees. It was based on the report of two other employees which was found to be inaccurate and malicious. This report formed the basis of a memo which a manger dictated to his secretary and then sent to another manager who read it and filed it away. Although Lord Denning dissented in the Court of Appeal on the basis that this was a document which was only produced during discovery and ought therefore to be regarded as privileged, Stephenson and Waller LJJ disagreed and held that communications between employees, often involving communication with secretaries, had for a long time been treated as publications. (This principle is one which may well surprise many of our managers and it is worth observing in passing that an element of guidance and training at this level may be appropriate - it will be noted that I have taken care elsewhere to describe the present standard of record keeping as “inconsistent” when more choice language may have sprung to mind!) However, this being so, these strictures must apply with still greater force to intra-office e-mails. Quite apart from any issues which arise in respect of the conduct of individual employees in this regard (I repeat my comments in Brief 2 in respect of an employer’s liability for harassment and discrimination and potential remedies under employment law), I am concerned about certain developments in respect of the law of libel as applied to electronic communication. In Godfrey v Demon Internet[10], it was held that Internet Service Providers (“ISPs”) can be held liable for the publication of defamatory material if they store such material on their servers where it is accessible to customers. The argument that they were simply the holders of an electronic device through which information was transmitted was rejected. Although I have not been able to locate any authority exactly on point as yet, I am concerned lest it might be possible to apply this principle to our company on the basis that we might in certain circumstances be seen to be publishing such libels by allowing them to be accessible on our systems. I recognise that this would not apply in the case of personal or group e-mails since we cannot be responsible for their content and are not making them generally available but open for a such as departmental message boards and discussion groups might not be able to escape liability in the same way. Of course, there is now a statutory defence available under section 1 of the Defamation Act 1996 provided it is possible to show that an administrator of an electronic network of this type took all reasonable care in relation to the publication of the statement and did not know (nor could have known) that what they did contributed to the publication of the statement. Obviously, such a defence will be negated if we continue to maintain systems without supervision upon which it is possible to post such material particularly having regard to the fact that even at this stage of acquisition we have become aware of an apparent propensity on the part of certain employees to circulate material of this type. In any event, ongoing monitoring and regulation will be required. The statutory defence failed in Demon Internet because it was shown that the ISP had had the relevant material drawn to its attention and had not taken steps to remove it for some two weeks. 4) Data Protection It is disturbing to note that SC is the subject of a number of complaints to the Data Protection Commissioner. (This issue also impinges upon the area of record keeping discussed at the presentation). A review of systems is therefore imperative. The Data Protection Directive[11] prescribes five principles relating to data quality. It must be:
  • Processed fairly and lawfully;
  • Collected for specific, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
  • Adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
  • Accurate, up to date and complete; where this is not so the data must be erased or rectified;
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.
These principles are largely replicated (albeit numbered at eight) in the Data Protection Act 1998. I am concerned at certain aspects of the current SC approach to data. For example, there is much in the current recruitment and ongoing employment of staff that is, to put it mildly, irregular. Where data is collected from a subject as in our current recruitment process, Schedule 1, Part 2, para.3 of the 1998 Act requires that the subject must be supplied with: “…any further information tat is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.” This means that prospective employees should be informed whether providing answers to any questions is voluntary or compulsory and as to the possible consequences of a failure to reply. At present, there is no distinction on the application forms between the questions in relation to previous criminal convictions (and no reference to the Rehabilitation of Offenders Act 1974) and the other questions which are asked about ethnicity (to which the subject is not required to reply) and which, it must be made clear, are for equality and diversity monitoring purposes only. The existing question relating to sexual orientation is wholly unacceptable under the terms of the Employment Equality (Sexual Orientation) Regulations 2003[12]. The present approach to storage of data is entirely haphazard. The most cursory review of the HR Department files reveals personal files which relate to employers who left SC many years ago (while the retention of such information for a period of time for purposes such as the supply of references is legitimate, some of these files are now so antiquated that it might be doubted that the subject is still living). In any event, it is clear that even the information in respect of current employees has not been kept updated. There is therefore a breach of the obligations imposed by the Directive and the Act either to update such information where appropriate or to erase it. Of greatest concern is the issue of data security. The seventh data protection principle contained in the 1998 Act requires that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” The practical position in this regard at present is appalling. None of the computer systems in Payroll is password protected. A recent visit to the coffee bar revealed employees leafing through HR Department files which have been left in there in an unlocked “overspill” filing cabinet. I recommend the immediate appointment of a data controller to review as his/her first priority, the security of all computer and manual systems and implement adequate training and supervision to ensure the competence and reliability of all staff having access to personal data. 5) Disciplinary Procedures Finally, I am asked to identify another issue which will impinge upon the take over of SC. While there is so much to choose from (!), I am concerned to note that in common with the current raft of complaints to the Data Protection Commissioner, the HR Department appears to be awash with Forms ET1 commencing proceedings against SC in the Employment Tribunal. A review of these applications demonstrates that a great many problems stem from the currently cavalier approach of Managers to the disciplining of members of their department. There exists a macho and “laddish” culture that would be unacceptable on a building site still less in a high-tech company. For example, following a recent dispute over the way in which a software design task was to be carried out in the IT Department, the Manager was heard to say to an employee, “You do it my way or you can f*** off!”. When the unwanted method of work was repeated, the employee was summoned to the Manager’s office and told, “I’ve told you once you pusillanimous little w*****, now sling your hook!”. The employee was escorted from the premises by security. Following receipt of the ET1 alleging unfair dismissal, the Manager was interviewed by the HR Department and indignantly claimed that he had administered a “verbal warning” and was therefore entitled to sack the employee “on the spot”. This is disastrous. First, it should be obvious to even the most insensitive of managers that the ability summarily to dismiss an employee is restricted to instances of gross misconduct. A useful test is contained in Laws v London Chronicle (Indicator Newspapers) Ltd[13] in which it was formulated as: “…whether the conduct complained of is such as to show the servant to have disregarded the essential conditions of the contract of service”. Therefore, while instances such as fighting or theft might warrant dismissal without notice, a dispute over the approach to a computer project can hardly be said to fall into this category. In any event, even if there had been a dismissal with notice, it would probably have been regarded as unfair on the merits but, more particularly for the purpose of the internal organisation of the company, it would have been held to have been “automatically unfair” by virtue of the Employment Act 2002 which introduced the new s.98A(1) into the Employment Rights Act 1996 and requires adherence to the procedures laid down by the Employment Act 2002 (Dispute Resolution) Regulations 2004[14]. As a matter of the greatest urgency all managers should be made aware that there is now a statutory procedure to be followed in all instances where the disciplining or dismissal of an employee is contemplated. The employee should be informed of the allegation against him and given an opportunity to consider it before attending a meeting (at which he has the right to be accompanied by a work colleague or Trade Union representative) at which the allegation is investigated and a decision reached. Thereafter, there is still a right of appeal to be exhausted before a dismissal can be confirmed. This is known as the ‘Standard Procedure’. Even in instances of gross misconduct requiring immediate dismissal and removal from the premises, there is a Modified Procedure to be followed. In the event of a claim of unfair dismissal where these procedures are not followed, the dismissal will be deemed automatically unfair even if it could have been justified on other grounds. Worse still, the Tribunal is then obliged to increase the appropriate award by 10% and may where it considers it appropriate to do so increase it further up to an overall maximum of 50%. I recommend therefore that the HR Department is overhauled to ensure that they are fully conversant with these requirements and managers instructed to consult and involve them before taking any action relating to matters of discipline. Bibliography Bainbridge, D., Introduction to Computer Law, (5th Ed., 2004) Bowers, J., A Practical Approach to Employment Law (7th Ed., 2005) Deakin, S., Johnston, A. & Markesinis, B., Markesinis and Deakin’s Tort Law (5th Ed., 2003) Lloyd, I., Information and Technology Law (4th Ed., 2004) Westlaw www.opsi.gov.uk

Footnotes

[1] [1978] ICR 905 [2] [1986] IRLR 69 [3] 1987 SCRR 402 [4] Law Com No.104 (1987), paras.10.45-10.46 [5] [1987] IRLR 491 [6] [2002] EWCA Crim 747 [7] [1998] ICR 97 [8] (1840) 6 M&W 105 [9] [1977] QB 881 [10] [1999] 4 All ER 342 [11] Directive 95/46/EC, Art.6 [12] SI 2003/1661 [13] [1959] 1 WLR 698 [14] SI 2004/752
Read full document← View the full, formatted essay now!
Is it not the essay you were looking for?Get a custom essay exampleAny topic, any type available
banner
x
We use cookies to give you the best experience possible. By continuing we'll assume you're on board with our cookie policy. That's Fine