There are numerous ways in which employees can be found to be misusing IT facilities at work including computers, personal phones, social media and systems. These can quickly become disciplinary or even legal matters.
There is a wide range of matters to consider (many of which overlap):
- Social networking
- The information systems themselves
- Confidentiality and security
- Personal data
- Passwords
- Cyber bullying and harassment
- Monitoring
- Unauthorised use for personal purposes
- Data ownership
- Use of personal devices
- Homeworking
Social networking
Most employees will use these opportunities appropriately. But guidance is important. For example, it is easy to broach the rights of others in photographs placed on social media. Personal blogs that appear to come from your organisation can attract media attention (Gary Lineker springs to mind) and cause serious problems.
Information systems
Employees should be clear how they might use these systems, the purposes for which they may be used, any authorisation processes and the consequences of any mis-use or unauthorised access.
The use of external systems, such as iPlayer, Mobile apps, etc may require licencing or a subscription.
It is unlikely that an employee’s personal information, placed on your systems, can remain private and employees need to be advised of this.
Confidentiality and security
Employees need to be aware of their obligations in regard of confidentiality. Depending on the nature of the business, this can extend from not disclosing employees’ names at one extreme to protecting commercial and intellectual property, and the security of the systems themselves.
Employees should be aware of the dangers arising from social engineering. That is tricksters using confidence building or feigned authority (HMRC etc) to obtain passwords, for example.
Personal data
Employees should understand what personal data is (i.e anything that identifies to a living person) and the rules under which it can be used (and not used).
Passwords
These are of course crucial to maintaining security and authorised access. Organisations will address this in different ways. The more complex the approach, the more likely it will be circumvented, is one view.
Cyberbullying
Bullying is not precisely defined but your separate policy should indicate the behaviours that indicate it. Cyberbullying is similar in most respects except that:
- The bully is often remote, working from home perhaps
- The audience may be much wider, including the public domain
- The adverse behaviour is more intrusive, its effects need not be confined to the workplace, but can intrude into an employee’s private life
- It is, invariably, a permanent record
Employers need to be alert. Inclusion in a policy is not essential, but it would help.
Cyber harassment
Harassment is defined in the Equality Act. There are nine protected characteristics contained in the Act, which should be also contained in your Equal Opportunity policy. In addition, which may become more significant in the emerging workplace environment, Trade Union membership is also protected from discrimination and, in effect, harassment.
The points relating to cyberbullying also pertain to harassment.
Monitoring
With rare exceptions, employees need to know if their activities are being monitored online or offline (by tracking for example). They need to know the purposes for which it is being used or may be used. If data is collected for one purpose it cannot be used for another.
Unauthorised use for personal purposes
We have known of employees using excessive amounts of their employers time on personal activities and, in one case, setting up in competition while working for the employer. The use of a company’s system for job searching is another example of abuse. They are only abuse, of course, if the company’s policy defines them as such. For example, if personal use is defined, and the employee keeps within the limits, there is no abuse.
Data ownership
The jury is still out on the question of who owns LinkedIn and other social media contacts. This can be defined (and therefore offer the employer some protection) in the contract of employment, employee handbook or a specific policy. Other ownership issues are less fraught but, nevertheless, should be made clear.
Use of personal devices (BYOD)
The increasing use, by employees, of their own phones, ipads and even laptops raises more questions than can be addressed here. A carefully written policy is wise to avoid future conflicts and security breaches.
Homeworking
All the above apply with the increased risk associated with employees being remote and the potential of other family members gaining access, etc. When he was 7, my nephew picked up one of my passwords, just by looking over my shoulder. Fortunately, he boasted about it. A homeworking policy is advisable for other reasons too, health and safety ones among them.
In summary
IT is now the lifeblood of our organisations, our lives, and our economy.
But the opportunities for employees to be misusing IT facilities at work are pervasive.
Related blogs:
Monitoring employees in the workplace – fair or foul?
Homeworking makes your company data insecure
Could you be subject to ransomware?
Malcolm Martin FCIPD
Author Human Resource Practice
Blogs are for general guidance and are not an authoritative statement of the law.