As more workplaces expand online access to employees, the importance of having a clear Internet and e-mail use policy in place is increasingly paramount.
The recent case in Toronto where two men were arrested for possession of child pornography, not just on their home machines but on their workplace computers as well, underlines the need for a policy. Toronto police were quick to point out that if a company knows an employee has offensive material on a workplace computer, and does nothing about it, then the corporation and company officials could face charges.
“We’re not saying companies should spy on their employees,” said staff superintendent Gary Ellis, head of the Toronto Police sex-crimes unit. “We’re asking employers to be responsible. They’re responsible for what goes through their computers.”
Ellis said police receive about two or three calls per week from employers who find pornography on their systems, but don’t know their legal rights.
But it’s more than just pornography employers need to keep an eye on. Employees could potentially access hate material online or pass around inappropriate and offensive jokes through the company’s e-mail system. All of this means organizations need to have a clear Internet policy in place to ensure employees don’t engage in these kinds of activity. Setting up an effective policy doesn’t have to be time consuming or expensive.
Case study
Almost two years ago, Carswell, a publisher based in Toronto, set out to implement a clear usage policy after giving almost all of its nearly 600 employees access to the Internet at work.
This spurred the HR department into developing a policy which has been effective in ensuring corporate assets aren’t abused, said Barb Conway, vice-president of human resources.
“With most of the people in the company accessing the Internet, and with what we were hearing in the news and what was happening generally, we felt it was time to tighten up our policies and issue something that would give people a guideline,” said Conway. “The policy is straightforward. It’s fairly stringent, but I don’t think it’s draconian. If somebody is going somewhere they shouldn’t, our goal is to stop it.”
The first step in setting up the policy was to meet with the company’s lawyer. In this case, the lawyer had a sample policy that had been implemented at a sister company. Carswell’s HR department took the sample to the director of information systems to make sure it was relevant to the systems and procedures in place. Then the sample was taken to the executive team to ensure they were onboard with what was being proposed. They made some minor revisions, sent it back to the lawyer to go over the fine points, and the policy was set. All in all, it took about five weeks from the day the decision was made to implement the policy until the completed draft was ready to present to employees.
Monitoring Internet use
Carswell uses software that blocks employees from accessing prohibited Web sites. The software has a list of prohibited sites, continually updated, that employees cannot access.
“If somebody tries to go in and access something that is deemed to be inappropriate, they will get a message from HR and IS together that says you’ve tried to access something that is on our inappropriate list. Please don’t,” said Conway.
This approach is more proactive than what the company was originally doing, she said, which consisted of generating reports of sites accessed and having someone go through them looking for anything offensive. Under that system, HR would then phone the individual to warn the employee not to access the sites.
“Now, it stops people from going in,” she said. “It sends the automatic message, we’re not having to make those phone calls.”
Monitoring e-mail use
Stopping employees from visiting inappropriate sites was a no-brainer, but monitoring e-mail was a bit trickier to come up with a policy on, said Conway. There was a lot of conversation around privacy, and the company didn’t want to go too far in monitoring employees.
“We were trying to balance privacy with making sure we had a policy that said there are certain things that are acceptable and not acceptable and make sure you understand that,” she said. “There were some interesting perspectives on people’s right to privacy versus the organization’s right to do these types of things.”
Eventually, Carswell decided to block inappropriate external e-mail from coming in by using filtering software but chose not to monitor e-mail being sent by employees around and outside the company. Instead, they came up with a written policy that sets out clearly what employees can, and can’t, use e-mail for.
“We can imagine that certainly things get sent around that may have inappropriate language or things like that,” Conway said. “But it doesn’t appear to be a widespread issue for us. In hindsight, that may turn out to be incorrect but that’s the initial approach we took. Let’s make sure there is a policy out there and make sure people know there are consequences if things are used inappropriately, but also going on a bit of a trust system. Time will tell, but so far we seem to be okay.”
Communicating the policy to employees
Even the best policy is ineffective if employees aren’t clearly aware of what the policy is and what the ramifications are for breaking the rules.
“The key to us was that we communicated what the policy was, what the procedures were going to be and I have not had a lot of personal concern expressed,” said Conway. “We wanted to be really clear that the systems are for business purposes and we have to make sure that we’re protecting our information and our reputation.”
The policy is also communicated to new employees who are required to sign a business conduct policy that includes e-mail and Internet use.
“From the reports we’ve seen, we don’t have a widespread misuse of the system,” she said. “It’s definitely declining, and we can address pockets where there still might be problems.”
Conway said it’s important to remember that the policy needs to keep changing as time and technology change the way business is done.
“It’s something you always have to be looking at,” she said.
The recent case in Toronto where two men were arrested for possession of child pornography, not just on their home machines but on their workplace computers as well, underlines the need for a policy. Toronto police were quick to point out that if a company knows an employee has offensive material on a workplace computer, and does nothing about it, then the corporation and company officials could face charges.
“We’re not saying companies should spy on their employees,” said staff superintendent Gary Ellis, head of the Toronto Police sex-crimes unit. “We’re asking employers to be responsible. They’re responsible for what goes through their computers.”
Ellis said police receive about two or three calls per week from employers who find pornography on their systems, but don’t know their legal rights.
But it’s more than just pornography employers need to keep an eye on. Employees could potentially access hate material online or pass around inappropriate and offensive jokes through the company’s e-mail system. All of this means organizations need to have a clear Internet policy in place to ensure employees don’t engage in these kinds of activity. Setting up an effective policy doesn’t have to be time consuming or expensive.
Case study
Almost two years ago, Carswell, a publisher based in Toronto, set out to implement a clear usage policy after giving almost all of its nearly 600 employees access to the Internet at work.
This spurred the HR department into developing a policy which has been effective in ensuring corporate assets aren’t abused, said Barb Conway, vice-president of human resources.
“With most of the people in the company accessing the Internet, and with what we were hearing in the news and what was happening generally, we felt it was time to tighten up our policies and issue something that would give people a guideline,” said Conway. “The policy is straightforward. It’s fairly stringent, but I don’t think it’s draconian. If somebody is going somewhere they shouldn’t, our goal is to stop it.”
The first step in setting up the policy was to meet with the company’s lawyer. In this case, the lawyer had a sample policy that had been implemented at a sister company. Carswell’s HR department took the sample to the director of information systems to make sure it was relevant to the systems and procedures in place. Then the sample was taken to the executive team to ensure they were onboard with what was being proposed. They made some minor revisions, sent it back to the lawyer to go over the fine points, and the policy was set. All in all, it took about five weeks from the day the decision was made to implement the policy until the completed draft was ready to present to employees.
Monitoring Internet use
Carswell uses software that blocks employees from accessing prohibited Web sites. The software has a list of prohibited sites, continually updated, that employees cannot access.
“If somebody tries to go in and access something that is deemed to be inappropriate, they will get a message from HR and IS together that says you’ve tried to access something that is on our inappropriate list. Please don’t,” said Conway.
This approach is more proactive than what the company was originally doing, she said, which consisted of generating reports of sites accessed and having someone go through them looking for anything offensive. Under that system, HR would then phone the individual to warn the employee not to access the sites.
“Now, it stops people from going in,” she said. “It sends the automatic message, we’re not having to make those phone calls.”
Monitoring e-mail use
Stopping employees from visiting inappropriate sites was a no-brainer, but monitoring e-mail was a bit trickier to come up with a policy on, said Conway. There was a lot of conversation around privacy, and the company didn’t want to go too far in monitoring employees.
“We were trying to balance privacy with making sure we had a policy that said there are certain things that are acceptable and not acceptable and make sure you understand that,” she said. “There were some interesting perspectives on people’s right to privacy versus the organization’s right to do these types of things.”
Eventually, Carswell decided to block inappropriate external e-mail from coming in by using filtering software but chose not to monitor e-mail being sent by employees around and outside the company. Instead, they came up with a written policy that sets out clearly what employees can, and can’t, use e-mail for.
“We can imagine that certainly things get sent around that may have inappropriate language or things like that,” Conway said. “But it doesn’t appear to be a widespread issue for us. In hindsight, that may turn out to be incorrect but that’s the initial approach we took. Let’s make sure there is a policy out there and make sure people know there are consequences if things are used inappropriately, but also going on a bit of a trust system. Time will tell, but so far we seem to be okay.”
Communicating the policy to employees
Even the best policy is ineffective if employees aren’t clearly aware of what the policy is and what the ramifications are for breaking the rules.
“The key to us was that we communicated what the policy was, what the procedures were going to be and I have not had a lot of personal concern expressed,” said Conway. “We wanted to be really clear that the systems are for business purposes and we have to make sure that we’re protecting our information and our reputation.”
The policy is also communicated to new employees who are required to sign a business conduct policy that includes e-mail and Internet use.
“From the reports we’ve seen, we don’t have a widespread misuse of the system,” she said. “It’s definitely declining, and we can address pockets where there still might be problems.”
Conway said it’s important to remember that the policy needs to keep changing as time and technology change the way business is done.
“It’s something you always have to be looking at,” she said.
