Businesses in the U.K., including U.S. firms with branch offices there, may soon face limits on their ability to monitor employee Web surfing and e-mail activity under a new privacy code due to be released by a government body in the next two months.
The U.K. privacy protections also illustrate the sharp difference in privacy approaches that exists between the U.S. and European nations, many of which have stringent privacy rules.
The code, which sets out workplace privacy rights, will call for employers to spell out their monitoring policies to employees and conduct monitoring that is "proportionate" to the risk posed by the employee activity.
Here are two examples of how the standard could be applied:
-- If employees write 10 e-mails a day on average, but one employee is writing 200 e-mails, that would give an employer grounds to look at the content of those e-mails, said David Clancy, a strategic policy officer at the Information Commission in London.
-- Employers with sensitive information to protect, such as the secret ingredients of a soft drink, could reserve the right in their monitoring policy to check all communications -- such a policy would be proportionate to the risk, said Clancy. "The risk is that the business would collapse if the recipe was loose," he said.
The code would also call on companies to give consideration to an employee's privacy rights, said Clancy, because there "is a blurring between work and personal communications, especially with the growth of people working away from the office and the use of mobile communications." The mixed nature of messages can cause problems when a message to the human resource department, while work-related, is "quite often highly personal and private," he said.
But a major U.K. industry group, the Chartered Institute of Personnel and Development, called the code "unrealistic and inappropriate" and said it will halt virtually any employee monitoring and create new risks for businesses.
The code "does not allow any covert monitoring" of such activity as telephone calls and Internet use "unless criminal activity has been identified and the police are involved," said Diane Sinclair, the lead advisor on public policy at the London-based personnel management group.
The code is the Information Commission's interpretation of the Data Protection Act. The code isn't a law, but if a company doesn't follow the code, it risks a legal challenge from an employee.
Companies operating in the U.S. are allowed to monitor workplace computer activity without restriction, said Christopher Wolf, an Internet law expert at Proskauer Rose LLP in Washington. In short, U.S. law, which is backed by court rulings, makes clear that "he who owns the computers gets to see what is going on with their computers," he said.
But U.S. businesses in England will have to comply with the privacy code. Although companies with servers located in the U.S. might have the capability of remotely monitoring a workstation in England -- and may technically be able to get away with it -- they could face legal risk if they do so, said Wolf.
There have been high-profile cases in the U.K. of employees who have been dismissed for surfing the Internet, said Carolyn Jones, who heads the Institute of Employment Rights in London. She argued, however, that the boundary between family and the workplace is no longer what it was and that there should be some flexibility.