Archived decisions
Hampshire County Council
Employment in Hampshire County Council Committee Item 5
16 March 2005
Email, Internet, Intranet and Monitoring Policy
Report of the Head of IT Services and Director of Human Resources
Contact: Ron Kane HSPN: 335 3917 email: [email protected]
1 Introduction
The purpose of this report is to seek approval from EHCC Committee for a revised Email, Internet, Intranet and Monitoring Policy ("The Policy"), a copy of which is attached to this report.
2 Purpose of Policy
The aim of this Policy is to protect the County Council against improper or unlawful use of its computer facilities, including hardware, software, systems and networks, whilst at the same time enabling continued promotion and encouragement in use of the Authority's computing facilities in the interests of the County Council.
3 Background
Members will be aware of the increasingly critical importance of the County's computer facilities, particularly in the context of the e-government agenda which in turn is central to the modernisation of local government. In pursuit of greater efficiency and effectiveness, Hampshire County Council has always sought to lead in this field through the promotion of increased use of its computer facilities. Increased use of the facilities inevitably leads to an increase in the risk of abuse and therefore a need for sound auditing and monitoring of systems.
Set against this can be seen a recent body of related legislation which has been enacted with the primary purpose of safeguarding the rights of individual computer users, particularly against unlawful or spurious and improper monitoring of communications by employers.
In order to strike the right balance between the need to protect the interests of the County Council whilst at the same time respecting the rights of computer users to privacy of their communications, the Policy has been revised and updated and in particular, now contains specific provisions to deal with the issue of monitoring and of impact assessment. The Policy is also in turn linked to a revised set of computer conditions of use and guidelines which users will in future be required to sign up to electronically as a condition of access.
4 Consultation
The Policy has been the subject of wide consultation with, amongst others, the Council's Trades Unions, the Security Managers Group, the e-Government & IT Steering Group, the Chief Executives Department and the HR Department.
5 Collective Agreements
Following consultation, the County Council's recognised Trades Unions have entered into Collective Agreements in respect of the Policy. The Agreements protect the County Council's rights to regulate the use of email, the use through Council computer facilities systems and networks of the Internet and Intranet, and the Council's right to monitor such use, albeit in line with current relevant legislation. Accordingly, the Agreements also protect employees against improper and unlawful monitoring.
6 Acceptance of the Policy
An effect of the Collective Agreements is to embody the Policy into the Contracts of Employment of all employees working under EHCC conditions of service.
All new employees will have a related clause inserted into their Contracts of Employment. Additionally, all Users will be required to accept and comply with the `computer conditions of use and guidelines' on renewing their `password' access to the computer network.
Approval of the Policy will ensure that the County Council's IT infrastructure provides a managed and safer environment in which all users can benefit, as well as the County Council.
7 Publicising the Revised Policy
In order to raise the profile of the revised Policy and make users aware of their responsibilities, an article has been published in the `Spotlight' newsletter and an associated `Stop Press' article will be published on Hantsnet. There will also be direct links to the Policy via IT, County Treasurer and HR web-pages as well as via the e-Employment Guide. This approach will ensure that current staff and other users are made aware of changes to the Policy. Additionally, the Policy will be promoted in Induction programmes for new staff and through other relevant training events.
8 Risk Assessment
The potential risks to the County Council in not endorsing this revised Policy are an increase in exposure to unlawful and/or improper use of the County Councils computer hardware, software, systems and networks. Additionally, the absence of a clearly communicated and agreed Policy is likely to lead to increased risk of unlawful and unauthorised monitoring of use which in turn may expose the Council to increased risk of related litigation. The revised Policy and computer use guidelines will also serve to limit any potential increased risk likely to arise from the current policy of promoting increased homeworking and increased personal computer use via the recently introduced Salary Sacrifice Scheme.
9 Recommendations
The Committee is asked to note and approve the revised Policy.
Section 100 D - Local Government Act 1972 - background papers
The following documents disclose facts or matters on which this report, or an important part of it, is based and has been relied upon to a material extent in the preparation of this report.
NB the list excludes:
1. Published works.
2. Documents which disclose exempt or confidential information as defined in the Act.
TITLE LOCATION
Nil
Related Legislation
The legislation detailed below impacts upon the implementation and management of the Policy:
_ Data Protection Act 1998
_ Human Rights Act 1998
_ Regulation of Investigatory Powers Act 2000
_ The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
_ The Employment Practices Data Protection Code Part 3: Monitoring at Work 2003
HAMPSHIRE COUNTY COUNCIL EMAIL, INTERNET, INTRANET
AND MONITORING POLICY
Policy Statement
Hampshire County Council believes in promoting and encouraging use of email, the Internet and the Intranet for the benefit of the community and its employees. To facilitate maximum use and development of the Council's computer facilities, whilst at the same time protecting its interests, all users of the Council's computer hardware, software, systems and networks are required to comply with its computer conditions of use and guidelines and relevant schools policies in the case of school-based employees.
Monitoring
To further protect its interests, the County Council reserves the right to monitor the use of email, Internet and Intranet communications and where necessary data may be accessed or intercepted in the following circumstances:
· To ensure that the security of the County Council's computer hardware, software, networks or systems are not compromised;
· To prevent or detect crime or unauthorised use of the County Councils computer hardware, software, networks or systems;
· To gain access to communications where necessary when a user is absent from work.
The County Council respects the right of individuals to privacy of communications. At the same time it has a duty to protect the interests of itself and others against unlawful use of its computer facilities. To balance these needs, interception of personal and private communications will not normally take place unless grounds exist to show evidence of some crime or other unlawful or unauthorised use.
Access to personal and private communications will normally only take place with the approval of the Director of Human Resources, or designated representative, in conjunction with the Head of IT Services and relevant Senior Manager (or Headteacher/Chair of Governors in the case of schools-based employees) or with the approval of the Chief Internal Auditor and/or Monitoring Officer. Such access will only be authorised following an assessment to determine what, if any, access or interception is justified.
Sanctions
Where an employee wilfully fails to comply with the computer conditions of use and guidelines, and relevant schools policy in the case of school-based employees, it will normally be considered a disciplinary offence which may lead to dismissal.
Where a Member of the County Council fails to comply with the guidelines it will be reported to the Standards Committee who will make whatever decision it sees fit.
Where any other user fails to comply with the guidelines they may have their permission for future use withdrawn.
HAMPSHIRE COUNTY COUNCIL EMAIL, INTERNET AND INTRANET MONITORING POLICY - GUIDANCE ON IMPACT ASSESSMENT
Introduction
Hampshire County Council respects the right of individuals to privacy of communications. At the same time it has a duty to protect the interests of itself and others against unlawful use of its computer facilities. To balance these needs, interception of personal and private communications will not normally take place unless grounds exist to show evidence of some crime or other unlawful or unauthorised use.
In order to protect its interests, the County Council reserves the right to monitor the use of email, Internet and Intranet communications and where necessary data may be accessed or intercepted in the following circumstances:
· To ensure that the security of the County Council's computer hardware, software, networks or systems are not compromised;
· To prevent or detect crime or unauthorised use of the County Councils computer hardware, software, networks or systems;
· To gain access to communications where necessary when a user is absent from work.
Access to personal and private communications will normally only take place with approval of the Director of Human Resources, or designated representative, in conjunction with the Head of IT Services and relevant Senior Manager (or Headteacher/Chair of Governors in the case of schools-based employees) or with the approval of the Chief Internal Auditor and/or Monitoring Officer. Such access will only be authorised following an impact assessment to determine what, if any, access or interception is justified.
Impact Assessment
Monitoring of email and Internet use is not prevented by the Data Protection Act 1998 although any adverse impact which monitoring might have on workers must be justified by the benefits which such monitoring gives to the employer. Accordingly, employers intending to monitor such communications are required to observe the provisions of the Employment Practices Data Protection Code: Monitoring at Work and to carry out an "impact assessment" in order to decide if and how such monitoring should be carried out.
The key elements of an impact assessment which have been identified by the Information Commissioner are:
1. Identify clearly the purpose or purposes of the monitoring arrangement, the benefits it is likely to deliver and any likely adverse impact.
2. Consider any alternatives to monitoring or different ways in which the desired outcome might be achieved e.g. employing other methods of supervision or the use of additional training.
3. Judge whether the monitoring which is proposed can be justified.
4. Take account of the other obligations which arise from monitoring - in particular, whether workers are to be notified of the monitoring and how the information gathered through monitoring is to be kept secure.
The Employment Practices Data Protection Code makes it clear that employers who can justify monitoring on the basis of an impact assessment will not normally require the consent of individual workers. Consent should of course be obtained where in doing so it would not in any way be prejudicial to an investigation. However, where it might be prejudicial then an impact assessment will in most cases obviate the need for consent.