Use of the internet and e-mail by staff can be open to abuse. To protect the efficiency and reputation of an organisation, staff should be encouraged to use the internet and e-mail responsibly. One way of doing this is to have a policy that makes them aware of their responsibilities when using the internet at work or sending e-mails using their organisation's e-mail account, and the restrictions that apply.

This article outlines what should be covered in an internet and e-mail policy, and highlights the legal and management issues involved.

Employment legislation is complicated and this factsheet is intended as a starting point only. Professional advice should be sought before taking any disciplinary action.

Why is an internet and e-mail policy needed?

Staff need to be aware of their responsibilities when using their employer's resources and the implications of their use or misuse. The consequences of misuse of e-mail and internet for staff and the organisation can include:

  • Legal liability. An organisation is responsible for any information transmitted via its e-mail system. Disclaimers added to every outgoing e-mail have only limited validity in a court of law.
  • Confidentiality breach. This could easily occur if an employee sends or copies an e-mail to the wrong recipient.
  • Loss of reputation and goodwill. Poorly written e-mails can result in the recipients taking a negative view of the organisation.
  • Loss of productivity. Staff can potentially waste hours on social networking sites or browsing the internet.
  • E-mails and social media posts can be used as evidence in court and in employment tribunals in cases such as contract liability, harassment, discrimination or wrongful dismissal.

What should the policy contain?

The contents of an internet and e-mail policy will depend on the needs of the organisation and any expectations and requirements regarding the conduct of staff.

The first decision to be made is whether all staff actually need access to the internet and e-mail. Decisions also need to be made about the level of control that is going to be introduced. For example, will staff be allowed personal use of the internet and e-mail during lunch breaks and after hours?

The policy should include:

  • A definition of acceptable usage of e-mail and the internet. The policy should state who is allowed to access the internet and whether they can access it for personal as well as work-related use. If staff are allowed some personal use of the internet there should be clear definitions of how long they can use it for and when this can be done.
  • Guidelines covering personal use of social networking sites such as Facebook and Twitter. The policy should include clear rules to prevent staff from divulging commercially sensitive information or making negative statements about the organisation.
  • Guidelines for staff with responsibility for updating the organisation's social network profiles. For example, rules about what information they can disclose and the range of opinions that they can express or endorse on behalf of the organisation.
  • A statement that outlines whether internet and e-mail use will be monitored and whether e-mails could potentially be accessed and read.
  • Clear guidelines on what is not allowed, including:
    • Accessing offensive, obscene or indecent material.
    • Sending offensive or harassing e-mails - either externally or internally.
    • Making inaccurate or defamatory statements in e-mails.
  • A statement that staff must not infringe the intellectual property rights of other organisations or individuals who publish material on the internet.
  • Cybersecurity rules, for example about opening attachments from unfamiliar sources or replying to possible 'phishing' e-mails.
  • Rules about the use of employees' personal devices for work purposes, for example specifying minimum antivirus protection requirements.
  • Housekeeping issues. This should include information on how e-mails should be deleted or archived. It could also include information on how to maintain password security and how often staff should change their passwords.
  • Rules on e-mail etiquette and the standard of writing that is expected in e-mails sent on behalf of the organisation.
  • Details of when disclaimers must be attached to e-mails - especially for any e-mails sent externally. This can reduce the risk of legal action in the event of an erroneous or defamatory statement being sent via e-mail.
  • Rules about data protection and privacy, to ensure that staff do not breach the General Data Protection Regulation (GDPR) or the Privacy and Electronic Communications (EC Directive) Regulations 2003.
  • Details of the disciplinary action that will be taken for breaching the rules. This could range from verbal warnings to dismissal, depending on the seriousness of the breach.

The policy should strike a balance between preventing misuse and allowing some flexibility for staff. It should be clearly written and be easily accessible by everyone in the organisation.

Implementing and enforcing the policy

The policy should be included as part of the staff handbook. When the policy is first introduced all staff should be taken through it and have it explained to them in detail. All staff must sign a form that confirms they have read and understood the policy. After this, whenever a new employee starts, the policy should be included as part of their induction.

Any breaches of the policy should be dealt with through the organisation's disciplinary and grievance procedures. Any disciplinary action taken should follow the procedures outlined in the policy.

Monitoring staff use of internet and e-mail

Any monitoring of staff use of the internet and e-mail must comply with the General Data Protection Regulation (GDPR), which prohibits organisations from collecting personal information about staff (such as records of their internet browsing history) without a lawful basis and gives individuals certain rights in relation to information held about them.

It is also necessary to comply with the Human Rights Act 1998, which gives staff the right to "respect for private and family life, home and correspondence".

Monitoring must be justified and proportionate, and staff must be notified of the type of monitoring that is carried out. Personal information that is gathered as part of the monitoring process should be held securely and used only for the purpose for which it was collected.

If an employee has marked an e-mail as personal, their privacy must be respected unless there is a valid reason for looking at the content of the e-mail.

Hints and tips

  • The internet and e-mail usage policy of an organisation should mention and support other relevant policies, for example relating to data protection, equal opportunities and harassment.
  • Include guidelines on acceptable use of social networking sites, both at work and at home, including the prevention of damaging messages and posts.
  • Keep up to date with any changes in the law regarding use of the internet and e-mail, and include any changes in your policy.
  • If it is discovered that inappropriate material has been sent to someone outside the organisation, follow this up with a letter apologising and confirming that disciplinary procedures are underway.

Useful contacts

Acas (Advisory, Conciliation and Arbitration Service) provides information, advice, training and conciliation services to help prevent or resolve workplace disputes. It provides advice, online resources and consultancy services for employers.
Tel: 0300 123 1100

The Information Commissioner's Office (ICO) is an independent authority concerned with information rights and data privacy, which provides information and guidance on data protection and privacy and electronic communications.