« FORCED RETIREMENTS | Main | UNISON STRIKE 16TH AND 17TH JULY »
July 05, 2008
REVISED CODE OF CONDUCT - NAPO'S OBJECTIONS
The revised code of conduct recently placed on the database is not recognised by Napo, because there was insufficient consultation and negotiation on its contents.
The third paragraph of the document says:
‘We have agreed the code with the relevant trade unions and it applies to all staff, whether you are permanent, temporary or voluntary’ and the last paragraph says: ‘This policy has been agreed through the joint consultative machinery’
Both these statements are untrue.
We will be making further formal representations to HPA about this policy and we hope a proper agreement can be reached.
The main purpose of this note, however, is to explain to members why we object to the policy as it stands.
The first point to make is that we are agreed with the majority of its contents. Most of the content flows from the agreed 2003 code of conduct. You may recall last year we consulted with members about a proposed dress code. We received helpful feedback and this in turn informed our discussions with HR. The original dress code ran to some four pages and was unnecessarily prescriptive. It was subsequently incorporated into the 2008 code of conduct in a single paragraph. That was positive evidence of consultation and negotiation.
The areas where we are not content relates to the extensive sections on data protection, email and internet monitoring and some language.
INTELLIGIBILITY AND TRAINING
Paragraph 9 refers to duties and responsibilities in relation to data protection and says you should ‘familiarise yourself with, and comply with, all NPS security policies. (Incidentally in paragraph 20 which draws attention to related policies and key documents there is no mention of any security policies, so not clear what policies should be read!)
Presumably one of the key documents is the Email & Internet Communications Policy March 2006 – this runs to 21 pages. We don’t imagine many staff are familiar with this. The Napo view is that telling staff to ‘familiarise’ themselves is unreasonable. HPA we say must have a duty to ensure that staff understand policies and know the parameters of what is acceptable practice. It leaves staff extremely vulnerable to disciplinary charges if they unknowingly break the rules. There is a duty of care that HPA is failing to demonstrate and advice to ‘familiarise’ is insufficient in our view.
Data protection remains an arcane area for many staff and before an employer wishes to hold staff accountable for conduct the employer should ensure that staff are trained and clear in their responsibilities. This is the point that Napo has previously made about intelligibility. Paragraph 4.2 of the NPS Email and Internet Policy cautions:
‘Ensure all authorised users read this policy, are provided with adequate training and are both regularly reminded to comply and do comply with all “authorised user responsibilities” contained within this policy’
Where is the evidence of ‘adequate training’? This policy clearly puts an onus on HPA to take positive steps – adequate training – and we say that advice to familiarise yourself falls well below the threshold of adequate training.
MONITORING EMAIL AND INTERNET.
In paragraph 16.5 the code says …’employees should not assume that any emails sent are private and confidential....’ The clear inference here is that HPA will monitor your emails in the same way, irrespective of whether they are marked private or personal. We submit they are exceeding their authority in doing so and actually putting themselves at odds with advice on how monitoring at work should be conducted. The employer does not have a free hand to invade privacy.
Although not on the database, and seemingly forgotten by HPA, there was a document prepared in February 2006 which was shared with the unions (see download) and it represented an attempt to put some discipline into the process of monitoring. It set out three levels of monitoring and it stated on page 1:
‘…every effort will be made to avoid reading personal notes, although sometimes this will be inevitable. As soon as a note is identified as personal the note will be exited.’ (my italics). So there is a code of conduct that presumes unlimited powers to monitor all emails indiscriminately and another HPA document saying it will endeavor to respect emails that are marked private.
The Information Commissioner, who has published a code of practice on ‘monitoring at work’, makes it clear that employers should undertake an impact assessment of their monitoring practices towards ensuring that the impact of monitoring is as least intrusive as possible. The February document was a step in the right direction, but the code of conduct appears to adopt an unreasonable approach that does not respect an individual’s right to privacy, which does not evaporate when he/she enters the workplace. A weakness in the February document is that it is silent on whether the individual should be told if their email or internet use is being specifically rather than just routinely monitored. We say subjects should be informed and this is consistent with advice from the information commissioner. We therefore cannot accept the code of conduct as set out – it is unclear, suggests indiscriminate monitoring, contradicts the February 2006 document and is therefore in our view not compliant with good data protection practices.
LANGUAGE
The language of ‘theft’, ‘fraud’ and ‘deception’ in paragraph 15 is unnecessary. We have put this to HPA before but to no avail. All the foregoing are criminal offences and to say one too many personal emails constitutes theft, for example, is using alarmist language. It would be more measured to refer to ‘inappropriate’ usage. In that same section it says ‘very limited’ personal use of phones, emails, faxes will be tolerated – it gives an example of tolerable use – emergency contacts. This loose use of language leads to ambiguity. For example, in relation to email in paragraph 16.2 it says personal use of email is acceptable as long as it’s not excessive – and this is what the national policy, where it has been cut and pasted from, also says. This point is laboured to argue that personal use is not being abused if it’s not an emergency contact. In paragraph 2 there is mention to using ‘common sense’. We suggest the policy has suffered from some poor drafting and this will lead to confusions that could be avoided by leaving personal use in the realm of common sense and not seeking to be over-prescriptive.
DATA PROTECTION ADVICE FROM THE INFORMATION COMMISSIONER
INFORMATION COMMISSIONER: Monitoring at Work
The code states that workers are entitled to a degree of privacy in the workplace and, as a result, monitoring is usually intrusive. Employers can still carry out monitoring, but only when it can be justified by the benefits delivered (e.g. recording telephone calls for training purposes). In the view of the Information Commissioner, covert monitoring can only be justified in few exceptional circumstances.
What should employers do?
Outline in writing when workers can use the organisation’s telephone, e-mail and internet systems. Any restrictions on private use should be clearly expressed e.g. limits on the size of e-mail attachments, making overseas calls etc.
Restrictions on internet use should be specific. A ban on downloading “offensive material” would not be clear enough, without providing examples (e.g. pornographic images, racist terminology etc).
Clearly explain in writing if you intend to monitor your workers
You need to explain:
Purposes and reasons for monitoring.
The extent of monitoring.
The means used to monitor.
Penalties for breach of policy.
Take extra care if monitoring e-mails
Avoid opening e-mails, especially ones that clearly show that they are private and personal.
Encourage workers to mark personal e-mails as such. If it is necessary to check a worker’s e-mail account in their absence, make sure that they are aware of this.
Posted by Hampshire at July 5, 2008 06:15 PM