Cyberlaw@SA - Chapter 7


Lance Michalson BA LLB Hofmeyr Herbstein Gihwala Cluver & Walker Inc.

1. Introduction

Computer use in the workplace¹ is now a standard occurrence. In the ordinary performance of their tasks employees are required to make use of increasingly sophisticated electronic communications tools. Computer networking, the use of e-mail facilities and Internet access have significantly broadened an employee’s access to information on the company’s computer network, and the Internet has allowed employees virtually unrestricted access to the World Wide Web from their desktops. Never before has it been so difficult for employers to police the information which employees either access or disseminate in the business environment.

Highly sensitive business information and trade secrets can now be accessed and disseminated with relative ease and anonymity, with the incremental potential for exposing a company to loss and litigation. Moreover, abuses of the electronic communication facilities for non-business related activities, by employees who often unwittingly compromise the employer, occur daily in the business environment. How to police employee use of these electronic communications tools raises a number of vexed legal issues, as it is extremely difficult to differentiate between business and private usage, and in particular, to monitor the content of such usage.

While the use by employees of electronic communications tools for non-business purposes will not increase direct costs to the company significantly, the hidden and contingent costs to a company are potentially enormous: lost productivity and potential exposure to law suits emanating from third parties as a result of inappropriate use of these tools being the most dominant.

To reduce and potentially eliminate these potential risks and losses, companies must address the issue of how best to control employee use of electronic communications tools. This will require a re-education of both employer and employee as to what dangers exist where appropriate controls are not put in place and will necessitate the development of a detailed written electronic communications policy (ECP), as well as educating employees on the potential damage which reckless use of e-mail and the Internet poses to the company.

2. The necessity for an electronic communications policy

It is vital, rather than optional, that companies introduce a written electronic communications policy. An ECP serves several purposes:

to protect the company by reducing potential legal liability in respect of claims by employees or third parties
to protect proprietary or confidential business information from unauthorised access or disclosure to third parties
to prevent losses (e.g. of data and other proprietary information), errors and mistakes
to educate employees in the proper use of e-mail and create an awareness of the risks that are associated with conducting business using electronic communication tools in an online environment (for example, the fact that when you surf the Internet, you may be leaving an audit trail that identifies you or your company as the source)

By articulating what is permissible and what is not, a company may be able to demonstrate that certain activities engaged in by its employees fall outside the course and scope of their employment with the company (thereby avoiding vicarious liability for employees’ actions), when called on to defend its position (or institute legal proceedings to protect or enforce its rights).

3. Employee reaction to imposed ECPs

While the imposition of ECPs in the workplace has distinct advantages for an employer, the real or perceived rights of the employee will potentially conflict with those of the employer.

Issues of privacy aside, one of the most important issues is whether the implementation of an ECP amounts to a change in the employee’s terms and conditions of employment.² While this has not yet been tested in South African courts, it has been argued by certain labour lawyers that the implementation of an ECP does not amount to a change in contract and is part of the directives which constitute the ordinary and necessary running of the business i.e. it is the prerogative of management (which, for example, can be equated to changing working hours from 08:00 to 08:30).³

Employees could also argue that the implementation of an ECP is not a “fair labour practice” under the Constitution. It is, however, submitted that as long as there is a genuine business reason for implementing the ECP from a business point of view, it can be justified.⁴

It is also important to remember that in terms of employment law, employees have a right to strike in certain circumstances.⁵ Considerations of rights to privacy aside, it could be argued that the reading of e-mail by an employer could, for example, constitute a legitimate grievance. Employees could call to strike on the basis of such grievance and force the employer to abandon the ECP.

4. Assimilating ECPs with existing policies

If the company has other formal policies, it might be necessary to co-ordinate the ECP with such policies (e.g. in an employee handbook). Other policies which may have some bearing on an ECP include:

confidentiality of company and customer proprietary information
security practices
pre-publication clearance requirements
monitoring of telephone conversations
telecommuting
using company computer equipment at home
personal use of company telephones, photocopiers, facsimile machines, etc.

The ECP should not be at variance with other agreements which might apply in given circumstances – for example, the company may have third-party software licence agreements permitting (under certain circumstances) simultaneous home-installations of company-licensed software.

Finally, it is important to carefully determine the scope of the ECP when measured against the range of company facilities and equipment which might possibly be involved. Does the company wish to reach e-mail facilities only? E-mail and Internet browsers? Company-owned computers? What about fax machines, or company-paid cellular phones?

5. Access to electronic communication tools

Certain employees will be furnished with communication tools that are owned by the company to assist them in the performance of their jobs. The term “electronic communication tools” includes the following:

telephones, mobile phones and voice-mail facilities
e-mail facilities
fax machines, modems and servers
computers
network tools (e.g. Internet browsers and Internet access facilities)

It is important to remember that the tools are provided to facilitate business communications and to enhance the productivity of company employees. As the tools are owned by the company, it should be able to decide the manner in which they should be used as well as to regulate their use.

Such regulation should address issues pertaining to personal use of the communications tools by employees. Decisions affecting such personal use by employees must be clearly formulated and stated in an ECP, as this is the area which is likely to create potential pitfalls regarding employee rights to privacy in particular.

One of the principal purposes of an ECP is to state, clearly, what kind of privacy expectations employees should hold. Failure to do so will entitle employees to argue with persuasion that both their common law and constitutional rights to privacy are being abrogated by company scrutiny of personal communications, notwithstanding that they may have been conducted in the employer’s time, at its expense and with company-owned communications tools.

Every ECP should include a well-drafted computer security policy, which will contain guidelines on individual password management (e.g. requirements that passwords contain a mixture of letters and other characters, are of minimum length, are not written down, and are changed frequently). In most cases, effective execution of these procedures requires that employees choose (and periodically change) their own passwords. The simple fact that employees are permitted to choose their own passwords should not support an argument-by-implication that they thereby have justifiable privacy expectations in the material protected by the password.⁶

Every ECP should address the question of which persons’ conduct will be affected or regulated:

Do only employees use your systems?
Do any independent contractors have access to affected systems?
Do any clients or customers have access?
Do any employees’ spouses, children or other family members have access?

Non-employees should be provided access to secure communications facilities only with some form of written agreement restricting their use and disclosure of confidential and proprietary information to which such facilities may provide them access. In addition, such persons should be provided with notice of the company’s “rules of access and use” or a specially tailored ECP...

If you want to read more please buy the book on Kalahari.net

Author biography

Lance Michalson was born in Johannesburg, matriculated from Kimberley Boys High and went on to study at Rhodes University, Grahamstown, where he obtained his BA and LLB degrees. He served his articles at Prisman Wilson Choritz & Goldberg in Cape Town where he qualified as an attorney in 1994, and joined Hofmeyr Herbstein Gihwala Cluver & Walker Inc. in 1996. He was made a partner in 1999 and currently heads the Internet law department. He has been at the forefront of emerging IT law issues since 1995 and his practice extends countrywide and internationally.

Lance is the author of South Africa and the Millennium Timebomb – A Guide to the Legal Issues (Francolin Publishers 1998). He is a regular speaker at Internet law conferences and has contributed articles on electronic commerce and Internet law for various online and offline publications. Lance also serves on two government working groups which are dealing with the Department of Communications discussion paper on Electronic Commerce.

226

Portions of this chapter contain material from the draft American Bar Association Model Policy on Electronic Communications Policies and the author’s comments on it in terms of the necessary adaptations for use in South Africa by multinational companies based in the United States of America wanting to do business in South Africa. (Back)
Another issue is whether a so-called “workplace forum” can compel an employer to discuss the implementation of an ECP, bearing in mind that such a forum can compel an employer to discuss issues such as restructuring the workplace (which includes the introduction of new technology and new work methods), changes in the organisation of work, education and training (employers may have to train employees how to use electronic communications tools).
Section 64(4) of the Labour Relations Act 66 of 1995 prevents employers from unilaterally changing terms and conditions of employment. The question is whether an ECP would fall under this category.
Section 23 of the Constitution of the Republic of South Africa Act No 108 of 1996
Section 23 of the Constitution of the Republic of South Africa Act No 108 of 1996. The right to strike only relates to an “interest dispute”. An “interest dispute” includes a grievance, but excludes any issue where the law allows for arbitration or adjudication (schedule 7 deals with residual unfair labour practices that gives employees the right to go to court). (Back)
The existence of “superuser” accounts with systems privileges and the ability to also change all users’ passwords is well known (at least to anyone who has ever forgotten one of their passwords), and also should negate any such possible argument.
See discussion: para 2 below