I often hear IT managers say that although they have an Acceptable Use Policy (AUP), it "is not worth the paper it is written on". What they usually mean, however, is not that the document is worthless, but rather that it is not enforced.
But why are organisations reluctant to enforce AUPs?
Organisations may hesitate to take serious action against those who infringe their AUPs for fear of a claim for unfair dismissal. An employer may only fairly dismiss an employee who has a year's service for misconduct if it can show that it has followed the statutory dismissal procedures, that it has acted reasonably and that its actions fell within the band of reasonable responses. This means it needs to show that another reasonable employer would have dismissed the employee in the same circumstances.
Where the misconduct is gross misconduct, the employer is entitled to dismiss the employee immediately without notice, but it must still comply with the requirement of reasonableness.
Some HR departments will err on the side of caution when considering the requirement of reasonableness and avoid dismissal. Others may simply not appreciate the seriousness of the breach of the AUP. If IT misuse is not being taken seriously enough in your organisation, it is worth educating your HR department and wider management on the risks.
There are good legal reasons to ensure policies are enforced consistently.
First, if employers become complacent and do not comprehensively enforce the policy, different treatment of employees can undermine the reasonableness of a dismissal, because it goes against what the offending employee has come to expect.
But how do you give your organisation the best chance of enforcing its AUP?
For a start, compliance with the AUP should be an express term of the employment contract. And the AUP needs to make it clear which activities will be in breach of the policy. Without a clear statement of the type of behaviour that constitutes misconduct and gross misconduct, the employer will find it more difficult to justify its actions.
For example, in 2005 the bookshop Waterstones sacked an employee of 11 years' standing for statements he made in blogs, referring to "Bastardstones" run by the "sandal-wearing" "Evil Boss". There was nothing in Waterstones' AUP which made reference to blogging being a breach of policy, and Waterstones was forced to make a settlement with Mr Gordon when he appealed against his dismissal.
A regular review of the policy should ensure that new threats - such as blogs - are dealt with as they arise. Any changes should be clearly publicised throughout the company and training given.
It is also important that the AUP makes it clear what penalties will be levied for failure to comply. The AUP should outline not only which acts will be deemed to be misconduct, but also state what the result of the breach will be.
It is common to see policies that give comprehensive guidance as to what acts are unacceptable, but relatively rare to see the penalties detailed. This kind of detail also makes it more likely that the policy will be enforced consistently.
A recent case involved an employer that used a grid system to determine the relative seriousness of various aspects of IT misuse. However, the employer was found to have acted unreasonably in making a dismissal on the basis of this grid, because the grid had not been disclosed to employees.
Finally, the organisation should have proof that the policy has been read and understood. A signature block that states that by signing the policy the employee is indicating that he or she has read and understood the policy will add to the weight of evidence if a case comes to tribunal. Ideally, it should be a condition of access to IT systems that the policy has been signed.
Tamzin Matthew is a partner in law firm Blake Lapthorn Tarlo Lyons, and specialises in IT law. She can be contacted at Tamzin.Matthew@bllaw.co.uk or on 01865 254262, and thanks Debbie Sadler of the firm's employment team for her assistance in the production of this article.