CorpComms Magazine

The net was tightening. After years of getting away with handing out expensive contracts to businesses either owned by himself or his friends - deceptions that helped fund a £1 million north London house - the executive's many misdeeds were finally being uncovered.

The man's boss, the head of a major division of a FTSE 250 company, could not believe the scale of his former friend's operations. The boss had been close to tears when laying off dozens of staff last year. To have been duped by someone he had known for more than a decade only added to the pain.

'I was completely shocked,' he explains. 'In these situations you [managers] haven't got the powers to do the investigation needed.' Instead, a three person audit team, which included former police officers, looked into the case. Acting on a minor clue that staff had come across accidentally, the team combed through the man's emails.

He denied knowing some of the people who had won work from his department; the emails showed that he was well acquainted with them on a social as well as a business basis. His situation perilous, the man quit and went on holiday.

Going through emails, even from a work web address, and other private communications is not always so easy an option. Balancing the needs of the business, be it monitoring the actions of staff or gathering vital information on the needs of their consumers, with privacy rights is a delicate task.

And getting that balancing act wrong can be harmful to the organisation's reputation. For example, Sir Christopher Rose, the government's chief surveillance commissioner, recently claimed that local authorities are tracking residents for reasons other than crime or public disorder prevention.

On the face of it, some of the reasons seem valid, such as tackling residents on dog-fouling or failing to pay their taxes. However, under the Regulation of Investigatory Powers Act (Ripa), this is illegal.

And it is clear that councils' images have been badly hit as a result, from headlines including Snooperstate and March of the state spies in the national press, to Gloucestershire councils defend snooping and Council denies snooping through families' bins in the local media.

 As a result, people are becoming far more aware of their rights. The Information Commissioner's Office (ICO), which was set up to protect personal information, provides compelling evidence. The number of complaints and enquiries referred to its office is continually rising. Last year it dealt with 25,509 cases, a three per cent year-on-year increase.

These cases related to alleged violations of two pieces of legislation. The first is the Data Protection Act, under which organisations processing personal information must meet certain guidelines, such as making sure databases are secure and that they are not transferred to other countries without adequate protection.

The second is the Privacy and Electronic Communications Regulations, which apply to unsolicited electronic marketing techniques. For example, a company needs their subscriber's consent to contact them by an automated telephone call. Privacy is a hot issue - and one which communicators must ensure that their companies are fully au fait with if they are to not to be hit by a deluge of complaints from employees and customers.

Keeping tabs on the staff

'The main constraint to a business that snoops on its staff is its reputation with the employees,' says Hazel Oliver, an employment partner at law firm Lewis Silkin. She provides hour-long briefings and half-day workshops for companies trying to understand what they can investigate without breaking privacy laws. Other law firms and FTSE 100 energy groups are among these clients.

Oliver recalls an anecdote that illustrates the quandaries in which managers find themselves. A manager noted a problem between two of his staff and, without clearing his next move with human resources, opened a series of their emails.

What he discovered was not some disagreement, but that one of his staff was in fact extremely ill. 'That's a very sensitive issue,' explains Oliver. 'The manager was disciplined, given a final warning. He was off-the-hook from being dismissed because his company didn't have a suitable privacy policy in place.'

However, Oliver adds that companies are allowed to monitor a lot of their staff's actions under the Data Protection Act, but must demonstrate that such surveillance is for 'good, legitimate business reasons'. More importantly, the monitoring must be proportionate to the company's concerns. So, if it is thought that an employee is spending too much time on personal emails during work hours, managers should look at the names of recipients of messages rather than their content. That way, personal emails can be identified, but the employee cannot complain that management is prying.

Julia Gorham, a senior associate at law firm Allen & Overy, says that some firms have no choice but to monitor emails and telephone calls in the wake of the financial crisis.

 After so many scandals in banking and financial services, those firms that work in a regulatory environment want to make sure that their staff are not taking huge risks.

'All of these types of firms should have an email policy,' explains Gorham, meaning that staff should be made aware that their emails and, possibly, telephone calls might be subject to spot checking. 'Over the past two years, we have had almost a 40 per cent increase in the number of clients interested in putting in place a monitoring policy.'

Failing to inform staff of such a policy is dangerous. Staff can complain to the ICO, sue, or even resign and claim constructive dismissal. Jail time is possible.

Jennifer McDermott, head of media law at Withers Worldwide, uses the example of her personal assistant. 'Verity had to rush home, as she was ill. I had to go into her emails, as she had sent out correspondence in my name, and I told her I would be doing that. If we didn't have a policy in place I could have been in big trouble as a person could sue for invasion of privacy.'

McDermott points to Clive Goodman, the former Royal editor at the News of the World, who in 2007 was sentenced to four months in jail after pleading guilty to intercepting telephone messages in the pursuit of stories. Although a different context, both involve intercepting information, with those involved potentially meeting the same fate.

Protecting the customer

Consumer data protection is, at first glance, more straightforward than the privacy issues relating to staff. McDermott's colleague at Withers, senior associate Tamsin Turk, points out that companies processing information that identifies any living individual can only be used with their approval. When gathering the data, perhaps through leafleting, the company simply needs to have a statement with a tick box to confirm that the individual knows that the information gathered could be used for future marketing purposes. 'It's a company obligation to fairly process data,' says Turk.

According to ICO guidance, simply gathering names and addresses of people businesses deliver goods and services to, is personal information. This cannot then be forwarded to third parties without approval.

Phil James, a senior associate and colleague of Hazel Oliver at Lewis Silkin, adds: 'A business cannot hold information for longer than necessary. The principles set out in the Data Protection Act mean that if I ordered flowers for Hazel from a florist, then they would need the delivery address, but wouldn't have any reason to hold that information after they were delivered.'

James argues that businesses should use commonsense if they do have approval to use the information. 'If you barrage customers with emails every hour, then you're going to alienate them.' However, there are situations that are more complicated than simply applying commonsense. Phorm, an alternative investment market-listed online advertising firm, has a product, Webwise, that is of interest to Internet service providers (ISPs) like BT, Virgin Media and TalkTalk.

The technology tracks the Internet habits of customers and last year signed commercial agreements with the ISPs. However, privacy campaigners believe that the product amounts to spying, and, as a result of their campaigning, the three companies have mothballed plans to use Webwise.

This has badly hurt the company. When the Office of Fair Trading announced in August that it would be investigating how personal information is used in online advertising, Phorm's shares collapsed 27 per cent.

Privacy invasion concerns

Gareth Mead, head of corporate media relations at Virgin Media, said that the company 'has conducted a comprehensive technical and legal assessment of Phorm's technology and consumers' attitudes towards interest-based advertising'.

While not ruling out Phorm as a potential supplier, Mead insisted that the company recognised that 'consumers have significant concerns' about privacy invasion from such technology.

Phorm insists that users will be able to decide whether or not to participate in the tracking. However, such is the feeling over privacy rights, Phorm's message is being overwhelmed by the fear of being snooped upon by major corporates.

 This is a classic example of how communicators will struggle to be heard if their companies are perceived as being little more than the extension of a 'Big Brother' state. 

share me: del.icio.us | digg | reddit | Tweet