Online workshop report: How to implement an effective internet and e-mail policy

TrainingZone

Online workshop report: How to implement an effective internet and e-mail policy

By TrainingZone

This is the transcript from the online workshop held on Tuesday 20 February on the topic of how to implement an effective internet and e-mail policy.

Jason Cordingley Ian, are you here for the Internet Policy workshop?
Ian Gates Yes I am.
Jason Cordingley I work for Academee in Wilmslow, Cheshire. I am the Email admin and one of 3 in the IT department. I am also in charge of desktop support, and am looking at implementing an Internet and Email policy.
Ian Gates I am at Edinburgh's Telford College, I too am the desk top support manager and I need to produce an acceptable use policy.
Lucy Marshall Hi guys! Although I have never attended one of these sessions before I am also familiar with the OU online forum. I am an IT Training Assistant and I have been working on an e-etiquette for my Department.
Jason Cordingley I have joined the company to the NCC in Manchester, they are a non-profit making organisation that you can ask questions and they will come back with answers, we only just joined them last week and I am waiting what they can supply me on internet and email policies.
Ian Gates Hello Lucy, How is Dundee?
Stephanie Phillips Hi all. Carrol our IT Editor will be along to facilitate this session shortly.
Jason Cordingley Can we get a copy of the transcript of this workshop?
Stephanie Phillips Hi Jason. Yes - we'll post it to the site later today.
Jason Cordingley Okay.
Lucy Marshall Excellent. Thanks Ian. Have you started any prep work on your policy?
Carrol Rowe Hello all, sorry just checked to find out what you are expecting from today's session.
Jason Cordingley Anything that would enable me to produce a company Internet and email policy.
Ian Gates Yes I have, I have contacted other Colleges to see what they are doing. I have produced some 'scope guidelines'.
Carrol Rowe OK - think it important to agree a starting point, basically to clarify how you would target all those that intend using facilities within organisation.
Ian Gates The driver seems to be the creation of student accounts linked to a management information system.
Jason Cordingley Isn't that anyone with a PC that has Internet access, which in our case is everyone. We have about 30% of our users that are remote as well, and they all need internet access from home.
Carrol Rowe Many organisations seem to have developed some guidelines, but doesn't someone within the organisation need to take ownership?
Lucy Marshall Carrol I have been developing an e-etiquette for my Department. I started out by using a mindmap to get all my ideas down on paper and have progressed from there. I am now looking to review what I have and if there are any aspects that I have missed out. I also need to ensure that the policy is backed up with correct training procedures as I have a large number of users to support. I am not sure whether to split the policy and guidance or to have them together.
Jason Cordingley I would say that the executive board, or board of directors need to take ownership of it, so it comes down from the highest level
Anna Janes Its a very topical point at the moment, and I am keen to implement a policy at our company but as an e-commerce company the notion of restricting access or implementing rules governing internet useage is quite contentious!
Carrol Rowe Lucy - sounds good, what would be advantages of splitting them?
Jason Cordingley Anna, I'm in the same boat as we are a e-learning company, but people have installed napster and such like, where does that fit in?
Ian Gates The guidelines need to be supported by an enforcable discipline prodedure, otherwise they are just so many words.
Carrol Rowe That was a point considered, enforce discipline procedure, but would you not have to quite clearly state what e-mail and internet abuse is?
Lucy Marshall The advantages would be that the policy could sit with all the other Departmental policies and take the same status. That is approved at Directorate level and agreed by unions etc. if it is to include rules etc about personal use of e-mail.
Ian Gates Yes, you would, which is easier if you know that you have top level support.
Jason Cordingley How would you enforce it, if people don't want to sign it, without contradicting the Human Rights Act?
Carrol Rowe Agree, many policies originate from IT dept and then it takes a long time to seek approval from top level.
Elisabeth Coughlin Hi.
Jason Cordingley If the company already exists, how can you get people to agree to the internet and email policy. You can't say sign this or you don't have a job.
Ian Gates Jason, that is a good point, as a college we have acceptable behaviour procedures covering racism, sexual harassment that students have to sign, we are planning to add it to them.
Carrol Rowe Could you devise a means on intranet that as soon as they click onto internet, that they automatically agree with policy? Or is this too heavy handed?
Lucy Marshall This is quite a negative aspect of policies. I feel that there has to be a way to implement these policies and procedures that people appreciate. Some people will always say that they have not seen the procedures therefore they did not know what was not allowed etc. So let's make it clear. Put a line in an induction pack to say you must adhere to all departmental policies, send out the policy by e-mail, put the policy on the departmental intranet site. Any thoughts?
Elisabeth Coughlin sorry, I missed the beginning, had a lot of problems getting into the chatroom but I am very worried by the amount of control and surveilance that technology makes it possible to implement.
Anna Janes Jason, I think in the interests of innovation and creativity and keeping abreast of new and exciting technologies, we have to live with a few risks, but things that blatantly break the law and/or potentially expose the business cannot be tolerated. It should be part of the basic terms and conditions of employment perhaps, so that you get people to sign it as they join the company. I am not a fan of laying down the law and dishing out forms to sign left right and centre, but this is an important and risky area, and we should not underestimate the need to tackle the issue, especially in e-business.
Jason Cordingley As far as I know, to enforce an internet and email policy you have to have it printed out, and get them to read and sign it before it becomes enforcable.
Elisabeth Coughlin Can't e-mail and internet usage be covered by existing policies for acceptable behaviour in general?
Ian Gates I would suggest that an acceptable use policy it is included as part of the enrolment document or employment contract. However, the policy should not be about restricting access, rather it should be about opening access.
Carrol Rowe Keep policies simple, so that people understand what the boundaries are.
Jason Cordingley This is fine for new users to a certain extent, but if you say to a current user, here is a new policy, sign it or else, what can you do. I know most people will accept it, but there will always be the awkward few.
Elisabeth Coughlin Yes, general standards of decency, or is that to vague?
Jason Cordingley Also, if it's not in the policy it must be acceptable, so how do you make sure that all the bases are covered?
Carrol Rowe Surely most people would accept that it was to protect themselves as well as the organisation?
Ian Gates Are you suggesting that someone should check on net usage? Jason Cordingley Unless people are aware that there email is there own words, then the company is held responsible, so if they sign a document saying they understand this, they are then making themselves liable for any emails they send. This is then taking the ownership of what they say from the company to themselves.
Jason Cordingley If you don't check on net usage, how do you know people are breaking a policy, if you don't check why have the policy?
Lucy Marshall Carrol, I think that you are right. No-one would want to misuse the e-mail system in order to protect themselves. If it is not in breach of the e-mail policy it may be in breach of a harassment policy etc.
Elisabeth Coughlin A policy without checks is still valid and useful in my opinion, a kind of 'gentlemens agreement'
Lucy Marshall Jason , I understand that you should check on what people are doing with the system. Policies have to be achievable and monitored.
Jason Cordingley But I think that any e-mail and net monitoring should be made apparent, so that people know about it, if they don't know then they can say you never warned me what you did and didn't say I can do.
Jason Cordingley But a gentlemans agreement is not worth anything when you have to sack someone for downloading porn.
Elisabeth Coughlin Yes, the potential for secret surveilance is worrying.
Carrol Rowe At the end of the day, if people are using companies systems, don't they have a right to monitor how they are used?
Jason Cordingley Not without telling them first off.
Elisabeth Coughlin True Jason, I hadn't thought of that.
Jason Cordingley If you don't tell someone that you are monitoring then you cannot use the monitoring results in a court of law, or use it for anything.
Carrol Rowe I tried contacting the TUC about rights of access to peoples e-mails and unfortunately never received a response, because they too are writing guidelines protecting the employee.
Elisabeth Coughlin Is it okay to do what we are doing now during work hours?
Carrol Rowe The TUC are trying to establish that if employees wish to contact their union they can do so without worrying that their employers are reading what is being said
Jason Cordingley I have contacted the data protection part of the government about e-mail monitoring, and the act that came in last October that allows a director to tell me to monitor someone's e-mails because they are suspected of sending out company details to a rival.
Jason Cordingley I was told that its a grey area, and its a toss up between the Human Rights Act, which means e-mails are private, and the company's right to see what company resources are being used for.
Carrol Rowe The rules of monitoring as I understood them are that yes, people should be informed and the only rights that an employer has is if they suspect some form of foul play.
Elisabeth Coughlin I had better be off, my lunch hour is up. Thanks all.
Jason Cordingley Fine, but as far as I understand it, if someone is suspected of foul play, and a director tells me to look at their e-mail, I have to tell the suspect of what I am about to do, else it contravenes their human rights.
Lucy Marshall There seem to be different rules. One for e-mails and the other for internet use.
Carrol Rowe It appears because this area touches so many areas that you could end up simply going round in circles.
Jason Cordingley How about that a company policy says that you cannot use e-mail for personal business, therefore the whole e-mail stuff is company business and therefore company property, then you shouldn't need to give notice?
Ian Gates That is unenforcable, like no private phone calls.
Carrol Rowe Like all policies, is it better to have a basic policy that is constantly reviewed, than none at all?
Jason Cordingley I know that you cannot make someone not have private phone calls, but Smith & Nephew got round this by supplying pay boxes around the company so you had to use one of them and pay for it if you wanted to make a private call.
Lucy Marshall Jason, I understand your point but we allow the use of e-mail for personal use outside works time i.e. lunch hour etc. and so long as no other employee needs the resources for company business at that time.
Ian Gates What if someone phones you or e-mails you for non-work reasons?
Jason Cordingley Okay, so you monitor what e-mails are being sent and then bill them for each email? After all the company has to pay for the bandwith used. Also, how do you stop someone getting a personal e-mail during working hours?
Carrol Rowe Elizabeth Frances, who is the information commissioner for the data protection suggested installing phone boxes and she was snubbed because this could cost billions.
Lucy Marshall I feel that if you have too many dont's in a policy you restrict the employee too much. The main reason for our allowing to use the e-mail system outside work time is to encourage the use of the IT resources and to encourage people to learn.
Ian Gates The cost of monitoring should not outweigh the cost of free access.
Jason Cordingley It goes as far as that if you take a pen home from work you are supposed to declare it to the tax man. Crazy, but that's the law.
Jason Cordingley But it's not free access, the company has to pay to have it set up.
Michiel Erasmus Who should 'own' such a policy?
Carrol Rowe OK, how are we going to start considering an effective policy?
Carrol Rowe Michiel, refer to earlier transcript, we touched this earlier.
Lucy Marshall If the lines are there and you have a contract with whoever for the year then it does not matter how many e-mails are sent. What is important is that continued use reinforces practice and therefore good practice. Also the more e-mails there are the better value you are getting for your money.
Michiel Erasmus Apologies all, arrived late.
Carrol Rowe No probs, glad you are here.
Ian Gates I feel that enforced guidelines are as far as we want to go, that will include staff and students signing an agreement. It is the monitoring I am unclear about.
Jason Cordingley Well the policy has to be specific, what isn't mentioned is okay as its not mentioned you can't do it.
Carrol Rowe Is that where an e-mail policy should start then - about monitoring?
Jason Cordingley If you have a dial on demand line any e-mail that goes through it costs money, also we have 256k leased line, with personal and business stuff it is too slow as we are using VPN through it, so after 4 months we are going to have to upgrade it to a 2MB line, this is going to cost money, IF we had an internet and email policy we could stop people sending and receiving personal stuff and maybe we wouldn't have to upgrade our lines.
Ian Gates As long as you guidelines like the phrase "likely to cause offence" are reasonable broad you should cover all the bases.
Jason Cordingley Monitoring and the policy should go hand in hand, you cannot enforce a policy without monitoring, but the policy should inform people that you are monitoring.
Carrol Rowe At least that is a starting point, like all policies, they need to change with the technology and times.
Jason Cordingley Napster doesn't cause offence, but uses loads of bandwith and if you don't have the CD it's illegal to have the MP3. How do you cover this?
Carrol Rowe Don't allow it and explain reasons why.
Ian Gates Jason, Your guidelines will come from a cost point of view, as a College ours will come from a more social viewpoints.
Michiel Erasmus Shouldn't the policy include areas of responsibility, content allowed, guidelines (if any) around private use etc.? Monitoring may not even be included as is a management function.
Ian Gates Jason, your ICT acceptable use should cover illegal software. You know people are using it, so the policy will allow you to do something, the law is on your side.
Jason Cordingley Okay, but MP3's are only a small thing, what about wares sites? Not only non-offence material should be mentioned but also anything that is illegal in the country you are based in, I think.
Jason Cordingley What's ICT?
Lucy Marshall Information communications technology.
Carrol Rowe Information and Communication Technology.
Jason Cordingley Is this something we should have written or is it something that exists already?
Michiel Erasmus Exists already.
Michiel Erasmus What should a policy framework constitute?
Jason Cordingley Where do I get a copy from? I don't think that we have anything like this in the company.
Jason Cordingley What is acceptable, not acceptable, in stages, what will happen if you break the any stage and what are the repercussions will be. How the company will enforce the policy.
Jason Cordingley Downloading porn is a lot more of a problem than downloading a shareware screensaver.
Carrol Rowe That would have to be down to individual company's e.g. as you have already said the needs of a college are entirely different to that of a small business, for example.
Jason Cordingley So there should be different levels of acceptable behavour?
Michiel Erasmus The problem with a policy is that it should not include too much technical detail as this could cause havoc in updating it (due to the dynamic nature of internet etc.)
Carrol Rowe It depends on the nature of the crime.
Jason Cordingley But wouldn't the repercussions on any company or college be the same if a crime has been committed, i.e. illegal software is still dealt with the same way, isn't it, whether you are a college or a company?
Ian Gates I think that the only acceptable way to go is either black or white, e.g. You cannot install any software without so and so's permission.
Jason Cordingley I agree with Ian.
Carrol Rowe Anyway, sorry to have to say this, we are going to have to round this session up as we are coming to the end of the time.
Carrol Rowe How do you wish to progress this?
Michiel Erasmus Does anyone know of a 'draft' copy of such a policy on the net?
Jason Cordingley Before we go does anyone have any internet sites that give example internet policies that a company has already used?
Ian Gates have a look at Napier University.
Carrol Rowe Only other places are the data protection sites.
Michiel Erasmus Carrol ...url for data protection site?
Carrol Rowe Bear with me - busily searching desk.
Michiel Erasmus Thanks
Michiel Erasmus the http://www.cio.com site could be of use....
Carrol Rowe Here are some addresses, have been looking into this myself.
Jason Cordingley I think the only thing we have got is that each policy is going to be individual to each company, its directors and the staff who work for it.
Carrol Rowe http://www.open.gov.uk
Carrol Rowe Also the regulation of investigatory powers (RIP) act
Carrol Rowe http://www.homeoffice.gov.uk
Carrol Rowe http://www.eff.org - but when I tried this could not get it to work, so may be out of date.
Michiel Erasmus for those interested I could have some url references available in 3 weeks time, currently doing research in that regard for MBA e-commerce lecturing. Welcome to contact me on e-mail at mailto:[email protected].
Lucy Marshall OK so we need employee responsibilities, personal use rules whatever they may be, but what about attachments this covers your software and stuff. There are also other things like viruses, sending information out, confidentiality of e-mails , levels of confidentiality. I have done quite a lot of prep work and would be happy to share with you. Send me an e-mail if you want to discuss further.
Ian Gates Do you all have things like purchasing policies ? We have found that the increasing use if ICT in the workplace a catalyst to review all of our old work practices.
Carrol Rowe Thank you, will do.
Michiel Erasmus Thanks Carrol...a great help. Could provide you with more in about 3 weeks time (after research)
Carrol Rowe I will attach this session to the IT Training Page of TZ, please add further comments below so that we could share this useful information, thank you for today.
Ian Gates Cheers.