Internet Use at the Workplace: Could You Be Fired for Browsing?

The internet is at the centre of everything we do: inside and outside the workplace. It is such an integral part of our lives, that we often are unaware of the policies in place for its use at work.

We have gotten in touch with Luca Daffra, who informs us on appropriate internet use during work hours and how companies can handle cases regarding internet use.

What are the advantages of outlining a policy for internet use in the workplace?

It is essential in many respects to outline a policy on the use of the Internet in the workplace, which should be integrated with some regulations on the use of company IT equipment used by its employees for the performance of their duties. It is required to ensure the employer’s compliance with the statutory regulations regarding personal data processing (GDPR) and, consequently, the proper management of the employment relationship. With regard to the first aspect, these policies play a key role in raising workers’ awareness of the risks associated with surfing the web and the pitfalls that this may entail for company IT systems, hence the need to adopt virtuous conduct.

In addition, these policies have the essential function of making the worker aware, in a transparent manner, about the checks that the employer can perform on navigation data (i.e. storage and verification of log files). This latter function is also of considerable importance from a labour law standpoint, for the purposes of the usability in any litigation regarding disciplinary procedures of the information acquired through the said checks, without prejudice, however, to the need to comply – as I will point out below – the provisions of Article 4 of the Workers’ Statute on work performance checks from remote.

 It should be noted that, also in the light of the GDPR which has recently come into force, it is up to the employer to adopt appropriate security measures to ensure the availability and integrity of information and data systems, also to prevent misuse that may be a source of responsibility. 

What issues can arise if a policy does not exist, or is improperly implemented?

It should be noted that, also in the light of the GDPR which has recently come into force, it is up to the employer to adopt appropriate security measures to ensure the availability and integrity of information and data systems, also to prevent misuse that may be a source of responsibility. One of these measures is certainly the adoption of the policies in question. Failure to adopt them, as well as failure to implement them effectively, expose the Company to the risk of non-compliance with the GDPR. The failure to establish clear rules regarding the use of the internet and electronic instruments, such as, for example, the provisions concerning which websites may be visited and which may not, as well as the failure to set out prohibitions relative to the download of applications or programmes or the use of social media, or even to provide clear rules for the management of passwords, including those of company’s wi-fi network, would expose the computer systems of the company to the risk of attacks and, consequently, to the risk of data breaches.

The internet and new technology have certainly had a major impact on the workplace and the way work performance is carried out. This has had a clear impact on the production of labour legislation.

As regards to the employment relationship, the implementation of the policies is of considerable importance, in order to inform associates about the conduct that the employer expects from them relative to the use of the internet and company IT tools, and to be able to sanction any deviations from them. However, as mentioned above, the provisions of the policy may not be sufficient to legitimately initiate disciplinary proceedings against an employee. In fact, it should be noted that Article 4 of the Workers’ Statute allows the implementation of systems and equipment from which a control of the performance of the work activity can also derive (such as controls on log files, i.e. programmes that filter e-mails on the basis of defined parameters) only providing it is justified by technical, organisational, production or security reasons.  For these reasons, the control systems may be installed only with the prior agreement of the trade union representatives in the company or, in their absence or in the event of failure to reach an agreement, with the authorisation of the Territorial Labour Inspectorate (ITL) or, if the installation concerns several offices located in different regions, by the National Labour Inspectorate (INL). Failure to comply with the said authorisation procedure leads – in principle – to the impossibility to avail of information collected through unauthorised systems, and it is also an offence which may be prosecuted.

How have you seen the internet and technology itself, impact the workplace, legally?

The internet and new technology have certainly had a major impact on the workplace and the way work performance is carried out. This has had a clear impact on the production of labour legislation.

On this point, significant changes, for example, were made to the aforementioned Article 4 of the Workers’ Statute, where it was specified that the procedure for the installation of tools enabling checks on work activity, as mentioned above, does not apply in the case of tools used by the worker to render their work performance and the tools for recording access and attendance. And so, for example, it has been clarified by the Ministry of Labour, that “PCs, tablets, mobile phones” are to be considered work tools; conversely, computer systems and software not strictly necessary for the performance of the work may be defined as extraneous to such a definition.

More problematic, however, is the question of GPS devices, which according to the INL can be considered as working tools for the purposes of Article 4, paragraph 2 of the Workers’ Statute only in the following cases:

– if the systems are installed in order to allow “the actual and effective execution of the work performance“, meaning that the execution “is not possible without the use of such tools“;

– if the systems are installed because they are expressly required by legislative or regulatory provisions (in this regard, the circular referred, by way of example, to the “use of GPS systems for the transport of cash-in-transit vehicles in excess of 1,500,000.00 euros”).

It is essential that the policy clarifies what the employee can do using the company’s internet connection and other electronic devices, which the employer makes available to them for the performance of their duties.

Always from the regulatory standpoint, the organisational flexibility made possible by new technologies (i.e. working remotely with laptops, tablets and smartphones, etc..) has been governed by Law no. 81/2017, which regulates smart working as a mode of execution of the subordinate employment relationship characterised by the absence of time or space constraints and the organisation by phases, cycles and objectives, both established by agreement between employee and employer. The said mode helps the worker to reconcile private life and work time and, at the same time, to promote the growth of their efficiency.

The Legislator has been keen to establish that the workers who perform their duties in agile working conditions are entitled to economic and regulatory treatments not inferior to those applied overall, via implementation of collective agreements to the workers who perform the same tasks exclusively within company premises.

The Legislator, however, refers to the agreement between the parties to determine how to ensure the right to disconnection.

 

Can you outline the main issues such a policy should address?

It is essential that the policy clarifies what the employee can do using the company’s internet connection and other electronic devices, which the employer makes available to them for the performance of their duties. In particular, it is necessary to provide:

  1. directions regarding the types of conduct which are not permitted as for “browsing” the internet (e.g. downloading music files and/or software) or keeping certain files on the intranet;
  2. indication of the extent to which employees may use e-mail and network services also for personal purposes, even when this is made possible only from certain workstations and/or accounts or else via webmail systems. In these particular cases, information should be given regarding the relevant arrangements and time limitations (e.g. whether using such systems is only allowed outside working hours or during breaks, or whether they may also be used with moderation during working hours);
  3. information on the types of data recorded on a temporary basis (e.g. which log file components are recorded, if any) and on the persons who are lawfully entitled to access such data (including external entities);
  4. information on the types of data which are kept for longer, in a centralised or decentralised manner, also by backup copies and/or by the technical management of the network and/or log files;
  5. specification on whether and to what extent the employer reserves the right to carry out controls in pursuance of the laws, also on an occasional and/or non-regular basis, whereby the legitimate grounds on which such controls would be carried out will have to be specified in detail (as also related to the checks on operation and security of the system) and the relevant arrangements should be spelled out; in particular, it should be specified whether the occurrence of individual and/or repeated cases of misuse results into the issuing of prior collective and/or individual warnings and the performance of controls on individual employees and/or individual devices and workstations;
  6. indication of the consequences, including disciplinary action, on the employees in the event that the employer established that email and internet services are misused;
  7. any suitable action, taken with the collaboration of the same employees, to ensure work continuation also in the absence of employees – especially in case of planned leaves – with particular regard to the use of out-of-office auto-reply messages;
  8. some regulations about the possibility for employees to use the available systems for personal purposes bearing the relevant costs;
  9. indication of the measures taken in specific employment contexts where it is necessary to abide by the professional secrecy obligations imposed on certain professions;
  10. indication of the internally adopted data and systems security measures.

Failure to comply with these formal requirements will result in the inoperability of the data acquired through these instruments.

What are [legally] unacceptable uses of internet at work?

What is unacceptable in the use of the internet is established by the relevant company policies, which establish what is permitted and what is not. In fact, for example, these policies can just prohibit navigation or limit it to only some sites or even allow it only during breaks. In the absence of policies setting specific rules for the employees, the general duties provided by the Civil Code regarding the diligence of the employee (article 2104 of the Civil Code) and the obligation of loyalty of the same (article2105 of the Civil Code) shall apply: therefore, the use of the internet, which negatively impacts on the correct execution of the work performance may be considered unlawful because, for example, part of the working time is diverted for private purposes.

Can your employer check your email and internet history?

As noted above, article 4 of the Workers’ Statute allows the installation of tools which also enable checks on work performance (such as a software that stores navigation log files) only where this is justified by organisational, production and safety reasons and subject to agreement with the RSA or authoriation of the ITL.

Moreover, for the use of data collected in such way in any litigation regarding disciplinary matters, the same article 4 requires the employer to provide employees with adequate information in accordance with article 13 of the GDPR. Failure to comply with these formal requirements will result in the inoperability of the data acquired through these instruments. According to case law, this prohibition does not apply to so-called defensive checks, i.e. the checks performed consequent to a well-founded suspicion that the employee is engaging in illegal conduct that may lead to crime or to financial or non-financial damage even to the image.

The implementation of a disciplinary code is essential to clarify what standards the associates are required to abide by so that they are deemed to properly fulfil the obligations arising from the employment relationship.

Expanding onto other internal regulations: what are common issues you see clients coming to you for advice on?

In addition to these policies, companies often ask me to prepare regulations on the proper management and classification of information and documents, which establish the criteria for classifying information as confidential, confidential or in the public domain.

In addition, I am often requested to draft Codes of Ethics and Conduct.

Recently, there has been a growing demand for regulations governing corporate welfare plans in order to benefit from the more favorable tax regime, compared to that applicable to remuneration, and the exemption from the payment of social security contributions; in this way, companies can guarantee their employees better treatment than the minimum rates set out in the national labour contracts, but with significant cost savings compared to what they would have had to incur in order to grant a monetary equivalent.

 

In your opinion, what do you think is an ideal disciplinary code if these regulations are not adhered to, which will benefit employers?

The implementation of a disciplinary code is essential to clarify what standards the associates are required to abide by, so that they are deemed to properly fulfil the obligations arising from the employment relationship. This is even more essential when the expected conduct reflects specific needs and/or rules of the employer’s organisation, rather than just commonly shared values. For example, if an employer does not want employees to use social media during working hours, an expressed prohibition needs to be provided to that effect, otherwise such conduct can be challenged against the worker only to the extent that it has a real impact on the work performance, because the time devoted to it is excessive; in the event of litigation following up to such circumstances, however, the judge will have the discretion to determine the borderline between a  moderate or excessive amount such as to trigger, or not, a sanction for this behaviour.

It is important, hence, that the Disciplinary Code is drafted in a clear manner and establishes the rules to which the worker is required to adhere.

It is also useful for the code to provide, in relation to individual violations, for the applicable sanction, it being understood that, in the event of litigation, it is always the judge who has the final say in assessing the proportionality between the conduct complained about and the sanction applied.

Finally, it should be noted that in order for the Disciplinary Code to have binding effect, it must be displayed in a place where employees have free access.

 

Luca Daffra
Partner
email: luca.daffra@ichinobrugnatelli.it
phone: 0039 02.48.19.32.49
fax: 0039 48.100.102
https://ichinobrugnatelli.it

Leave A Reply

Your email address will not be published.