Acceptable use policies – answers to ten common employer questions

I’ve been doing substantial work on employer acceptable use policies lately and would like to publish a draft Q&A for feedback.

If you have feedback please comment or send me an e-mail.


1. What should employers do today to ensure their acceptable use policies effectively manage the implications of personal use?

In light of recent developments, employers should ensure that their acceptable use policies (1) articulate all the purposes for which management may access and use information stored on its system and (2) make clear that engaging in personal use is a choice employees make that involves the sacrifice of personal privacy.

2. What are the most common purposes for employer access?

Consider the following list: (a) to engage in technical maintenance, repair and management; (b) to meet a legal requirement to produce records, including by engaging in e-discovery; (c) to ensure continuity of work processes (e.g., employee departs, employee gets sick, work stoppage occurs); (d) to improve business processes and manage productivity; and (e) to prevent misconduct and ensure compliance with the law.

3. How should employers describe the scope of application of an acceptable use policy?

Acceptable use policies usually apply to “users” (employees and others) and a “system” or “network.” To effectively manage employee privacy expectations, policies should make clear that devices (laptops, handhelds…) that are company owned and issued for work purposes are part of the system or network even though they may periodically be used as stand alone devices.

4. Should employers have controls that limit access to information created by employees even though they don’t want to acknowledge that employees can expect privacy in their personal use?

Access controls are an important part of corporate information security. Rules that control who can access information created by employees (e.g., in an e-mail account or stored in a space reserved for an employee on a hard drive) are, first and foremost, for the company’s benefit. Access controls should be clearly framed as being created for the company’s benefit and not for the purpose of protecting employee privacy.

5. How should passwords be addressed in an acceptable use policy?

Password sharing should be prohibited by policy. Employees should have a positive duty to keep passwords reasonably secure. An acceptable use policy should also make clear that the primary purpose of a password is to ensure that people who use the company system can be reliably identified. Conversely, an acceptable use policy should make clear that the purpose of a password is not to preclude employer access.

6. Does access to forensic information raise special issues?

Yes. Acceptable use policies often advise employees that their use of a work system may generate information about system use that cannot readily be seen – e.g., information stored in log files and “deleted” information. It is a good practice to use an acceptable use policy to warn employees that this kind of information exists and may be accessed and used by an employer in the course of an investigation (or otherwise).

7. How should an employer address the use of personal devices on its network?

Ensuring work information stays on company owned devices has always been the safest policy, though cost and user pressures are causing a large number of organizations to open up to a “bring your own device” policy. Employers who accept “BYOD” should use technical and legal means to ensure adequate network security and adequate control of corporate information stored on employee-owned devices. For example, employers may require employees to agree to remotely manage their own devices as a condition of use and with an understanding that they will sacrifice a good degree of personal privacy.

8. Should an acceptable use policy govern the use of social media?

Only indirectly. An acceptable use policy governs the use of a corporate network. A social media policy governs the publication of information on the internet from any computer at any time. In managing social media risks, employers should stress that publications made from home are not necessarily “private” or beyond reproach, so putting internet publication rules in an acceptable use policy sends a counter-productive message.

9. Should employers utilize annual acknowledgements?

Annual acknowledgements are not a strict requirement for enforcing the terms of an acceptable use policy but are helpful. The basic requirement is to give notice of all applicable terms in a manner that allows knowledge to be readily inferred in the event of a dispute. “Login script” with appropriate warning language is also common and helpful. Nowadays, a good login script will say something like, “If you need a confidential means of sending and receiving personal communications and storing personal files you should use a personal device unconnected to our system.”

10. Are there special concerns for public sector employers?

Most public sector employers in Canada are bound by the Canadian Charter of Rights and Freedoms and by freedom of information legislation. Many have workforces that are predominantly unionized. The guidance to public sector employers on their acceptable use policies is no different than to employers in general, but the need to manage expectations that employees may derive from personal use is particularly strong for public sector employers given the legal context in which they operate.

Case Report – Employer owns mixed contact list stored on its system

In this United Kingdom departing employee case from this June, the High Court held that an employer had exclusive ownership of a contact list alleged by an employee to be his personal contact list because it was maintained on its computer system.

The defendant was a journalist who worked in trade publication and conference buisnesses for a number of years before joining the claimant, who operated a similar business. He gave evidence that he maintaned a personal contact list, updated it from time to time, and had over eight years of editorial and industry contacts amassed when he commenced employment with the claimant. Nine years later, and after transferring the list to an MS Outlook database maintained by the claimant and adding work-related contacts, the defendant left with two other employees to start a competing business. In addition to suing to recover damages for the defendant’s pre-departure breach of loyalty and fidelity, the claimant disputed his ownership of the list.

Although it held that the company had not effectively incorporated its computer use policy into the defendant’s contract of employment, the court nonetheless found it had exclusive ownership of the list. It made the following broad statement:

I am satisfied that where an address list is contained on Outlook or some similar program which is part of the employer’s e-mail system and backed up by the employer or by arrangement made with the employer, the database or list of information (depending whether one is applying the Database Regulations or the general law) will belong to the employer…

In all those circumstances, I find that such lists will be the property of the employer and may not be copied or removed in their entirety by employees for use outside their employment or after their employment comes to an end.

Because this is not likely to be appreciated by many employees, it is in my judgment highly desirable that employers should devise and publish an e-mail policy…

In the absence of such a laid down policy, I next have to consider the status of contact details which have been put on to an employer’s system by an employee for their own use outside their employment, in ignorance of the fact that they would thereby become part of the Claimant’s property…

In my judgment it is reasonable to imply in the absence of any laid down guidance a term that an employee will at the end of their employment be entitled to take copies of their own personal information and, where the information is person [sic.] and confidential to them, such as details of their doctor, banker or legal adviser, to remove them from the employer’s system.

Most forms of e-mail system will permit the creation of compartmentalised address books, so that ordinarily an employee will be able to put their own personal contact details of friends, relations, and the like into a personal address book. In those circumstances, in the absence of clear evidence of an e-mail policy, I would be inclined to the view that ownership of that part of the database resided with the employee…

In assessing the facts, the Court held that the defendant copied the entire mixed list for the purpose of competing with the defendant and that it would not be appropriate for it to parse the list. It ordered the sequestered database to be delivered up to the claimant and enjoined the defendant from using it except for contact information “known by other means.”

Pennwell Publishing (UK) Ltd v. Ornstien, [2007] EWHC 1570 (QB).