Porn becomes everyone's problem

Porn isn't the only nasty lurking on staff computers. Lawyer Michael Wigley has some advice for IT managers

The police porn scandal has highlighted the question of online abuse, but the issue is about more than porn. Defamatory emails and security, for instance, are also major issues.

However, porn is still a big issue — for the private as well as for the public sector. This is why State Services Commissioner is keen to improve online Acceptable Use Policies (AUPs). Only last month, Air New Zealand had to temporarily reinstate four employees it had sacked for allegedly accessing online porn. The full hearing will deal with some of the potential problems in this area, ranging from whether the employees had adequate notice of the policy, through to the issues surrounding the monitoring of software use.

Organisations are often badly set up to deal with the office porn problem. There is no perfect solution but risks can be minimised. But porn is only one of the issues that good AUPs cover. Even more important is security, given the high human component necessary in ensuring an organisation's security is robust. There are other issues, too, including:

-- Breach of copyright. For example, organisations might be liable should staff download unlicensed proprietary software.

-- Defamation. Just as libraries can be liable for defamation should they display a defamatory book, so can organisations be similarly liable should an employee send a defamatory statement through the company LAN.

Organisations must not get sidetracked away from the wider issues by focusing on porn alone. They need an integrated approach. However, online porn is a good example of why AUPs are so important and what needs to be done in this area.

AUPs must, of course, be clear about what material is unacceptable, which can be difficult. Some AUPs use the porn legislation definition as the benchmark, but this only deals with grossly offensive meterial such as child porn and violence. Context is also important. For example, an email that would be considered offensive by one person might not be seen as offensive by another, so unacceptable material should be described in a relatively flexible rather than prescriptive way. While flexibility is inherently problematic, it is better, on balance, than a definition that gets it wrong and doesn’t meet all needs.

It is also amazing how often getting the AUP accepted by employees is overlooked. It’s not enough just to have a cross-reference somewhere to an AUP in a manual or online. The AUP needs to be part of the employment contract but should stand alone to allow it to be amended quickly to take new technology as well as other threats into account.

Ask employees to sign the AUP. This is safer than online acceptance or simple cross-reference to the AUP. It is easy to get new employees, who are signing their employment contract anyway, to sign the actual AUP by hand. More difficult is to get existing employees to sign up to the AUP, including accepting changes. This, in turn, raises issues as to whether new or changed AUPs should be signed by hand, accepted by an online click or whether employees should simply be notified. Each method has risks and benefits. Signing by hand can be impractical for many organisations, but they still need to address the employee buy-in issue carefully as this is a key risk.

In addition to the AUP, there are technology solutions, including monitoring software and software that cuts out porn.

In the Air New Zealand case it is claimed that employees were recorded as having looked at a site for three minutes when they actually just glanced at a site for a few seconds. All that may have happened is that an employee received unsolicited porn that was immediately deleted. Generally, there will be other evidence, but these are the sort of issues that need to looked at when implementing monitoring systems.

Software that blocks porn leads to the bouncing of legitimate traffic. For this and other reasons there is probably not yet any legal obligation to install such software for most organisations. But, as with all aspects surrounding AUPs, there is no cookie-cutter solution. Each organisation needs to look to its own risks and needs.

The AUP must not be left on a dusty shelf: organisations should walk the talk. This can include auditing of personal emails. It’s wise to include confirmation in the AUP that personal emails and other material can be reviewed. In practice, this should be carried out judiciously to minimise employment and privacy law risk. There are enough AUP risks to justify ongoing training in this area.

Legally, there is not much difference between the public and private sectors when it comes to these issues, even though there are specific obligations placed on state sector employers and employees by the State Sector Act and the NZ Public Service Code of Conduct. Porn is just one of a number of online risks that need to be handled judiciously. Solutions should, therefore, be holistic and deal with more than just the issue of the viewing porn in the office.

Wigley is a Wellington lawyer and president of the Technology Law Society

Join the newsletter!

Error: Please check your email address.

Tags management

More about Air New ZealandLANTechnology

Show Comments
[]