10 laws for intranet managers
From the outset of this post, it’s vital to point out that neither of the editors of Intranetizen are lawyers — reader, if we were, we’d not be publishing this, but would be charging you a small fortune for the next few paragraphs! It is certain though that every intranet manager should be aware of a few key laws and their implications for the digital workspace you manage.
This is not exhaustive, and likely only applicable to the UK in its fullest, but as we learn more we’ll republish. Wherever possible, we’ve included a few steps you can take to ensure that you’re abiding by the law but you must not take this post as exhaustive legal advice and you must take your own steps, with your own legal team to ensure you are fully compliant. Consider this a top 10 things to discuss with your in-house legal team!
1. Regulation of Investigatory Powers Act 2000 (“RIPA”)
Impact: Monitoring Employee activity
A superbly catchy title and a subtly important piece of legislation with implications for the way you record usage on your intranet. Monitoring employees’ activities is often a double-edged facility, providing intranet teams with important information to allow them to improve the offering, but also supporting line management’s desire to know what ‘their staff’ are up to.
Note that any intranet features that use the identity of the individual to target information, and whose use you subsequently monitor, could be covered under this piece of law. The Regulation of Investigatory Powers Act 2000 (“RIPA”) makes it unlawful to intercept a communication in the course of its transmission. This may include ‘private’ social intranet communications.
Monitoring is normally ok if:
- It’s not a standard, blanket, ongoing monitoring of communication
- There is a clear and legitimate purpose for monitoring, for example, detecting misuse
- Monitoring is proportionate to the purpose. Intrusion on privacy is minimised
- Employees are informed and aware that the monitoring takes place. Covert monitoring can be ok if there is a good reason for it e.g. the need to keep the investigation confidential.
Stay within the law by:
- Publishing terms and conditions of use and a privacy policy
- Make it clear what monitoring takes place and the reasons for the monitoring
- Make it clear what information is stored, how and why
- Ensure the HR policy and line manager guidance reflects and respects the Intranet terms of use
2. Data Protection Act 1998 (“DPA 1998”)
Impact: Privacy
UK data protection law is primarily set out in the Data Protection Act 1998 (“DPA 1998”) which is based on EU Data Protection Directive 95/46. The DPA has a big impact in the way you govern any intranet, but the areas that are specifically difficult when it comes to a ‘social’ intranet are:
- DPA says that information should be kept current. When information is added and maintained socially (e.g. in a wiki) this becomes more difficult to demonstrate
- Specific thought needs to be given to personal data. One member of staff wishing another a ‘happy 40th birthday’ could be seen as disclosing personal data without the consent of the individual
Stay within the law by:
- Providing a clear route for content to be reported. A ‘report this content’ or ‘feedback’ button in the footer is enough.
- Include data classification in your appropriate use and privacy policies
- Make sure the moderation process is set up to respond quickly and appropriately to content reported as inaccurate or personal
- Code your intranet so that certain personal data, such as birth year, cannot be inadvertently disclosed
3. EU Data Protection Directive 95/46
Impact: Data Protection and Cloud Computing
This piece of legislation is worth calling out specifically as it has a huge impact on cloud-based intranets. The purpose of the legislation is to protect EU residents from certain practices around the processing of their personal data, and on the movement of such data. Simply put, this legislation concerns itself with how your company processes employee data and, critically for cloud-based intranets, where that data is stored. (Incidentally, this would also apply to cloud Exchange services.)
The principle is that there can be no transfer of data to countries outside of the EU that do not offer an ‘adequate level of protection’ – and that doesn’t cover many countries at all.
Stay within the law by:
- Host with EU cloud companies. Given that the very nature of cloud computing is that you don’t know where your data is stored, this is problematic. Large cloud companies, such as Microsoft, are often reluctant to divulge their data geography due to the potential dangers of terrorism.
- Ensure that you ask permission from every employee to host the data outside of the EU if that’s your intention.
4. Equality Act 2010
Impact: Employment & discrimination
The new (October 2010) Equality Act makes it clearer than ever that you can’t disadvantage someone due to their gender, pregnancy/maternity, race, disability, sexual orientation, religion or belief, marriage or civil partnership and age. In an employment context, anything done by an employee in the course of their employment is treated as having also been done by the employer – i.e. an employer is vicariously liable for any acts of discrimination by any of its employees.
The Equality Act also covers web accessibility — coding, design and layout standards that should be applied to your intranet to ensure that it can be used by any employee, without disadvantage, regardless of abilities. Companies must make “reasonable adjustments” to the way in which services are offered to enable someone with an impairment to use them.
Stay within the law:
- Make it clear to individuals what is and isn’t acceptable and that they are responsible for what they say
- Ensure some kind of monitoring or report process is in place to catch discriminatory content (be clear that this monitoring is in place – see note on RIPA)
- Work closely with HR to ensure that the disciplinary processes work constructively with the intranet policies
- Make training on diversity, discrimination and related issues mandatory for all employees. Make sure this mandatory training references the intranet social features
- Ensure that you’re fully aware of W3C and their web accessibility initiative (WAI)
- Consider auditing your intranet with organisations like The Shaw Trust. They employ people with disabilities to test your intranet, provide clear guidance for improvement and accreditation for excellence when found.
5. Defamation Act 1996
Impact: What can and cannot be said about colleagues and companies
With a social intranet you give employees voices, but when they say something on the intranet the company could be as liable as the individual. Intranet managers should be aware of defamation law since whatever is published on your intranet could give rise to a libel claim. At the heart of this law is the principle of whether, as a result of a published statement, there has been damage to another’s reputation. A corporation could also have a reputation and as such could also be libelled.
Examples of libels include:
- any statement which is likely to lower a person in the estimation of right-thinking people;
- any statement which injures a person’s reputation by exposing him to hatred, contempt or ridicule;
- any statement which tends to make a person be shunned or avoided.
Stay within the law by:
- Make it clear to individuals what is and isn’t acceptable and that they are responsible for what they say
- Ensure some kind of monitoring or report process is in place to catch libellous content (be clear that this monitoring is in place – see note on RIPA)
- Work closely with HR to ensure that the disciplinary processes work constructively with the intranet policies
6. Freedom of Information Act 2000 (“FOI”)
Impact: Limited except for public sector intranets
The purpose of this piece of legislation is to provide for the disclosure of information held by public authorities or by persons providing services for them and essentially gives the public the “right to know“. It does not apply to any companies and their intranets unless they are wholly owned by the state. Even then, not all information could be released as other restrictions may take precedence such as the Official Secrets Act or if the information is of commercial value (such as that in a University intranet) by way of example. A full set of exemptions can be found here. However, seek advice if your company does lots of work for the public sector!
Stay within the law by:
- Understanding what information on your intranet might be subject to FOI. Consider tagging it as such.
- Ensuring that your intranet search can easily find FOI related materials.
- Ensure that all intranet materials are name stamped so that when an FOI request comes in, it’s clear who needs to be involved
- Ensure that everyone receives training on FOI
7. EU Electronic Communications Framework aka EU Cookie Law
Impact: None, unless you’re using cookies on your intranet
While this framework has been in place since 2002, the recent changes due to be implemented in law in May 2011 may have significant impact on the way you manage your intranet. In short, the framework will insist that websites ask their users for permission before recording their activities online. The implication is that if you use cookies on your intranet, you may have to ask for your employees’ permission first.
This is a very new piece of legislation which is yet to see time in parliament so the full impact is not yet known. Ensure that your legal team is aware of the change and start discussing the implications for your intranet and internet sites now.
8. Human Rights Act 1998
Impact: Personal data storage and use.
Article 8 of the Convention states that everyone has the right to respect for his private and family life, his home and his correspondence. So, in addition to the privacy laws and monitoring guidance above, note that you may be in breach of your employees’ human rights if you allow abuse of personal data. Tread carefully now.
9. Financial Services and Markets Act 2000
Impact: What you can and cannot say on news or CEO blog
This law concerns itself with the regulation of the financial services and markets and much of the law is not directly relevant to intranet managers (albeit that your legal and finance teams will be well versed on the finer details). Section 118 of the act is concerned with market abuse and describes countless examples of behaviours that would constitute a breach of law.
In short, if information on company performance is disclosed, but is not generally available to the markets and someone were to act on that information by buying or selling stock, that would be illegal. Don’t expose your employees to this potential risk!
Stay within the law by:
- Never report company performance indicators unless they have been already disclosed to the markets via analyst briefings, press releases or other channels.
- If in doubt, seek legal review of your news or CEO blogs
10. Trademark Act 1994 / Copyright, Designs and Patents Act 1998
Impact: Images you use on your intranet
Consider the images that you use on your intranet to accompany news articles or within knowledge stores. Are they your photos? Are they your brands? If you’re using other people’s images, their logos, designs, styles and other proprietary intellectual property then you may like to seek some legal advice.
All content – unless stated otherwise – is considered the property of the content creator. While it’s unlikely that the company or another employee would profit from the use of someone else’s content on your intranet, it’s important to recognise the ownership. If that content — be it text, image, logo — is not presented correctly, they may feel it damages their ‘brand’ – consider how Ford might feel if images of their cars were used in association with motor claims or accidents on an insurance company intranet.
Finally, remember that you cannot use an image of a person without permission and you cannot use copyrighted professional photographs without giving appropriate credit. You may have some rights to use it while they are an employee and if they give permission, but if they were to leave the company these rights are revoked.
Stay within the law by:
- Not using other people’s or company’s intellectual property but if you do:
  - Seek permission!
  - Accredit usages
  - Add legal lines
  - Never amend or deface
  - Always apply their style guides
- Provide guidance to your employees about using trademarks and copyrights to ensure that you are compliant within published content but also within your user-generated content.
- Tagging photographs used with the names of the employees pictured. Run routine checks to ensure that these employees are still employees (and therefore you continue to have permission to use them)
Acknowledgements and References
In addition to acknowledging, with thanks, the authors of the links already provided, there are a few other acknowledgements to make.
To @chieftech and others who responded to a twitter question posed by @digitaljonathan; to @sharonodea who sparked some inspiration in a conversation on twitter with @lukemepham; to out-law.com for some strong guidance on the law and intranet accessibility; to website law for their views on libel; to Patrick Van Eecke (DLA Piper Brussels) for thoughts on cloud computing and to all of you for promising to seek full legal advice and for not pointing out that there are 11 laws listed.
It’s rare to find a summary of intranet relevant law in one place.
We are writing a ‘Managing risk in the Digital Workplace’ briefing paper for our members, so this is a timely point of reference.
It’s a great reminder that behind the firewall doesn’t necessarily mean under the radar.
Thank you Lucy. I hope this is of some help.
An excellent summary of the key UK legislation. Thank you for all the effort that you put in to developing this invaluable checklist.
I would just like to highlight three issues in the data privacy area which go beyond just the concept of cloud computing. First there are some important distinctions between personal information and ‘sensitive personal information’, the latter requiring informed consent by the employee. Second, make sure that your in-house legal team, and/or your external advisors, have expertise in global data privacy issues. It is a very complex area with little in the way of precedents. Third, track developments in the USA, where there could be important new regulations emerging over the next couple of years.
HP have taken the lead in issues around the legal implications of cloud computing, and http://www.hpl.hp.com/techreports/2009/HPL-2009-54.pdf is a good place to start.
Finally I’m pretty sure that the copyright of a photograph is owned by the photographer, and not the individual. http://www.copyrightservice.co.uk/protect/p16_photography_copyright
Great post, I will bookmark it for future reference!
I may have missed this, but what about subject access requests? Under the DPA you can request any information about yourself held in an IT system – see http://www.ico.gov.uk/tools_and_resources/glossary.aspx#s. I haven’t had any experience of trying to do this but I assume info on an intranet (eg about an ex-employee) would have to be supplied if requested.
@Martin Thank you for your comments. I’ll be delighted to update the post with your links and credit you. You’re right about the photography. The copyright lies with the photographer but for privacy laws (and frankly, sheer employee courtesy), you need permission to publish. If a professional photographer has been used, it’s appropriate to note their copyright on the photo (within the image, or as text)
@Camilla — Thank you for your update too. I can see this list expanding 🙂 Luke and I will edit and update.
I enjoyed your article but I thought you might want to know that it would be nice if you had clarified where these regulations applied. I live in the US and didn’t really realize that this article doesn’t really apply to me until I had started to pull up some of the links.
PS: I came across this article from a CodeProject email.
PPS: Having your “leave a comment” text boxes’ text color as a light grey on white background makes it VERY hard to read.
Jake
First up – thanks for solving a mystery for us. This post received thousands of views at the end of last week and we were at a loss to really understand where it was coming from. Analytics showed lots of mailservers, but obviously, not the source.
In our introduction, we state that these laws are likely to be only fully applicable to those in the UK. However, many of these issues raised have parallels in EU and US law – it’s worth checking with your legal team for precise details. We’d be delighted to try and create a bespoke US version in due course.
Finally, thank you for the comment on the text box for comments. Quite right. It’s not easy. We’ll look for an alternative and apply it to the CSS shortly.
J
[…] 10 laws for intranet managers (May 2011) by Luke […]
[…] in 2011 we wrote about 10 laws that every Intranet manager should know. Number 7 on that list is the EU Cookie Law, and since then the legislation has been through a few […]
Very interesting post.
I do have a question, I am not sure it’s pertinent though. I am just asking myself which laws you have to take into account when an intranet is used by a workforce made of members located in different countries?
Many thanks in advance.
Caroline
Hi Caroline,
Some of these laws have their origins in European Law and therefore will be relevant to multi-national workforces. Naturally, the landscape is further complicated when you consider truly global companies.
Our advice is to get time with your legal teams who will be aware of the laws that apply in your geographies. This post may help alert them to some of the possibilities.