To satisfy data protection requirements, a company's policy for the use of electronic communications should as a minimum:
- set out clearly the circumstances in which workers may or may not use the employer's phone systems (including mobile phones), email system and internet access for private communications;
- make clear the extent and type of private use that is allowed (e.g. any restrictions on overseas phone calls or limits on the size or type of email attachments, etc.);
- specify clearly any restrictions on website material that can be viewed or copied. A simple ban on 'offensive material' is unlikely to be sufficiently clear for workers to know what is and is not allowed. Employers should at least give examples of the sort of material that is considered offensive (e.g. material containing racist terminology, images of nudity, etc.);
- advise workers what personal information they are allowed to include in particular types of communication, or the alternatives that should be used (e.g. communication with the company doctor should be sent by internal mail rather than email);
- lay down clear rules regarding personal use of communication equipment when used from home (e.g. facilities that enable staff to dial in to a company network from outside);
- explain the purposes of any monitoring, its extent, and the means used; and
- outline how the policy is enforced and the penalties for breaching it.
The existence of an electronic communications policy should be communicated clearly to staff, and they should be able to access it easily to find out what it covers.