Last week the commission released a draft of its long-awaited guidelines on employee monitoring to selected industry bodies - the final version is expected in June. The guidelines represent the commission's interpretation of the Data Protection Act.

Companies that wish to covertly monitor staff for inappropriate behaviour face stringent limits: the guide says that no such action should be taken until a "documented assessment has been made, concluding that notifying workers of monitoring would prejudice the investigation".

It warns that the police must be consulted and involved whenever staff are monitored without their knowledge.

Rupert Battcock of law firm Nabarro Nathanson said, "Some firms may need covert monitoring, but this should only be used when it is justified." He added that the guide is not actually law, but "it is useful for supporting an argument in court. A court would certainly be willing to look at the code, even though it has informal status". He advised that to avoid problems, employers should tell staff about monitoring activities.

The commission's guide also recommends that firms should fully inform staff whenever they are likely to be monitored. Companies should "display a set of conditions concerning access, which workers must accept" at the start of every online session.

Dave Brunswick, director of technical services at email filtering software firm Tumbleweed, approved of this measure, and added that he has spoken to firms that have taken legal advice on how to monitor. "It is no good joining an organisation, signing its policy and then not seeing that document for another five years. People should be regularly updated on their rights," he said.

Brunswick noted that some firms are providing separate work and private email accounts. "This may have bigger overheads, but you have a way of giving people a channel for their personal correspondence."

One difficulty is that it is easy to inform staff that their correspondence may be read, but not as easy to inform people from outside the organisation. Battcock said, "We are beginning to think that companies should include notices in their standard email auto-signatures that inform recipients that their email correspondence could be monitored."

Battcock warned companies to consider the legal risks of not following good practices. He said they should regularly update policies, and inform staff because "even a sleeping dog can turn around and bite you". He added that although the Information Commission may be unlikely to take legal action over data protection laws, employees may be inclined to do so.