Case study: Staff checks stay within law

To prevent such problems, many firms carry out some monitoring of email and Internet use. One such company is legal practice Morgan Cole. As a law firm, it is aware of the importance of complying with the Data Protection Act (DPA) when carrying out staff monitoring, and is keen to strike an acceptable balance between employee privacy and company protection.

However, Morgan Cole’s system did not offer enough functionality. ‘We didn’t find it flexible enough to do what we wanted to,’ says solicitor Mark Smith. ‘It didn’t match our acceptable usage policy.’ Morgan Cole wanted proven technology with a good reputation to help it uphold its usage policy and manage disclaimers on staff emails.

Access control

It chose tools from Clearswift’s MimeSweeper family of monitoring products. MailSweeper was installed to analyse incoming and outgoing email messages at the Internet gateway, and WebSweeper was set up to monitor and control Web-site access.

MailSweeper is also helping to enhance disclaimers in staff emails. ‘We’ve been looking at the wording of the disclaimer, and the introduction of a split-level one,’ says Smith. A solution is under development to create tailored disclaimers, which add a short summary of the disclaimer at the top of an email – where it is legally required – and add the full details at the end.

Smith says this type of system will make disclaimers more effective. ‘If you put a confidentiality clause on every email, somebody could argue against its validity because a simple lunch invite would have such a clause,’ advises Smith. ‘We want to put extra confidentiality disclaimers on some emails according to keywords. So, as an example, if the solution detects an email relating to a merger codenamed Bobcat, it would put a stricter disclaimer on this text.’

As well as implementing the Clearswift solutions, Morgan Cole has updated its acceptable usage policy. ‘A new policy has been signed by all employees,’ says Smith. It clearly tells staff what is expected of them.

Legal compliance

It is essential to ensure that use of monitoring solutions complies with the DPA. Paul Rutherford, chief marketing officer at Clearswift, says that if firms are employing tools to analyse and control Internet and email use, they need to ensure that staff are made aware of the processes and guidelines.

The first step is to define a policy that spells out for staff the type of content that is and is not acceptable. ‘Firms must also educate employees on these rules and why they have been introduced,’ adds Rutherford.

To ensure that staff are aware of the monitoring procedures, firms could include a section on the policy in employment contracts and induction courses, or ask staff to tick a box to acknowledge monitoring each time they log on to the network, says Rutherford. Firms might also hold briefings about email and Web use, and send reminders about good practices via email.


Business need: Law firm Morgan Cole wanted a more flexible content monitoring system to help it comply with data protection legislation.

Technical considerations: The system needed to support its policy on email and Internet use.

Solution: Morgan Cole bought new content monitoring tools and set them up after informing staff how the tools would be used.
