IS directors should receive legal assistance!

By Alexandre Souillé, President, OLFEO

On 13 January, the Aix-en-Provence appeals court upheld the disciplinary lay-off of an employee for daily personal internet use at work. This employee spent an hour a day on personal websites such as eBay, La Redoute, Sarenza and Doctissimo, connecting 80 000 times in two years to sites for non-professional reasons. This was the motivation for her disciplinary lay-off, based on breach of the company's internal rules and computer charter.

According to the company's internal rules, computer hardware, software and internet connections provided to employees must be used "in compliance with their purpose and with the needs of the position" and the e-mail, intranet and internet use charter stated that "misuse of intranet and/or internet access for personal purposes, in particular dating sites, private shopping, on-line gaming sites" is "forbidden". The employer also stated that this misuse had been damaging to the company because the employee had been paid for many hours "with no effective work in exchange".

In the case of this dismissal, not only did the employee not fulfil her duties, but she also harmed all of the other employees by monopolising the network for personal use. Thanks to a complete computing charter and its distribution which rendered it applicable to the employee, the employer was able to legally dismiss an employee who was excessively "connected".

Once again, this order from the Aix-en-Provence appeals court highlights the importance of a computing charter to protect companies.

However, establishing limits for internet use in the workplace is not always simple for IT personnel. They require legal knowledge in order to deal with a number of issues that help them guarantee proper functioning of the IS and the company at large.

Olfeo recently administered a legal quiz addressing the topic of the internet charter to over 2 000 IT managers (IS directors, CISO, etc.). (Olfeo legal quiz)

Almost one-quarter (23%) of respondents failed, and just 5% of them got a perfect score.

Two prickly subjects:

The answers to the questions showed that two topics are poorly understood by IT managers: the obligation to put in place a charter and the lifting of confidentiality regarding an employee's web use with respect to an executive.

As concerns the internet charter, it is mandatory only in cases where the company collects employee personal data as permitted by law, such as the archiving of personal logs. This obligation is established in Article L. 1222-4 of the French labour code: "No personal information on an employee may be collected by any means without said employee having been informed of it in advance." Yet, 42.3% of respondents believe that the decision to do so depends only on the company's CEO. 

As for the lifting of confidentiality regarding an employee's web use, to the question "May the IS director disclose the web use data of a specific employee at the employer's request?", 55.6% of participants thought it was permitted, if dismissal proceedings were underway. 43.2% of participants thought it was illegal. Just 1.2% of respondents gave the correct answer, that is, the IS director has every right to do so. 

According to CNIL, personal data confidentiality is lifted if user behaviour threatens:

  • the information system's proper technical functioning
  • security (terrorism)
  • the company's interests

So, we can wonder whether illicit internet behaviour or internet misuse can harm the company's interests. Consequently, in these cases, confidentiality is lifted with respect to the executive. 

From a legal viewpoint, the Martin case of 2008 (Cass. Soc., 09-07 2008) shed light on the easing of confidentiality regarding employee web use. 

According to this ruling, internet connection data established by an employee using company hardware during business hours:

  • is supposed to be professional 
  • is not considered private

Consequently, a company executive may, if he wishes, consult employee connection logs in their absence, and sanction them. Therefore, IT personnel have the right to disclose internet use data to the executive. However, it is advisable for IT personnel to have a specific charter, called an "administrator's charter", in addition to the company charter, in order to specify the conditions under which an administrator may act.

Necessary legal support: 

The legal framework as it applies to the internet is being defined bit by bit over time, and new cases constantly reshape the framework of internet use at work. According to recent laws and cases, if the company respects the law, it may monitor and possibly sanction employees. It must, however, set up legal tools such as a computing charter, and technical resources such as filtering and archive logs, in order to be able to identify deviant behaviours and to take action.

Furthermore, employers whose computing charter does not comply with legislation may be held personally liable. 

So, it is essential that IT managers regularly receive training and keep abreast of legal evolutions, or receive legal assistance from specialists. Their directors, companies and they themselves will be glad they did.

Olfeo-Cabinet Benoussan Guides and White Papers 

http://www.olfeo.com/sites/olfeo/files/pdf/guide-charte-informatique-olfeo.pdf 

http://www.olfeo.com/sites/olfeo/files/pdf/juridique.pdf 
