Establishing Parameters and Protocols around Employee Use of Instant Messaging Tools By Patricia Yeung, Partner, Howse Williams, Hong Kong

  Download PDF
Publish Date: 2023-01-20

中文版:就員工使用即時通訊工具訂立界限和協議

 

Key takeaways:

 

  • While instant messaging (IM) has become the preferred platform for work-related communication, it is easy for users to overlook the legal and disclosure of sensitive information risks associated with it.

  • When crafting communications policies, it is important that employers include guidelines for using IM to ensure that staff are aware of compliance and legal policies.

Instant messaging platforms such as WhatsApp and WeChat are increasingly rendering other forms of communication obsolete. In a business context, most customers and clients now expect an immediate response to their communications from the employees with which they are dealing. These exchanges frequently take place via the employees' personal mobile devices and sometimes outside office hours, and IM platforms are the overwhelmingly preferred medium. IM platforms have therefore become a workplace staple, and most employers regard them as necessary business tools.

While the advantages of IM platforms are obvious, they also carry a number of hidden risks. The perceived informality of the medium, and the expectation of a rapid response, leads to abbreviated and imprecise language. Employees also face increased stress and pressure from having to be constantly "on call", and this can lead to mistakes. One important issue that employers often overlook, however, is the problems that arise when the employer requires access to information that is stored on IM platforms in order to investigate the employee's actions.

The need for such an investigation may be triggered by a complaint or tip-off by a customer, client, or fellow employee, by enquiries from a regulator or prosecuting authority, or (increasingly) by an anonymous complaint. The investigation may concern the employee's conduct towards other employees, alleged failure to comply with company policies, potential misuse of confidential information, or even potential fraud or dishonesty.

There is little statutory regulation concerning the process of carrying out an investigation in Hong Kong, but there are some limitations on what the employer can do. Hong Kong's Personal Data (Privacy) Ordinance (PDPO) restricts access to, and use of, employees' personal data. Employees are increasingly aware of their privacy rights and will sometimes exploit them to avoid detection. They may also destroy information stored on devices (once deleted, information on IM platforms is virtually impossible to retrieve). Some employees will even resort to "losing" their devices. As a result, employers frequently face difficulties obtaining access to information on their employees' personal mobile devices. Investigations can be obstructed or even frustrated because employers have not anticipated these issues. Below are some suggested steps that employers can take to put themselves in a better position when investigating their employees' actions.

Practical steps employers can take to facilitate investigations

By providing employees with the electronic devices (ie, mobile phones and/or laptop computers) necessary for the employee to perform their duties, employers retain a much greater degree of control over the information on those devices. Employers can direct employees to use them solely for work-related matters and communications and regulate the use of IM platforms on them. As the devices remain the property of the employer, employers can demand access to them. Employers can also remotely monitor employees' use of their computer network. This is a very useful method of detecting certain kinds of misconduct.

Employers should still bear in mind that there are limits on the extent to which they can access devices issued to their employees. While they can, for instance, insist on access to chats on work-related matters, they should not attempt to view personal communications or information which is stored on these mobile devices. The monitoring of work devices should be for the purpose of protecting the safety of employees, business assets, intellectual property and other propriety rights.

It is therefore vital that employers have policies in place that regulate the use of devices issued to employees, and that spell out employees' rights of access to mobile devices. This will greatly facilitate the investigation process and reduce the risk of the investigation being obstructed by privacy issues.

Implement bring-your-own-device policy

Some employers do not issue their employees with mobile devices, often due to the cost involved. Employees are expected to use their own devices for work purposes. In this situation, employers should consider implementing a formal bring-your-own-device (BYOD) policy to ensure that protective measures are in place.

The policy should stipulate, among other things, the acceptable use of the relevant device, expectations of privacy and the employer's right of access to the content on the device (including content within IM platforms).

The following provisions may be useful for employers to consider when drafting a BYOD policy

  • Where employees use their personal devices for work-related matters, such devices should be submitted to the IT department for approval and safety configuration.

  • Employees should not be permitted to use an unapproved personal device for work-related matters.

  • In addressing the use of IM platforms for work, employers should define the acceptable use of IM platforms both in the workplace and in client communications.

  • Employers may limit or prohibit certain type of documents or information that employees are allowed to transmit (including sending and receiving) on the IM platforms.

  • Employers should reserve the right to inspect, access or wipe out content on employees' personal devices, to the extent permitted by law.

  • Employers may stipulate a reasonable time limit within which the contents obtained from employees' personal devices may be stored.

  • The use of such content should be confined to the legitimate purpose of protecting the employer's business interests, such as for investigation or litigation.

Dealing with proprietary rights in employment contracts

As a general principle, employers own the intellectual property created by their employees in the course of their employment. Addressing the ownership of such products and materials will reduce the scope for disputes, and most employers include an IP clause in their terms of employment (either in the employment contract or the employment handbook).

The IP clause should expressly extend to anything which employees create that is stored on a mobile device, including the contents of an IM platform. This will again facilitate the investigation process by reducing the scope for employees to object to handing over documents and material stored on their device.

Draft a formal agreement with customers/clients regarding IM platforms

It is highly desirable for employers to have an expressed agreement with their customers and clients which sets out the basis upon which communication via IM platforms will be used. Ideally, the employer should try to limit the extent to which it is legally bound by these kinds of communications, but in practice this may be difficult (and some businesses use WhatsApp and WeChat to enter formal contracts). It should nevertheless be possible to regulate what kind of communications and information can be transmitted.

In the context of an internal investigation, having this kind of agreement in place will assist employers in identifying unusual or inappropriate communications. It will also mean that customers and clients are more likely to notify employers about any questionable communications or conduct.

Important points to consider before commencing an investigation against an employee

Investigations should be kept confidential in order to protect employees' personal data. Maintaining confidentiality will also reduce the risk of employees becoming aware of the investigation and deleting or tampering with information (such as WhatsApp or WeChat messages) from their mobile devices.

Preservation of evidence

It may be advisable to require employees to handover their personal devices at an early stage in order to prevent the loss of evidence. Where this potentially involves accessing employees' personal data, there will need to be an arrangement to ensure that this is protected.

Monitoring

In cases of suspect misconduct, it may be necessary to monitor employees' communications (including their chats on IM platforms). Employers should ensure that the relevant policies are in place to permit this, and that the monitoring does not breach employees' privacy rights.

Legal advice

Internal investigations can take an unexpected turn, and employers may encounter unfamiliar and difficult issues. It is prudent to involve in-house counsel or external lawyers in the investigation, to ensure that the investigation does not become derailed by (among other things) allegations of breach of privacy laws. The additional advantage is that communications in relation to the investigation are generally protected by legal professional privilege (and therefore do not need to be disclosed to employees). This could be particularly important for employers engaged in a complex investigation that involves sensitive business information.


就員工使用即時通訊工具訂立界限和協議

撰文:香港何韋律師行合夥人楊善如
  • 儘管即時通訊(instant messaging,IM)已成為職場上的首選平台,但用家很容易忽略當中的法律和敏感資訊洩漏風險。

  • 因此,僱主制定通訊政策時,應包括即時通訊平台的使用指引,確保員工清楚了解相關守則和法規。

WhatsApp 和微信等即時通訊平台正逐漸淘汰其他通訊方式。在現今的商業世界裏,大部份顧客和客戶往往希望得到員工的即時回應。雙方經常透過個人電話商討事項,有時在非辦公時間仍要繼續討論,即時通訊平台於是大受歡迎,成為職場上常用的溝通媒介,許多僱主更視之為工作的必要工具。

即時通訊平台的優勢顯而易見,但也隱藏著不少風險。這種媒介不拘形式,用語隨意,加上用家希望得到快速的回應,因此經常出現縮寫及意思含糊的語句。此外,員工經常處於「隨時候命」的狀態而承受千斤壓力,難免出錯。但當僱主需要索閱即時通訊平台上儲存的訊息以調查員工的工作行為時,一直被忽略的重要問題,便會浮現出來。

觸發僱主查閱員工通訊記錄的因素可能來自顧客、客戶或同事的投訴或密告、監管或檢察機關的查問,或(更為常見的是)匿名投訴。查閱範圍可能涉及該員工對其他員工所作出的行為、疑未遵守公司政策或濫用機密資料,甚至觸及欺詐或不誠實行為。

事實上,香港幾乎沒有法規監管公司調查員工行為的過程,但僱主可以採取的行動有限。香港《個人資料(私隱)條例》(私隱條例) 限制查閱和使用員工的個人數據,由於員工逐漸意識到自己的私隱權利,因此有時會濫用權利以避調查。他們可能銷毀儲存在裝置上的訊息(一旦刪除即時通訊平台上的訊息就幾乎無法恢復);有些員工甚至報稱「丟失」裝置。凡此種種均令僱主措手不及,要查閱員工個人流動裝置的訊息實在舉步維艱,整個過程可能受阻,甚至受挫。不過,僱主亦可參考以下建議,好讓自己調查員工行為時處於更有利位置。

實際措施以便進行調查   為員工提供電子裝置

僱主可為員工提供工作所需的電子裝置(即流動電話及/或手提電腦),以確保對裝置儲存的訊息留有更大的控制權。僱主可限制員工將這些裝置用於與工作相關的事宜和通訊,並監管他們使用即時通訊平台的情況。由於這些裝置屬僱主擁有,因此他們有權查看當中的訊息,還可遠程監察員工使用電腦網絡的情況。這不失為調查員工不當行為的上策。

但僱主要切記,裝置雖由公司提供,但要查閱訊息亦有一定限制。例如,僱主可堅持查看與工作相關的對話,但就不應查看儲存在這些流動裝置上的個人通訊記錄。監管用於工作的裝置目的應為保護員工、公司資產、知識產權和其他專利。

因此,僱主必須制定政策,指引員工如何使用公司提供的裝置,並闡明僱主可查閱這些流動裝置的權利。這將令調查過程變得順暢,同時減低因私隱問題而令調查受阻的風險。

實施自備裝置政策

有些僱主通常會因成本問題而不為員工提供流動裝置,並期望員工將其個人裝置用於工作之上。在這情況下,僱主應考慮實施正式的「自備裝置」政策,確保雙方都得到保障。

政策應釐定相關裝置的可接受使用範圍、私隱期望,以及僱主查看訊息內容(包括即時通訊平台上的內容)的權利。

僱主草擬「自備裝置」政策時可參照以下條款內容:

  • 如果員工將其個人裝置用於工作之上,則該裝置應交由資訊及科技部門批准和檢查安全配置。

  • 員工不應將未經批准的個人裝置用於工作相關事宜。

  • 僱主應界定員工在辦公室以及與客戶通訊時使用即時通訊平台的可接受情況。

  • 僱主可限制或禁止員工在即時通訊平台上傳送(包括發送和接收)某類文件或訊息。

  • 在法律允許的範圍內,僱主應就查看、索取或清除員工個人裝置上的內容保留權利。

  • 僱主可以訂下合理時限,儲存員工個人裝置上的訊息內容。

  • 使用此類內容應僅限於保護僱主的合法商業利益,例如調查或訴訟。

僱傭合約闡明擁有權

就一般原則而言,僱主擁有僱員在受僱期間所創作的知識產權。闡明相關產品和資料的擁有權將縮窄糾紛範圍,大部份僱主因此會在僱傭合約中(僱傭合約或僱傭手冊)包含知識產權條款。

條款應清楚訂明,所指產權包括員工在其個人裝置上建立並儲存的任何內容,包括即時通訊平台上的內容。這將減少員工拒絕交出裝置儲存的文件和資料的機會,有利進行查閱。

與顧客或客戶草擬有關即時通訊平台的正式協議

僱主最好與顧客和客戶訂立明確協議,闡明透過即時通訊平台進行對話的各項原則。在理想情況下,僱主應盡量限制在法律上,受此類通訊約束的範圍,但在現實環境中,這卻談可容易(有些企業使用 WhatsApp 和微信來簽訂正式合約)。儘管如此,僱主應可以規管傳送的訊息類別。

若公司需要進行內部調查,達成此類協議則會有助僱主辨識異常或不恰當的通訊行為;顧客和客戶亦會更主動將有問題的通訊或行為告知僱主。

展開調查前必須三思以下要點

調查必須保密以保護員工的個人數據。保密還可減低員工在得知調查后刪除或篡改其流動裝置訊息(例如 WhatsApp 或微信訊息)的風險。

保存證據

僱主最好要求員工儘早交出個人裝置,以防丟失證據。為免觸及員工的個人數據,僱主應作出妥善安排,確保個人數據受到保護。

監控

若發現可疑的不當行為,僱主或有必要監控員工的通訊情況(包括他們在即時通訊平台上的對話)。但僱主應確保已訂下相關政策允許這類監控行為,且不會侵犯員工的隱私權利。

法律諮詢

不過,內部調查往往會出現始料不及的情況,僱主可能會遇到陌生和棘手的問題。謹慎的做法是讓內部法律顧問或聘用坊間律師參與行動,確保調查不會因(除其他外)觸及隱私而偏離軌道。此外,與調查相關的通訊一般受法律專業特權保護(因此不需要向員工披露)。對於僱主來說,這對涉及敏感商業資訊的複雜調查尤其重要。