Employers should tread carefully to ensure they remain within the law when monitoring staff emails and web use according to advice published today by the Information Commissioner.

The Employment Practices Data Protection Code — Monitoring paper declares that those employers that fail to stay within the law on this matter will be subject to criminal proceedings. "The Data Protection Act 1998 places responsibilities on any organisation to process personal information that it holds in a fair and proper way. Failure to do so can ultimately lead to a criminal offence being committed," the code explains.

The Code sets out guidelines to help employers guarantee that their monitoring practices do not breach the Data Protection Act. This severely limits the extent to which bosses can covertly spy on their workers' personal correspondence, whether by email, on the phone, in writing or on the internet. In most cases employers must get consent or at least inform staff before checking up on them.

The advice stresses the importance of creating a policy for monitoring personal information, and making sure that this policy is communicated effectively to employees. "Workers should be aware of the nature, extent and reasons for monitoring," it explains.

The advice says that while monitoring is allowed under the terms of the Data Protection Act, employers must stay within the limitations set out by the Act and should also bear in mind Article 8 of the European Convention of Human Rights.

The latter states: "Everyone has the right to respect for his private and family life, his home and his correspondence," and sets out the very strict criteria under which employees and public authorities may break this confidentiality — for example, where public safety may be at stake.