Best Practice Guide: Frequently Asked Questions

Should our organisation have an IT Use Policy?
What should an IT Use Policy include?
Why should we have a specific section within our IT Use Policy or a separate policy entirely, relating to indecent images of children?
When should we report to the Internet Watch Foundation and when should we report to the police?
I’m not sure I understand what the ‘conditional defence’ referred to in the Sexual Offences Act legislation means to me?
My IT team do not wish to view potentially distressing images in order to ascertain whether they are indecent images of children or other types of potentially criminal content, can we report them to the Internet Watch Foundation for consideration?
If our IT team decides they are willing to assess internet content found on our organisation’s servers and computers, should they undergo any type of training in order to deal with potentially indecent images of children they may be exposed to, accidentally or deliberately?
It has been noticed that a member of staff has been downloading a significant number of images, are we legally entitled to look at those images to see if they are breaching our organisation’s Misuse Policies?
If we review suspects images and they breach our organisation’s Misuse Policy but are clearly not criminal, what is the appropriate course of action?
If we review suspect images and they are not indecent images of children but could still be potentially criminal, what is the appropriate course of action?
If we review suspect images and they do appear to be indecent images of children, what is the appropriate course of action?
A member of staff has received an email through the work email system that we believe advertises a website containing indecent images of children, what should we do?
A member of staff has received an email through their personal web based email system (i.e. Hotmail), that we believe advertises a website containing indecent images of children, what should we do?
We have discovered potentially indecent images of children on our servers, but we are unsure as to who has been downloading them. What should we do?
We believe we have found indecent images of children on a member of staff’s computer, what should we do? Should we email these images to the Internet Watch Foundation? The web reporting page does not seem to allow us to do this.
I have found indecent images of children on our organisation’s servers and they have been deliberately saved onto a member of staff’s electronic device, what is the appropriate course of action?
A member of staff has been reported to management by a colleague who suspects them of downloading indecent images of children. What should we do now to confirm or deny this allegation?
We have found pornographic text stories that contain descriptions of the sexual abuse of children on a member of staff’s computer, is this illegal and what is the appropriate course of action?
A member of staff has been surfing sex sites on work computers, but out of hours. We don’t know if they contain criminal images, but we are unsure what to do next.
Is it illegal for our staff to view “glamour” shots online? Many of our staff regularly visit FHM, the Sun and similar websites which contain such glamour shots.
If a person reports that they have pop-ups of potentially indecent images of children occurring on their computer, will they have been visiting that type of site, or are there other explanations?
A member of staff with a wireless laptop claims that they were unaware of images found on their machine. Is it possible that the laptop could have been “hijacked”?
Are management or personnel liable if they discover indecent images of children on an organisation’s computer or that a member of staffhas been viewing indecent images of children on an organisation’s computer and take no action?
If I report webpages with indecent images of children to the Internet Watch Foundation, how do I know they won’t report me to the police?
We provide our staff with IT equipment to use at home and they can connect remotely into the organisation’s intranet. If staff are using those machines for viewing indecent images of children or other criminal content, what is the organisation’s liability?
A member of staff has been using the organisation’s systems to send out spam emails, should we report this to the Internet Watch Foundation?
Why is the Internet Watch Foundation authorised to give information on this subject?

1. Should our organisation have an IT Use Policy?

Yes.

For the benefit of both employer and staff you should have a written policy in place which clearly explains and defines acceptable terms of use of the internet and of corporate equipment; computers, laptops and handheld devices both in and out of office hours.

There are various legal issues and risks which arise from allowing staff use of internet and email including: type of internet content which may be accessed, internet copyright law and other intellectual property issues, defamation and confidentiality, misuse of emails and disclaimers.

By having a policy in place everyone is aware of and understands what is acceptable and the implications of transgression. It allows organisations to protect themselves should a member of staff contravene any aspect of the policy and it ensures staff are aware of the conduct expected of them, when their rights of privacy apply and when, how and why their computer use might be monitored.

The policy should be explained to all staff, existing and new, on a regular basis. Senior Management, who may ultimately be held liable if a breach in the policy occurs, should also be aware of and fully understand the organisation’s IT Use Policy.

2. What should an IT Use Policy include?

The Internet Watch Foundation cannot advise you on specific policy inclusions and we recommend that you seek appropriate legal and HR advice.

3. Why should we have a specific section within our IT Use Policy or a separate policy entirely, relating to indecent images of children?

Indecent images of children under the age of 18 are criminal.

Section 160 of The Criminal Justice Act of 1988 Opens in New Window made the simple possession of indecent photographs of children an offence. This is an Arrestable Offence carrying a maximum sentence of 5 years imprisonment.

Making an indecent image of a child is a Serious Arrestable Offence carrying a maximum sentence of 10 years imprisonment.

Note: The term "make" includes downloading images from the internet and storing or printing them out (see R v Bowden (J) 1999).

You should have a clause within your IT Use Policy or a separate policy which relates to the relevant legislation. The Sexual Offences Act 2003 allows you to implement procedures specifically for dealing with these types of criminal images in the workplace, so there is no viable justification not to adopt an appropriate procedure.

Such a policy should clearly explain the implications should indecent images of children or other potentially criminal content be discovered on your organisation’s servers or on individual electronic devices and who within your organisation will deal with such matters. This should include an explanation as to why the policy is needed/significant and refer to the relevant legislation. There should be a clear reporting and disciplinary procedure which everyone is aware of and understands.

Include information and instructions for the Human Resources representative or department for dealing with staff who have been found to view, download, ‘make’ or possess indecent images of children at work and/or on equipment provided by the organisation. The Senior Management Team should be aware of any disciplinary procedures and action if ever taken.

Indecent images of this nature are a record of the actual abuse of real children.

Dealing with these images in the appropriate manner protects your organisation and your staff. It sends a message of zero tolerance of child abuse and exploitation and promotes your organisation’s Corporate Social Responsibility.

4. When should we report to the Internet Watch Foundation and when should we report to the police?

It is important to be aware that the Internet Watch Foundation deals specifically with online content and not suspects.

It is the role of the police to deal with suspect individuals.

This means that if a member of staff is downloading indecent images of children from the internet, then you should report the URLs (webpage addresses) to the Internet Watch Foundation and the police should be informed of the member of staff’s activities.

If a member of staff has saved indecent images of children, downloaded from the internet, to an electronic device, then you should inform the police immediately, taking care to preserve the evidence that you have discovered.

If any information on a source of indecent images of children on the internet is available, such as a URL (webpage address) or newsgroup name, you should report this to the Internet Watch Foundation.

Please note:

Report to the Internet Watch Foundation when an internet location or an email leading to an internet location is found.
Report to the police when images stored on an electronic device are found.

5. I’m not sure I understand what the ‘conditional defence’ referred to in the Sexual Offences Act legislation means to me?

If, in your professional role, through monitoring internet use or your organisation’s servers, you are at risk from accidental or deliberate exposure to potentially indecent images of children, you are now protected if you view those images which may be criminal, in order to report them to a relevant authority (the police or the Internet Watch Foundation) in order for them to be assessed and potentially used in a criminal investigation.

Prior to the Sexual Offences Act 2003, if you viewed these images accidentally or on purpose in the course of your work you would have been in breach of the law.

This legislation has been designed to afford you some protection to report these criminal images. The associated Memorandum of Understanding outlines this in more detail.

6. My IT team does not wish to view potentially distressing images in order to ascertain whether they are indecent images of children or other types of potentially criminal content, can we report them to the Internet Watch Foundation for consideration?

You should contact your local police for advice.

7. If our IT team decides they are willing to assess internet content found on our organisation’s servers and computers, should they undergo any type of training in order to deal with potentially indecent images of children they may be exposed to, accidentally or deliberately?

It is not necessary for anyone in your IT team to make such judgements if they do not wish to. The police will do this. If you do wish to implement some training on this, then you should contact your local police and discuss it with them. You should also consider putting in place appropriate counselling services for your team, should such images be found.

8. It has been noticed that a member of staff has been downloading a significant number of images, are we legally entitled to look at those images to see if they are breaching our organisation’s Misuse Policies?

Under Section 46 of the Sexual Offences Act 2003, you are legally allowed to view images to make a decision as to whether you believe they could be indecent images of children. However, if you discover such images, you must inform the police, within a reasonable time frame.

You should also consider your organisation’s policies regarding:

Staff’s personal use of the internet service at work;
Their rights to privacy;
Your right as an employer to monitor internet use and content.

These should be clarified and explained to all existing and new staff that have internet access.

9. If we review suspect images and they breach our organisation’s Misuse Policy but are clearly not criminal, what is the appropriate course of action?

If the images are clearly not criminal, it will be up to your own disciplinary regulations as to what course of action you follow. The police and the Internet Watch Foundation will not get involved.

10. If we review suspect images and they are not indecent images of children but could still be potentially criminal, what is the appropriate course of action?

If you suspect the content could potentially be criminally obscene adult content or non-photographic child sexual abuse images, you should contact the police. If the content was found online please forward the URLs (webpage addresses) where the content was found, to the Internet Watch Foundation for action.

It is illegal to publish and distribute criminally obscene adult content and non-photographic child sexual abuse images and it is also illegal to possess extreme pornography as defined by section 63 of the Criminal Justice and Immigration Act 2008 and non-photographic child sexual abuse images as defined by sections 62 to 69 of the Coroners and Justice Act 2009.

11. If we review suspect images and they do appear to be indecent images of children, what is the appropriate course of action?

It is important to be aware that the Internet Watch Foundation deals specifically with online content and not suspects.

It is the role of the police to deal with suspect individuals.

This means that if a member of staff is downloading indecent images of children from the internet, then you should report the URLs (webpage addresses) to the Internet Watch Foundation so that we can work to have the images removed from the internet and the police should be informed of the member of staff’s activities.

If a member of staff has saved indecent images of children, downloaded from the internet to an electronic device, then you should inform the police immediately, taking care to preserve the evidence that you have discovered.

If any information on a source of indecent images of children on the internet is available, such as a URL (webpage address) or newsgroup name, you should report this to the Internet Watch Foundation.

Please note:

Report to the Internet Watch Foundation when an internet location or an email leading to an internet location is found.
Report to the police when images stored on an electronic device are found.

12. A member of staff has received an email through the work email system that we believe advertises a website containing indecent images of children, what should we do?

If the email is unsolicited (spam), then you should delete any copies of the email and quarantine a single copy, the details of which should then be passed to the Internet Watch Foundation through its reporting page at https://www.iwf.org.uk/report. Once this has been done, delete the quarantined email. You should also review your spam filters to ensure that they are up-to-date and are aware of the latest spam messages.

If the email is not spam but has been sent by an individual, then you should report this to the police immediately.

13. A member of staff has received an email through their personal web based email system (i.e. Hotmail), that we believe advertises a website containing indecent images of children, what should we do?

If the email is not spam but has been sent by an individual, then you should report this to the police immediately.

You should consider your organisation’s policy on the use of personal web-based email systems on corporate machines.

14. We have discovered potentially indecent images of children on our servers, but we are unsure who has been downloading them. What should we do?

You should quarantine the images immediately in a secure location, delete any copies you find and then contact the police immediately.

15. We believe we have found indecent images of children on a member of staff’s computer, what should we do? Should we email these images to the Internet Watch Foundation? The web reporting page does not seem to allow us to do this.

Please do not email any images to the Internet Watch Foundation.

If you are concerned about images which are saved on a computer, contact the police.

The Internet Watch Foundation reporting page only allows you to report URLs (webpage addresses), newsgroups and spam relating to indecent images of children online as we deal solely with internet content. You are not able to send individual images or attachments through this service for this reason.

16. I have found indecent images of children on our organisation’s servers and they have been deliberately saved onto a member of staff’s electronic device, what is the appropriate course of action?

You must be careful to ensure that you do not tamper with the evidence chain.

Make sure that copies of the images are quarantined and then contact the police, who will advise you on how best to proceed.

17. A member of staff has been reported to management by a colleague who suspects them of downloading indecent images of children. What should we do now to confirm or deny this allegation?

If you can, you should check your logs of internet use. If this is inconclusive, you should ask permission to view the contents of the computer in question.

If you find URLs (webpage addresses) that you suspect may contain indecent images of children, you can report them to the Internet Watch Foundation and also contact your local police force.

If you find indecent images of children saved onto the computer, you should impound the computer immediately, quarantine it and then alert the police. Do not try to look for more evidence as you may disrupt the evidence.

18. We have found pornographic text stories that contain descriptions of the sexual abuse of children on a member of staff’s computer, is this illegal and what is the appropriate course of action?

It is not currently illegal in the UK to possess stories that describe child sexual abuse. However, this should be a cause for concern and you may wish to provide such information to the police and consider it within your organisational policy on IT use.

19. A member of staff has been surfing sex sites on work computers, but out of hours. We don’t know if they contain criminal images, but we are unsure what to do next.

You should refer to your organisational IT Use Policy regarding use of corporate equipment.

If you believe the sites may contain indecent images of children you should report the URLs (webpage addresses) to the Internet Watch Foundation and police for assessment.

20. Is it illegal for our staff to view “glamour” shots online? Many of our staff regularly visit FHM, the Sun and similar websites which contain such glamour shots.

It is not illegal for adults in the UK to view “glamour” shots of models over 18 years of age. FHM, The Sun and similar online publications adhere strictly to the law and as such, content on these sites should not be criminal.

You may want to consider whether it is appropriate for staff to view such sites in the workplace and as such, whether they should be included as part of your IT Use Policy.

21.If a person reports that they have pop-ups of potentially indecent images of children occurring on their computer, will they have been visiting that type of site, or are there other explanations?

Spam emails can carry scripts that write directly to computers and can deliver pop-up images of pornography and in some cases indecent images of children. Additionally, computers that are not on a secure network can be hijacked and such pop-ups can then occur.

Please report URLs (webpage addresses) you suspect to contain indecent images of children to the Internet Watch Foundation.

22. A member of staff with a wireless laptop claims that they were unaware of images found on their machine. Is it possible that the laptop could have been “hijacked”?

This will depend on the type of connectivity you allow the user to make. If there is open access to the internet, then such “hijacking” is possible. However, if a secure internet service or appropriate encryption and firewall technology are used, then such hijacking is highly unlikely. Your technical support personnel or department should be able to advise accordingly.

23. Are management or personnel liable if they discover indecent images of children on an organisation’s computer or that a member of staff has been viewing indecent images of children on an organisation’s computer and take no action?

Potentially, yes.

Through inaction the organisation could be considered culpable if such a crime is committed under Section 3 of the Protection of Children Act 1978 and a court ruled that this was attributed to neglect on part of the organisation.

The central point to remember is that indecent images of this nature reflect actual abuse of real children.

Dealing with these images in the appropriate manner protects your organisation and your staff. It sends a message of zero tolerance of child abuse and exploitation and promotes the organisation’s Corporate Social Responsibility.

24. If I report webpages with indecent images of children to the Internet Watch Foundation, how do I know they won’t report me to the police?

TheSexual Offence Act 2003 provides a conditional defence if you have been viewing indecent images of children because of the nature of your job as an IT professional or similar and if you have reported the images to the Internet Watch Foundation or the police within a “timely” manner (see the associated Memorandum of Understanding for further clarification).

Additionally, you may report all such instances anonymously if you wish.

There is the following disclaimer on the reporting form:

We will keep your contact details strictly confidential. If you prefer to remain completely anonymous you can do so, but if we need to contact you further about the reported content or you wish to be able to respond back to us with your unique reference number regarding your report then we need some contact details, including an email address.

If you submit your details they will be recorded on the Internet Watch Foundation database for 3 months in case we need to contact you for more information. They will then be deleted in accordance with the Data Protection Act. Your details will not be disclosed to third parties without your permission.

25. We provide our staff with IT equipment to use at home and they can connect remotely into the organisation’s intranet. If staff are using those machines for viewing indecent images of children or other criminal content, what is the organisation’s liability?

The organisation should have a suitable policy in place to cover out of office working. If the organisation does not provide the internet connectivity, nor the security arrangements for that computer whilst liability is severely reduced it could still be an issue.

26. A member of staff has been using the organisation’s systems to send out spam emails, should we report this to the Internet Watch Foundation?

The distribution of spam emails in the UK is an offence under the EU Directive 2002/58/EC on Privacy and Electronic Communications, which was enacted into UK law in December 2003. If the emails direct users to potentially criminal websites, then the Internet Watch Foundation can consider the websites and act accordingly. The police should always be informed of any such activity by an individual or group of individuals.

27. Why is the Internet Watch Foundation authorised to give information on this subject?

The Internet Watch Foundation is the only recognised “authority” other than the UK police that is allowed to consider indecent images of children for breaches of the law. Having been established since 1996, the Internet Watch Foundation has built up a reputation of trust, cooperation and expertise that is recognised throughout industry, law enforcement and government, which ensures that the Internet Watch Foundation’s integrity and assessment is considered to be of the highest order.

The Internet Watch Foundation has a wealth of specialist knowledge which it provides to its various stakeholders to ensure the online safety of UK residents. Through the work of the Internet Watch Foundation and its stakeholders, the amount of UK hosted child abuse content has dropped from 18% in 1997 to less than 1% since 2003.

Glossary of Terms

‘Indecent image of a child’

This refers to any images of children, apparently under 18 years of age, involved in sexual activity or posed to be sexually provocative.

Other terms used to describe these images are: ‘child abuse images’, ‘criminal images of children’, ‘child pornography’ or ‘child porn’ and ‘kiddie porn’.

The Internet Watch Foundation uses the term child sexual abuse content to accurately reflect the gravity of the images we deal with. Please note that child pornography, child porn and kiddie porn are not acceptable terms. The use of such language acts to legitimise images which are not pornography, rather, they are permanent records of children being sexually exploited and as such should be referred to as child sexual abuse images. If you see such content online please report it to the Internet Watch Foundation.

‘Make a report to the Internet Watch Foundation’

This refers to completing the step-by-step reporting form which is accessed via the Internet Watch Foundation website www.iwf.org.uk Reports can only be submitted this way.