Firms must be cautious about ‘eavesdropping’

Legislation conflicts over employers’ rights to monitor employees’ e-mails, phone calls and use of the Internet.

In an attempt to catch up with the evolving world of electronic communications, the Government passed the Regulation of Investigatory Powers Act 2000 (RIP) in July this year. Originally, RIP sought to prohibit businesses from intercepting and monitoring e-mails and telephone conversations between employees and third parties without consent.

But after the consultation process, the Government backtracked, and the result was the Telecommunications (Lawful Business Practice) (Interception of Communication) regulations.

The regulations came into force on 24 October 2000. Their purpose is to allow businesses to intercept communications without consent for certain legitimate purposes, namely:

  • To detect crime and the unauthorised use of telecom systems.

  • To protect against viruses and other similar purposes.

  • To determine whether communications are relevant to the business.

  • For quality control purposes.

Although the regulations remove the requirement to inform all parties that communications may be intercepted, businesses still need to make "all reasonable efforts" to inform users of their telecoms systems that interceptions might take place.

Many heralded the regulations as granting a licence for employers to eavesdrop on their staff. However, at the same time that the regulations were coming into force, the Data Protection Commissioner quietly published a draft code of practice for employers on the use of personal data. Unfortunately this is where matters become complicated.

The draft code of practice deals at some length with best practice for employers on monitoring communications to ensure compliance with the Data Protection Act 1998. Among other things, this Act provided that personal data must be processed in a way that is both lawful and fair to employees.

Therefore any monitoring of communications (in the context of the Act) should not intrude unnecessarily on employees’ privacy or autonomy. The draft code gives this phrase a very wide meaning and interprets it as not just referring to employees’ right not to have their personal information widely known but also a right to determine their own actions without being constantly watched.

In this context, the draft code makes it clear that employers should not monitor the content of e-mails and telephone calls. Private e-mails should not be opened. Third parties making or receiving telephone calls should also be told that calls might be monitored.

There is therefore a clear dichotomy between the so-called eavesdropping regulations and the draft code. This conflict is unlikely to be resolved until at least January 2001, when the consultation period ends and the final version of the draft code is published. To add further confusion, the regulations also appear to conflict with the right to privacy under the Human Rights Act 1998.

What, then, are employers to do? Err on the side of caution is the only sensible approach at present. Any intrusion into employees’ privacy must be in proportion to any benefits obtained by monitoring. Tips would include:

  • A communications policy setting out the circumstances in which employees may use communications for private use.

  • When assessing whether to monitor communications, consider the risks that you may be seeking to control.

  • Consider whether to undertake spot checks rather than continuous monitoring or target areas of higher risk.

  • Limit monitoring to traffic data rather than the contents of the communication.

By Jason Smith, a solicitor in the employment department of Palser Grossman Solicitors

Comments are closed.