New rules on monitoring have led to cries of snoopers’ charter from civil
rights campaigners and trade unions. Malcolm Pike and Joe Glavina ask, are they
justified?
The need for employers to be able to carry out lawful monitoring of their
telephone, e-mail and other electronic communications has long been recognised.
The new business-friendly Telecommunications (Lawful Business Practice)
(Interception of Communications) Regulations 2000 ("the Regulations")
that have recently come into force give employers wide monitoring powers that
can be exercised without the need to get the consent of employees. Not
surprisingly, this has led to cries of a snoopers’ charter from civil rights
campaigners and trade unions alike. But are they justified?
When introducing the new rules, the Government intended to balance the
interests of employers (to carry out monitoring) with the interests of
employees (to enjoy privacy) and they extended the consultation period to be
sure they got it right.
The result is legislation that appears to be significantly biased towards
employers. However, the Regulations should not be considered in isolation. The key point
is that these new rules represent just one dimension to the privacy-related
legislation protecting employees’ rights in this country.
Taken together with the Data Protection Act 1998 ("DPA") and the
Human Rights Act 1998 ("HRA"), the overall package is far from a
snoopers’ charter.
Background: the Regulation of Investigatory Powers Act 2000 (RIPA).
The Regulation of Investigatory Powers Act 2000 ("RIPA") came into
force in October 2000 and established the new legal framework governing the
interception of communications. Basically, it reflects changes that have taken
place in the communications industry over the past 15 years. It sets out the
rules regarding recording, monitoring or diverting communications in the course
of their transmission by way of a public or private telecommunications system,
and so brings private businesses within the scope of regulation. Most employers
operate an office network that is linked to the public network and so RIPA
applies to those networks (although an entirely self-standing system, such as
an office intranet, is not covered).
RIPA, which is in five parts, implements Article 5 of the Telecommunications
Data Protection Directive (97/66/EC) and repeals the existing arrangements for
the interception of communications that were established by the Interception of
Communications Act 1985. In brief, the Directive requires member states to
protect the confidentiality of communications and specifically prohibits
activities such as recording or tapping by others. In the past, businesses
operating private telecoms systems were at liberty to carry out monitoring on
their own systems.
Under RIPA, however, businesses will now need to ensure that their actions
are legally authorised. An employer that unlawfully intercepts a telephone call
or e-mail on its own system risks being sued by the maker or sender, or the
recipient or intended recipient. The remedy is an injunction or, if the
claimant can show they suffered a loss as a result of the interception,
damages.
According to the new regime, monitoring may be authorised in two ways:
either with consent under RIPA, or, alternatively, in certain circumstances,
without consent under the Regulations. In the case of monitoring with consent,
RIPA requires the employer to have reasonable grounds for believing that both
the sender and the intended recipient have consented. The obvious problem for
employers will be communicating effectively with third parties outside the
workplace.
As a minimum, companies would need to give third parties a clear opportunity
to refuse consent and to be able to continue with the communication without
being monitored. Apart from the cost, this poses a number of practical
difficulties and, for this reason, the Regulations, which dispense with the
need for consent in various circumstances, are far more important for employers
intending to carry out monitoring.
The Lawful Business Practice Regulations
The purpose of the Regulations is to provide for circumstances where it will
be lawful for businesses to intercept communications without consent. The
consultation paper published in the summer provided a draft of the Regulations
but came under heavy criticism from businesses for failing to allow routine
interceptions for operational purposes such as backing up, forwarding e-mails
to the correct destination and checking voicemail systems during staff absence.
The lobbying was successful and while employers are still required to inform
staff, the final version of the Regulations gives businesses very wide scope
for carrying out monitoring without consent.
Authorised interceptions
The Regulations authorise employers to monitor and record the contents of a
communication without consent for the following purposes:
– To establish the existence of facts – for example, keeping records of the
terms of an agreement discussed over the telephone.
– To ascertain compliance with regulatory or self-regulatory practices or
procedures relevant to the business – for example, monitoring to enable the
employer to check the business is complying with its own policies (its own
e-mail policy for example).
– To ascertain or demonstrate standards that are or ought to be achieved by
persons using the telecoms systems – for example, monitoring for purposes of
quality control or staff training.
– To prevent or detect crime – for example, monitoring staff e-mails to
detect evidence of fraud or corruption or preventing the downloading and
publication of pornographic material from the Internet.
– To investigate or detect the unauthorised use of the telecommunications
system – for example, monitoring to ensure that employees do not breach company
policies. In practice, this is likely to prove the most important source of
authority for employers and will allow them to monitor employees’ e-mails as
part of a disciplinary investigation. But for this authority, an employer that
carried out monitoring without consent as a means of gathering evidence would
risk an employment tribunal finding any subsequent dismissal to be unfair by
reason of the unlawfulness of the investigation (leaving the employer with only
a contributory fault argument).
– To ensure the effective operation of the system – for example, monitoring
for viruses or to prevent hackers.
The Regulations also authorise businesses to monitor, but not record, without
consent in the following two situations:
– For the purpose of determining whether or not the communications are
relevant to the business – for example, checking e-mail accounts to access
business communications in the absence of staff.
– For the purpose of monitoring communications to a confidential anonymous
counselling or support helpline – for example, charities that provide
confidential or welfare helplines where there is a need to monitor calls to
their counselling helplines in order to protect their staff.
The requirement to inform staff before monitoring
While the Regulations dispense with consent, businesses intending to carry
out monitoring without consent must nevertheless make all reasonable efforts to
inform "every person who may use the telecommunications system in
question" that monitoring may be carried out.
The draft version of the Regulations required not only the employer’s staff
to be informed but also the third parties to the communication. Not
surprisingly, businesses were concerned about the additional costs of setting
up systems to inform third parties and the practical difficulties involved.
For example, while it might be easy in relation to telephone calls to play a
recorded message that informs the user that the call may be recorded, it would
be more problematic in relation to e-mails sent by third parties to the
company. How does an employer inform the sender before the e-mail is despatched
that the e-mail may be intercepted?
Although the duty is to make "all reasonable efforts to inform",
the Government bowed to pressure and dropped the requirement to inform third
parties. It did, however, retain the requirement for employers to inform their
own staff and this is now a key feature of the new regime. For most, it should
be relatively straightforward and can be achieved by implementing an effective
communications policy (for example, an e-mail policy that extends to Internet
and telephone use) and taking the usual steps to bring it to the attention of
staff. In light of these new rules, existing policies of this type should be
checked, and if necessary, amended, to refer specifically to the Regulations,
or at least to reflect the scope of any monitoring that the employer intends
to carry out.
The Data Protection Act 1998
It is important to realise that compliance with the Regulations does not give
companies carte blanche to carry out monitoring. Companies recording telephone
calls or filtering e-mails will almost certainly be processing personal data
for the purposes of the DPA.
Obtaining or recording communications by means of automated equipment and
holding or processing personal data after the initial interception has taken
place will fall within the data protection legislation that says that
processing should be both lawful and fair.
The Data Protection Commissioner published on her Website on 9 October a
draft code of practice on the use of personal data in employer/employee
relationships that specifically considers the question of e-mail and telephone
monitoring.
Unfortunately, the Regulations were published too late for the Commissioner
to take them into account and it remains unclear how the Regulations and the
DPA inter-relate. A prime concern is that monitoring that is lawful under, and
in compliance with, the Regulations could still be in breach of the DPA.
It is to be hoped that when the final version of the code is published,
following a period of consultation that ends on 5 January 2001, this issue will
be clarified. In the meantime, companies carrying out monitoring in compliance
with the Regulations will have a strong argument that processing is
"necessary for purposes of legitimate interests pursued by the data
controller" and so lawful under the DPA too.
Nevertheless, as the assistant data protection commissioner has been at
pains to point out, that only clears the lawfulness hurdle: staff still have to
be treated fairly. The code sets out a list of data protection standards (for
example, suggesting as a first step that employers carry out
"traffic" monitoring to determine whether the system is being abused)
which, if followed, would help achieve fairness.
So, mere compliance with the Lawful Business Practice Regulations is not
necessarily enough. Employers need to be aware that they should only be
monitoring where there is a real business need and the methods used should be
proportionate and not unduly intrusive into an employee’s privacy.
Human Rights Act 1998
Whilst the Human Rights Act does not create direct obligations towards
employees outside the public sector, employment tribunals will be required to
interpret existing UK employment law in line with the principles of the
European Convention on Human Rights and its associated case law.
Article 8 of the Convention provides for the right to respect for private and
family life, home and correspondence and this extends to the workplace. The
case law under the Convention, however, makes it clear that employees cannot
expect privacy if they are made aware that their employer reserves the right to
carry out monitoring. This means that employers who comply with the Lawful
Business Practice Regulations and who implement a communication policy which
they bring to the notice of their staff are unlikely to breach the right to
privacy.
On a cautionary note, there is a hidden trap, however. Employers that
implement a policy but do not carry out monitoring may be feeding a false
expectation of privacy. If monitoring is introduced at a later date then staff
should be issued with a further warning.
Conclusion
Given the absence of case law under the HRA and the failure of the Data
Protection Commissioner’s code to address the Lawful Business Practice
Regulations, the privacy laws relating to monitoring could be clearer but they
are far from being a snoopers’ charter. The requirement to make "all
reasonable efforts" to inform staff (Lawful Business Practice Regulations)
and the rules of proportionality (HRA and DPA) provide significant protection
for staff. Provided employers have a legitimate reason for monitoring and clear
policies that are communicated to staff there should be few complaints.
Malcolm Pike is a deputy managing partner and Joe Glavina is a
professional support lawyer at Addleshaw Booth