Here we explain the legislation regarding how organisations can monitor calls and e-mails made by their employees.
The Regulation of Investigatory Powers Act 2000 came into force on 24 October 2000. The act governs the interception of communications over both public and private networks.
The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 came into force on 24 October 2000, published under the act. They were amended by the Privacy and Electronic Communications (EC Directive) Regulations 2003, which came into force on 11 December 2003.
What do the regulations cover?
The regulations are designed to protect businesses when they intercept communications for legitimate purposes and they cover the interception of communications, which are transmitted by means of a telecommunications system. This includes internal and external e-mails, faxes, telephone calls and voicemail.
When can an employer intercept the communications of its employees?
A private sector employer can lawfully intercept communications if the employee has consented and where the employee has not consented, but the employer is acting within the scope of the regulations.
The regulations allow an employer to intercept communications without consent for the purpose of monitoring or keeping a record in the following circumstances:
- To establish the existence of facts relevant to the business
- To check the business is complying with self-regulatory practices or procedures
- To ensure appropriate quality standards are maintained
- In the interests of national security
- To prevent or detect crime
- To investigate or detect unauthorised use of the telecommunications system
- To ensure the effective operation of the telecommunications system.
Employers may also monitor, but not record without consent:
- for the purpose of determining whether or not communications are relevant to the business or
- communications to a confidential anonymous counselling or support help line.
What else do employers need to know?
Monitoring or recording should be limited to those circumstances where it is necessary and relevant to the employer’s business.
In addition, if employers intend to make interceptions without consent for any of the above purposes, they are required to make all reasonable efforts to inform employees that their communications may be intercepted.
Have there been any codes of practice on monitoring?
The Information Commissioner has published the Employment Practices Data Protection Code. The code is in four parts and part three is entitled Monitoring at Work. The Information Commissioner has also produced supplementary guidance to part three of the code.
The code does not simply apply to employees, but also to workers, which includes job applicants, agency workers, and casual workers.
What guidance does part three of the code provide to employers?
It provides guidance to employers on complying with the Data Protection Act 1998. It does not create any new law, but provides guidance on best practice. It outlines the circumstances when an employer can monitor its workers’ electronic communications including e-mails, internet use, telephone calls and faxes.
Part three of the code also provides information on carrying out impact assessments and includes various good practice recommendations dealing with the general approach to monitoring, monitoring electronic communications, video and audio monitoring, covert monitoring, in-vehicle monitoring and monitoring through information from third parties.
The code includes the following guidance:
- Before you decide to monitor, consider the purpose – why do you want to carry out monitoring?
- After establishing that there is a legitimate purpose, carry out an impact assessment. Assess the benefit to be gained by the monitoring, the adverse impact it may have on the worker, and whether an alternative method could be used. Any adverse impact on the worker must be justified
- Ensure workers know the nature, extent and reasons for the monitoring, unless covert monitoring is justified
- Use information obtained through monitoring only for the purpose for which monitoring was carried out, unless the activity you find is so serious it cannot be ignored
- Allow as few people as possible to access the information obtained via monitoring
- Be careful about opening workers’ e-mails where it is clear the e-mail is personal. Try to confine monitoring to the address/subject matter
- Ensure workers have a right of access to information which is obtained or kept through monitoring.
Have there been any other codes of practice?
Separately from part three of the Code, the Information Commissioner has issued the following codes of practice:
- CCTV Code of Practice (published July 2000)
- CCTV Small User Checklist – Data Protection Act 1998 Compliance Advice (published September 2002)
- CCTV Systems and the Data Protection Act 1998 – Guidance Note on when the Act applies (published 1 February 2004)
The guidance note produced on 1 February 2004, CCTV Systems and the Data Protection Act 1998, seeks to interpret the significant judgment in Durant vs FSA which affected whether particular CCTV Activities are covered by the Data Protection Act 1998.
Are codes of practice legally binding?
Codes of practice are not legally binding, but they will certainly be taken into account by courts and tribunals.
Visit the Information Commissioner’s website for a copy of the codes: www.informationcommissioner.gov.uk
DTI website: www.dti.gov.uk