Previous Article Next Article New rules on monitoring have led to cries of snoopers’ charter from civilrights campaigners and trade unions. Malcolm Pike and Joe Glavina ask, are theyjustified?The need for employers to be able to carry out lawful monitoring of theirtelephone, e-mail and other electronic communications has long been recognised.The new business-friendly Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 (“the Regulations”)that have recently come into force give employers wide monitoring powers thatcan be exercised without the need to get consent of employees. Notsurprisingly, this has led to cries of a snoopers’ charter from civil rightscampaigners and trade unions alike. But are they justified? When introducing the new rules the Government intended balancing theinterests of employers (to carry out monitoring) with the interests ofemployees (to enjoy privacy) and they extended the consultation period to besure they got it right. The result is legislation that appears to be significantly biased towardsemployers. However, they should not be considered in isolation. The key pointis that these new rules represent just one dimension to the privacy-relatedlegislation protecting employees’ rights in this country. Taken together with the Data Protection Act 1998 (“DPA”) and theHuman Rights Act 1998 (“HRA”), the overall package is far from asnoopers’ charter. Background: the Regulation of Investigatory Powers Act 2000 (RIPA). The Regulation of Investigatory Powers Act 2000 (“RIPA”) came intoforce in October 2000 and established the new legal framework governing theinterception of communications. Basically, it reflects changes that have takenplace in the communications industry over the past 15 years. It sets out therules regarding recording, monitoring or diverting communications in the courseof their transmission by way of a public or private telecommunications system,and so brings private businesses within the scope of regulation. Most employersoperate an office network that is linked to the public network and so RIPAapplies to those networks (although an entirely self-standing system, such asan office intranet, is not covered). RIPA, which is in five parts, implements Article 5 of the TelecommunicationsData Protection Directive (97/66/EC) and repeals the existing arrangements forthe interception of communications that were established by the Interception ofCommunications Act 1985. In brief, the Directive requires member states toprotect the confidentiality of communications and specifically prohibitsactivities such as recording or tapping by others. In the past, businessesoperating private telecoms systems were at liberty to carry out monitoring ontheir own systems. Under RIPA, however, businesses will now need to ensure that their actionsare legally authorised. An employer that unlawfully intercepts a telephone callor e-mail on its own system risks being sued by the maker or sender, or therecipient or intended recipient. The remedy is an injunction or, if theclaimant can show they suffered a loss as a result of the interception,damages. According to the new regime, monitoring may be authorised in two ways:either with consent under RIPA, or, alternatively, in certain circumstances,without consent under the Regulations. In the case of monitoring with consent,RIPA requires the employer to have reasonable grounds for believing that boththe sender and the intended recipient have consented. The obvious problem foremployers will be communicating effectively with third parties outside theworkplace. As a minimum, companies would need to give third-parties a clear opportunityto refuse consent and to be able to continue with the communication withoutbeing monitored. Apart from the cost, this poses a number of practicaldifficulties and, for this reason, the Regulations, which dispense with theneed for consent in various circumstances, are far more important for employersintending to carry out monitoring. The Lawful Business Practice Regulations The purpose of the Regulations is to provide for circumstances where it willbe lawful for businesses to intercept communications without consent. Theconsultation paper published in the summer provided a draft of the Regulationsbut came under heavy criticism from businesses for failing to allow routineinterceptions for operational purposes such as backing up, forwarding e-mailsto the correct destination and checking voicemail systems during staff absence.The lobbying was successful and while employers are still required to informstaff, the final version of the Regulations gives businesses very wide scopefor carrying out monitoring without consent. Authorised interceptions The Regulations authorise employers to monitor and record the contents of acommunication without consent for the following purposes: – To establish the existence of facts – for example, keeping records of theterms of an agreement discussed over the telephone. – To ascertain compliance with regulatory or self regulatory practices orprocedures relevant to the business – for example, monitoring to enable theemployer to check the business is complying with its own policies (its owne-mail policy for example). – To ascertain or demonstrate standards that are or ought to be achieved bypersons using the telecoms systems – for example, monitoring for purposes ofquality control or staff training. – To prevent or detect crime – for example, monitoring staff e-mails todetect evidence of fraud or corruption or preventing the downloading andpublication of pornographic material from the Internet. – To investigate or detect the unauthorised use of the telecommunicationssystem – for example, monitoring to ensure that employees do not breach companypolicies. In practice, this is likely to prove the most important source ofauthority for employers and will allow them to monitor employees’ e-mails aspart of a disciplinary investigation. But for this authority, an employer thatcarried out monitoring without consent as a means of gathering evidence wouldrisk an employment tribunal finding any subsequent dismissal to be unfair byreason of the unlawfulness of the investigation (leaving the employer with onlya contributory fault argument). – To ensure the effective operation of the system – for example, monitoringfor viruses or to prevent hackers. TheRegulations also authorise businesses to monitor, but not record, withoutconsent in the following two situations: – For the purpose of determining whether or not the communications arerelevant to the business – for example, checking e-mail accounts to accessbusiness communications in the absence of staff. – For the purpose of monitoring communications to a confidential anonymouscounselling or support helpline – for example, charities that provideconfidential or welfare helplines where there is a need to monitor calls totheir counselling helplines in order to protect their staff. The requirement to inform staff before monitoring While the Regulations dispense with consent, businesses intending to carryout monitoring without consent must nevertheless make all reasonable efforts toinform “every person who may use the telecommunications system inquestion” that monitoring may be carried out. The draft version of the Regulations required not only the employer’s staffto be informed but also the third-parties to the communication. Notsurprisingly, businesses were concerned about the additional costs of settingup systems to inform third parties and the practical difficulties involved. For example, while it might be easy in relation to telephone calls to play arecorded message that informs the user that the call may be recorded, it wouldbe more problematic in relation to e-mails sent by third parties to thecompany. How does an employer inform the sender before the e-mail is despatchedthat the e-mail may be intercepted? Although the duty is to make “all reasonable efforts to inform”,the Government bowed to pressure and dropped the requirement to inform thirdparties. It did, however, retain the requirement for employers to inform theirown staff and this is now a key feature of the new regime. For most, it shouldbe relatively straightforward and can be achieved by implementing an effectivecommunications policy (for example, an e-mail policy that extends to Internetand telephone use) and taking the usual steps to bring it to the attention ofstaff. In light of these new rules, existing policies of this type should bechecked, and if necessary, amended, to refer specifically to the Regulations,or at least to reflect the scope of any monitoring that the employer intendscarrying out. The Data Protection Act 1998 It is important to realise that compliance with the Regulations does not givecompanies carte blanche to carry out monitoring. Companies recording telephonecalls or filtering e-mails will almost certainly be processing personal datafor the purposes of the DPA. Obtaining or recording communications by means of automated equipment andholding or processing personal data after the initial interception has takenplace will fall within the data protection legislation that says thatprocessing should be both lawful and fair. The Data Protection Commissioner published on her Website on 9 October adraft code of practice on the use of personal data in employer/employeerelationships that specifically considers the question of e-mail and telephonemonitoring. Unfortunately, the Regulations were published too late for the Commissionerto take them into account and it remains unclear how the Regulations and theDPA inter-relate. A prime concern is that monitoring that is lawful under, andin compliance with, the Regulations could still be in breach of the DPA. It is to be hoped that when the final version of the code is published,following a period of consultation that ends on 5 January 2001, this issue willbe clarified. In the meantime, companies carrying out monitoring in compliancewith the Regulations will have a strong argument that processing is”necessary for purposes of legitimate interests pursued by the datacontroller” and so lawful under the DPA too. Nevertheless, as the assistant data protection commissioner has been atpains to point out, that only clears the lawfulness hurdle: staff still have tobe treated fairly. The code sets out a list of data protection standards (forexample, suggesting as a first step that employers carry out”traffic” monitoring to determine whether the system is being abusedwhich, if followed, would help achieve fairness. So, mere compliance with the Lawful Business Practice Regulations is notnecessarily enough. Employers need to be aware that they should only bemonitoring where there is a real business need and the methods used should beproportionate and not unduly intrusive into an employee’s privacy. Human Rights Act 1998 Whilst the Human Rights Act does not create direct obligations towardsemployees outside the public sector, employment tribunals will be required tointerpret existing UK employment law in line with the principles of theEuropean Convention on Human Rights and its associated case law. Article 8 of the Convention provides for the right to respect private andfamily life, home and correspondence and this extends to the workplace. Thecase law under the Convention, however, makes it clear that employees cannotexpect privacy if they are made aware that their employer reserves the right tocarry out monitoring. This means that employers who comply with the LawfulBusiness Practice Regulations and who implement a communication policy whichthey bring to the notice of their staff are unlikely to breach the right toprivacy. On a cautionary note, there is a hidden trap, however. Employers thatimplement a policy but do not carry out monitoring may be feeding a falseexpectation of privacy. If monitoring is introduced at a later date then staffshould be issued with a further warning. Conclusion Given the absence of case law under the HRA and the failure of the DataProtection Commissioner’s code to address the Lawful Business PracticeRegulations, the privacy laws relating to monitoring could be clearer but theyare far from being a snoopers’ charter. The requirement to make “allreasonable efforts” to inform staff (Lawful Business Practice Regulations)and the rules of proportionality (HRA and DPA) provide significant protectionfor staff. Provided employers have a legitimate reason for monitoring and clearpolices that are communicated to staff there should be few complaints. Malcolm Pike is a deputy managing partner and Joe Glavina is aprofessional support lawyer at Addleshaw Booth Comments are closed. Monitoring: A snoopers’ charter?On 1 Dec 2000 in Personnel Today Related posts:No related photos.