E-mail monitoring and the law
The law on e-mail monitoring can be confusing, because there are several pieces of legislation to consider. The main ones are the Data Protection Act 1998, the Regulation of Investigatory Powers Act 2000 and the Human Rights Act 1998, all of which limit the extent to which one can intrude on the privacy of others.
Monitoring of e-mail usually involves the interception of communications. The Regulation of Investigatory Powers Act makes it an offence to intercept communications on a private telecommunications network, as well as on a public one. It is a civil offence rather than a criminal one, and it allows those affected to claim compensation against the wrongdoer. However, interception is lawful if it is done in accordance with the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 ('the Regulations'). The Regulations allow businesses to monitor for fundamental purposes such as preventing and detecting crime, and for more mundane purposes such as "ascertaining the existence of facts". Monitoring of communications that are not relevant to the business concerned will not be lawful, nor will the monitoring of systems that are for private use only. The owner of the system must make reasonable efforts to inform all users, external and internal, of the monitoring. This should be done by means of the Acceptable Use Policy, but it can also be done by splash screens and by e-mail footers that inform external users that monitoring is taking place. A copy of the Regulations can be obtained at http://www.opsi.gov.uk/, and there is a useful explanatory note at the end of the Regulations. The DTI has also published useful guidance at www.dti.gov.uk.
The Data Protection Act is relevant because it governs the processing of personal data, and e-mail monitoring constitutes the processing of personal data. The current legal position is that information from which a living individual can be recognised, and which is processed automatically (e.g. by computer), is personal data where the information is focussed on the individual, is significantly biographical and is capable of affecting privacy. Whilst not every e-mail will necessarily contain personal data, many will. Usually the organisation that controls the internal e-mail system will be a data controller. The data controller has an obligation to comply with the eight data protection principles in relation to the processing of personal data.
The major thing to take into account when monitoring is that data protection principle one requires all processing of personal data to be fair and lawful. What is fair is interpreted in the normal sense of the word. Generally, you should ensure there are no surprises for those who are subject to the monitoring as to the nature of the monitoring. You must also comply with all the other relevant pieces of law, or you will also breach this Act. The ideal place to give details of the monitoring will, again, be your Acceptable Use Policy. The Data Protection Act will require you to give slightly more information about the monitoring than the Regulations would. This requirement, as with the Regulations, would require you to make external users aware of the monitoring. Part III of the Information Commissioner's Employment Practices Code deals with monitoring and is available at www.ico.gov.uk.
The Human Rights Act provides that everyone has the right to a private life and to the privacy of his correspondence. This is a qualified right, which means that it can be infringed provided that the infringement is sanctioned by law, is necessary in a democratic society and is proportionate given the harm that is protected against. For example, it is accepted that the threat posed by terrorists is sufficient to justify monitoring of communications. The Human Rights Act is directly enforceable against public bodies, but it affects private sector organisations because the courts, as public bodies, are required to make their decisions in line with the rights in the Human Rights Act. In practice, to comply with this, your organisation will need to assess and document the threats that it is trying to protect against by monitoring. If ever challenged, it will need to show that the monitoring is only as intrusive as is needed to secure that protection. Generally, the privacy of the sender of private e-mails should be respected. Employers can be robust in telling their staff that there can be no expectation of privacy if the business system is used for private e-mail. However, notwithstanding this, if an e-mail is clearly private, the privacy of the individual should still be respected unless there are good reasons not to.