
The age of consent

In the final part of our definitive guide to network management, Dino Wilkinson examines some of the legal concerns around communications and monitoring staff emails

Written by Dino Wilkinson

"A monitoring policy should set out clear limits on use and the extent to which private use of the network is permitted, and explain the purpose of such monitoring."

Dino Wilkinson, senior associate, communications, media and technology, Norton Rose LLP

Implementing and managing a corporate IT network does not simply create issues of a technical nature; there are also a number of legal factors to consider. Managing and monitoring data and content can present a number of serious issues.

I want to monitor email communications sent by staff as well as their use of the internet – are there any legal restrictions to stop me?

Many employers are nervous about the potential for an errant email to cause embarrassment to their business. Email monitoring may seem like a simple safeguard, but there are a number of laws and regulations that govern the extent to which employers can monitor the electronic correspondence of their staff.

Such monitoring may be prohibited by the Regulation of Investigatory Powers Act 2000 (RIPA). Under RIPA, it is an offence to intercept without authority any communication in the course of its transmission by means of a public postal service or a public telecommunication system.

As well as criminal liability under RIPA, monitoring of communications could be seen as an infringement of data protection rights. In this regard, the Employment Practices Data Protection Code, Part 3: Monitoring at Work provides a number of good practice recommendations, with the aim of striking a balance between the legitimate expectations of workers and employers.

What are the consequences of monitoring without the knowledge of my employees?

Interception of communications without authority is a criminal offence under RIPA. Criminal liability can be excluded where the interception is made by a person with a right to control the operation or the use of the system, or where there is express or implied consent to make an interception.

Interpretation by English courts on the meaning of control in various cases makes it unlikely that employers would be able to rely on the first of these exclusions. Accordingly, you should ensure that consent has been obtained from employees in respect of email monitoring to protect against criminal liability under RIPA.

Within English employment law, there is also an implied duty of trust in the contract between employer and employee. Secret and unjustified monitoring could be deemed a breach of duty and, if the employee resigns as a result, this could give rise to a claim for constructive dismissal by the employee.

Staff should be made aware of any company monitoring policy from the start of their employment and perhaps given periodic reminders or training. Employers should also make regular checks to ensure that the policy is being enforced; failure to do so might create an argument for employees that the policy is not enforceable as it was not being applied by the organisation.

Are there any circumstances where I can monitor emails without notifying employees?

RIPA permits an employer to monitor an employee’s email and internet usage in the absence of consent if the purpose of the monitoring is:

  • To establish the existence of facts relevant to the business, such as checking email accounts to access business communications during staff absences.
  • To ascertain compliance with regulatory or self-regulatory practices or procedures relevant to the business.
  • To ascertain or demonstrate standards that should be achieved by persons using the system in the course of their duties, such as quality control or staff training.
  • In the interests of national security.
  • To prevent or detect crime, such as to detect fraud or corruption.
  • To investigate or detect the unauthorised use of that or any other telecommunications system, such as to ensure employees do not breach company rules regarding use of the telecommunication system.
  • To ensure the effective operation of the system. For example, monitoring for viruses or other threats to the system and automated processes, such as caching or load distribution.

In addition, the Employment Practices Data Protection Code is primarily directed at systematic monitoring; that is, regular and indiscriminate monitoring by the employer.

The code recognises there may be a need for occasional short-term monitoring in certain situations, for example monitoring the content of emails of an employee suspected of racial harassment or installing hidden cameras if workers are suspected of illegal activities.

An important point to note is that the Data Protection Act will still apply to the latter type of monitoring, so appropriate consideration should be given to the relevant legislation before implementing even this level of observation.

What steps does the company need to take if my board decides that it wants to establish a systematic monitoring programme?

One of the key recommendations of the Employment Practices Data Protection Code is that employers should conduct an impact assessment exercise to determine whether the monitoring is a proportionate response to the problem it seeks to address.

Employers are also recommended to establish a policy and communicate it to workers. The policy should set out clear limits on use and the extent to which private use of the network is permitted. Where any monitoring is to be conducted, the purpose of such monitoring should be explained.

We would recommend that companies consider whether there is an objectively justifiable reason for monitoring and whether the aim of the monitoring could be achieved in less intrusive ways.

Another important aspect to consider is the reaction of your employees to being monitored: would the introduction of systematic monitoring have an adverse impact on the relationship between employees and the employer?

If, on reflection, an adverse impact is likely, then you need to weigh up the benefit of taking action against the potential damage to morale.

Are there any legal risks in relation to operating wireless networks?

The same obligations in respect of data flows, monitoring and other aspects apply to all types of network, whether the technology is fixed or wireless. However, the use of wireless networks carries a potentially greater risk of unlawful access and should be an additional consideration in relation to legal compliance.

It may be that the network supplier is confident of the security aspects, in which case appropriate assurances may be provided in the contract.

It should also be noted that there are offences in UK legislation relating to unauthorised access to computer systems and dishonestly obtaining electronic communications services under the Computer Misuse Act 1990 and the Communications Act 2003.

The first “war-driving” conviction in the UK saw a man fined in 2005 under the latter piece of legislation, although loss of trade secrets and other commercially sensitive information may be of more concern to the average business than unauthorised use of a broadband connection.

If I am outsourcing some of my network management functions, does the outsourcer take on the legal responsibilities in relation to data legislation compliance?

The Data Protection Act distinguishes between a data controller and a data processor. If you collect personal data in relation to your employees or customers and determine the purpose and manner in which that data is processed, you will fall within the category of data controller.

You may delegate some of the processing to a third party – the data processor – subject to certain restrictions; for example, you must have a contract in writing under which the data processor agrees to act only on your instructions.

However, you will remain the data controller for the purposes of the Data Protection Act and will still be subject to the same obligations. Accordingly, it is important that the contract with third party processors includes proper measures and controls to safeguard data that is being processed on your behalf.

The importance is particularly acute when services are offshored to foreign countries, where the service recipient needs to be careful to ensure they retain overall management of the contract for both legal and commercial reasons.

Some of the key areas to consider in relation to legal or regulatory compliance within the outsourcing of any aspects of network management are:

  • Monitoring and governance: ensuring accurate, detailed and timely reports are produced by suppliers and having a suitable governance model in place to monitor performance under the contract.
  • Audit and access rights: the ability for the customer (and, importantly, regulatory bodies and other relevant authorities) to be able to access information and premises of the supplier.
  • Service levels: ensuring that key performance indicators and service levels reflect required standards that might vary between regions.
  • Business continuity and disaster recovery: these provisions will be important from a commercial perspective, as well as frequently being a regulatory requirement.

Dino Wilkinson is a senior associate in the communications, media and technology team at international legal practice Norton Rose LLP

Next week: part one of Computing’s definitive guide to personal computing
