There are a number of reasons why a company may wish to monitor and record employee use of the internet and communications systems such as email, telephone or web browsing. Employees are representatives of the business and thus any illegal or otherwise questionable use of such systems could lead to embarrassment for the company, resulting in a damaged reputation and/or loss of custom. Further, if not adequately checked, use of these systems may lead to potential liability, for example for copyright infringement or employee negligence. In addition, companies need to ensure that confidential information and trade secrets are not being leaked.
The legislation
A plethora of legislation exists which must be considered, including the Regulation of Investigatory Powers Act 2000 (“RIPA”), the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) (the “LBP Regulations”) and the Data Protection Act 1998 (“DPA”).
Under RIPA, it is an offence to monitor or record communications in order to make the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient. The LBP Regulations set out when communications can be monitored or recorded, such as for establishing the existence of facts, ascertaining compliance with regulatory or self-regulatory practices or procedures, or ascertaining or demonstrating the standards which are achieved or ought to be achieved by staff. Employers must ensure that they have made all reasonable efforts to inform every user of the relevant system that communications may be intercepted.
Monitoring IT and communications systems in the workplace is likely to involve the processing of personal data. It is therefore subject to the DPA. Under the DPA, the processing of personal data must be “fair” and “lawful”. To be “fair”, employers should inform employees of, for example, the method by which monitoring will take place and the purpose for which the information is being processed. You do not necessarily need the employee’s consent in order to carry out the monitoring, but unless you obtain it, you will need to have some legitimate reason.
Measures to help compliance
The Information Commissioner’s Code recommends that an impact assessment is undertaken to demonstrate that the correct balance exists between allowing staff to enjoy privacy in the workplace and ensuring that the interests of the company’s business are protected. Whilst the Code states that there is no need for the impact assessment to be a formal or complicated exercise, it is advisable that an assessment is carried out, recording the process undertaken and its findings, and writing up the conclusions found. This will assist for evidential purposes if required. An impact assessment may be based on the following questions:
It is important that employers have a Communications Policy in place which adequately informs employees about the monitoring activities and that employment contracts are drafted to ensure that employees provide their consent to such activities where necessary.