Big brother – monitoring employee use of IT and communications systems – the legal considerations

There are a number of reasons why a company may wish to monitor and record employee use of the internet and communications systems such as email, telephone or web browsing. Employee’s are representatives of the business and thus any illegal or otherwise questionable use of such systems could lead to embarrassment for the company, leading to a damaged reputation and/or loss of custom. Further, if not adequately checked, use of these systems may lead to potential liability for, for example, copyright infringement or employee negligence. In addition, companies need to ensure that confidential information and trade secrets are not being leaked.

The legislation

A plethora of legislation exists which must be considered, including the Regulation of Investigatory Powers Act 2000 (“RIPA”), the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699) (the “LBP Regulations”) and the Data Protection Act 1998 (“DPA”).

Under RIPA, it is an offence to monitor or record communications in order to make the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient. The LBP Regulations set out when communications can be monitored or recorded, such as for establishing the existence of facts, ascertaining compliance with regulatory or self-regulatory practices or procedures, or ascertaining or demonstrating the standards which are achieved or ought to be achieved by staff. Employers must ensure that they have made all reasonable efforts to inform every user of the relevant system that communications may be intercepted.

Monitoring IT and communications systems in the workplace is likely to involve the processing of personal data. It is therefore subject to the DPA. Under the DPA, the processing of personal data must be “fair” and “lawful”. To be “fair”, employers should inform employees of, for example, the method by which monitoring will take place and the purpose for which the information is being processed. You do not necessarily need the employee’s consent in order to carry out the monitoring, but unless you do so, you will need to have some legitimate reason.

Measures to help compliance

1. Personal data must be obtained only for specified lawful purposes and must not be processed in a manner which is incompatible with those purposes.
   • The employee should understand: how and why the monitoring takes place; the circumstances in which it will take place; the information which will be collected and how it will be used; and who the information will be disclosed to. These details should be contained in an appropriate Communications Policy.
   • You should be pro-active in ensuring that employees are aware of the Communications Policy. This may be done by bringing it to their attention and explaining it clearly as an induction process for new employees and carrying out regular training.
2. The data collected should be adequate, relevant and not excessive for the purposes for which it is processed.
   • Is the reasoning for the monitoring sufficient to justify an intrusion into an employee’s personal life? Are the means of monitoring proportionate to meet those needs?
   • A practical example – in relation to the monitoring of emails, it is more likely to be proportionate if you monitor the subject headings of emails rather than the contents of emails.
3. There should be appropriate technical and organisational measures to protect the personal data from unauthorised or unlawful processing and accidental loss, destruction or damage.  Some measures which may assist in satisfying this obligation include:
    
   • appointing someone with the necessary authority to have day to day responsibility for security measures;
   • training staff so that they understand the importance of protecting personal data; and
   • putting in place technical (for example, encryption) and physical (for example, locks and alarms) security measures.

The Information Commissioner’s Code recommends that an impact assessment is undertaken to demonstrate that the correct balance exists between allowing staff to enjoy privacy in the workplace and ensuring that the interests of the company’s business are protected. Whilst the Code states that there is no need for the impact assessment to be a formal or complicated exercise, it is advisable that an assessment is carried out, recording the process undertaken and its findings, and writing up the conclusions found. This will assist for evidential purposes if required. An impact assessment may be based on the following questions:

• What are the purposes and benefits sought from the monitoring?
• Are there any adverse impacts?
• Are there any alternatives to the monitoring or different means by which the monitoring could take place?
• What are the company’s obligations arising from the monitoring?
• Is the monitoring justified?

It is important that employers have a Communications Policy in place which adequately informs employees about the monitoring activities and that employment contracts are drafted to ensure that employees provide their consent to such activities where necessary.