A usage policy is imperative
Executive director, Tif
There are clearly contradictions in existing legislation. Recent government guidance and legal advice is to ensure the existence of legitimate business reasons for monitoring, and to be able to prove that actions are reasonable, measured and relative to the scale of risk.
Take the following steps:
Stick to justified e-mail monitoring
Privacy and data protection manager, Engage
Your confusion is perfectly understandable. The rule-makers have done a good job of baffling employers in this area.
On the one hand, the Regulation of Investigatory Powers (RIP) Act 2000 gives the Government the right to monitor e-mails or Internet transactions and demand access to an employer's decryption codes. RIP Act regulations also allow employers broad scope to intercept and record employee communications lawfully in circumstances such as establishing facts, checking compliance with working standards, preventing or detecting crime or misuse or checking the operation of the e-mail system. On the other hand, an employer monitoring personal e-mail without employee notice and consent may conflict with the fair and lawful processing requirements of the Data Protection Act 1998 or infringe an employee's right to privacy under the Human Rights Act 1998.
Make sure that your HR director publishes a clear policy on the use of e-mail and Internet that sets down the boundaries for acceptable staff use of e-mail. Limit monitoring of staff e-mail to circumstances where there is a clear justification, and ensure that staff are aware of the criteria for establishing a clear justification for monitoring. Finally, allow all employees the ability to delete permanently private e-mails they send or receive.
Adhere to the Human Rights Act
There does appear to be some incompatibility between UK law and the European Human Rights Act. In the UK, the RIP Act provides organisations with more power over e-mail monitoring than is suggested by the European Human Rights Act or indeed the UK Draft Code of Practice published by the Data Protection Commissioner.
It is likely that the RIP Act will be contested in light of the Human Rights Act and until there is legislative harmony we suggest you adhere to the Human Rights Act and specifically Article 8, which addresses the individual's right to a "private life", and perform the following:
Monitoring controls must respect the individual's privacy (as per Article 8) and selective monitoring is preferred as opposed to adopting a "monitor-all" stance. We suggest monitoring could include the adoption of the following types of rules:
Keep an eye on test cases
IT director at the Corporation of London
Two sets of advice now exist and appear to be in conflict. These are the Lawful Business Practice regulations issued by the DTI under the RIP Act and the draft Code of Practice relating to employer/employee relationships issued by the Data Protection Commissioner. It should be noted that the second of these was issued as a draft for consultation last October and the consultation period ended in early January. The draft was written before the RIP regulations were finalised and the RIP regulations changed dramatically from their draft to the final issue, so we can see how the conflict has arisen.
The RIP regulations were re-drafted because of pressure from business groups and generally allow e-mails to be monitored so long as the possibility of monitoring has been advertised. The Data Protection draft is much more restrictive on the conditions under which monitoring can take place, being more on the side of the protection of the privacy of the individual, as one would expect.
The DTI regulations are in force and can be followed, but it would be wise to get legal advice before doing so. Watch out for the Data Protection regulations to be re-issued and keep an eye out for test cases brought under the Human Rights Act, which might restrict employers' monitoring rights and cause the regulations to be revised yet again.
Feedback from my team suggests that there are concerns about training and career progression. I realise this is important if we are to hold on to valuable IT staff. Can you give me some practical pointers on how to set in motion a meaningful career progression strategy programme?