Email monitoring

I am confused by the legal aspects of e-mail monitoring. What must I be doing? What can I do? It seems to me that the laws of the UK are at odds with European human rights. Please help me, as my HR director keeps asking me for clarification.

A usage policy is imperative

David Roberts

Executive director, Tif

There are clearly contradictions in existing legislation. Recent government guidance and legal advice is to ensure the existence of legitimate business reasons for monitoring, and to be able to prove that actions are reasonable, measured and relative to the scale of risk.

Take the following steps:

  • Build a risk quantification model. Ownership and approval of actions taken should lie with the business

  • Create and implement a usage policy. Clarify organisational expectations, responsibilities and consequences. Guidance must be clear and consistent, and HR involvement is essential. Educate to raise user responsibility

  • Put in place technical controls and processes appropriate to the risk. Be selective in areas of examination. On discovery of misuse, further investigation should be conducted by an external body. Remember, the role of the IT function is to enable the business, not to act as a policeman.

Stick to justified e-mail monitoring

Sally Annereau

Privacy and data protection manager, Engage

Your confusion is perfectly understandable. The rule-makers have done a good job of baffling employers in this area.

On the one hand, the Regulation of Investigatory Powers (RIP) Act 2000 gives the Government the right to monitor e-mails or Internet transactions and demand access to an employer's decryption codes. RIP Act regulations also allow employers broad scope to intercept and record employee communications lawfully in circumstances such as establishing facts, checking compliance with working standards, preventing or detecting crime or misuse, or checking the operation of the e-mail system. On the other hand, an employer monitoring personal e-mail without employee notice and consent may conflict with the fair and lawful processing requirements of the Data Protection Act 1998 or infringe an employee's right to privacy under the Human Rights Act 1998.

Make sure that your HR director publishes a clear policy on the use of e-mail and Internet that sets down the boundaries for acceptable staff use of e-mail. Limit monitoring of staff e-mail to circumstances where there is a clear justification, and ensure that staff are aware of the criteria for establishing a clear justification for monitoring. Finally, allow all employees to permanently delete private e-mails they send or receive.

Adhere to the Human Rights Act

Paul Williams

Arthur Andersen

There does appear to be some incompatibility between UK law and the European Human Rights Act. In the UK, the RIP Act provides organisations with more power over e-mail monitoring than is suggested by the European Human Rights Act or indeed the UK Draft Code of Practice published by the Data Protection Commissioner.

It is likely that the RIP Act will be contested in light of the Human Rights Act and until there is legislative harmony we suggest you adhere to the Human Rights Act and specifically Article 8, which addresses the individual's right to a "private life", and perform the following:

  • Prepare an e-mail- and Internet-acceptable usage policy

  • Publicise and integrate the policy within your organisational working procedures and employees' terms and conditions

  • Educate staff on their responsibilities and inform them that e-mails and Internet usage may be monitored and violation of the policy may invoke disciplinary proceedings

  • Implement e-mail and selective Internet usage monitoring controls

Monitoring controls must respect individuals' privacy (as per Article 8), and selective monitoring is preferred to adopting a "monitor-all" stance. We suggest monitoring could include the adoption of the following types of rules:

  • Use keyword searches

  • Intercept, or prevent the receipt of, e-mails containing certain keywords

  • Prevent and/or log access to specific Web sites

  • Implement random reviews of e-mails

  • Review outgoing e-mails containing large attachments or certain file types, eg .jpg, .asf, .wav.
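The selective rules in the answer above (keyword search, review of large attachments or particular file types, random review) can be implemented as a filter that decides whether a message needs human review and records why. The following is an added worked example, not code from the article or from any of the contributors: the watch-list, the size threshold, the sample rate and the "[private]" subject tag that exempts personal mail from content inspection are all assumptions made for the example, and every message it handles is constructed sample input. It uses only the Python standard library.

```python
import random
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Assumed policy parameters for this example; a real deployment would take
# these from the usage policy the business has approved.
KEYWORDS = ("confidential", "tender", "salary")     # assumed watch-list
FLAGGED_EXTENSIONS = {".jpg", ".asf", ".wav"}       # file types named in the answer
MAX_ATTACHMENT_BYTES = 100_000                      # assumed size threshold
SAMPLE_RATE = 0.05                                  # assumed random-review rate
PRIVATE_TAG = "[private]"                           # assumed convention for personal mail


def build_message(sender, recipient, subject, body, attachment=None):
    """Build a constructed sample message and return it as raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        filename, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def review(raw, sample_rate=SAMPLE_RATE, rng=random):
    """Return a list of (rule, detail) justifications for pulling the message
    into review. An empty list means nobody reads it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["Subject"] or "")
    reasons = []

    # Rule 1: keyword search over subject and plain-text body. Mail the sender
    # has tagged as private is not searched for content at all (assumed policy);
    # the attachment rules below still apply to it.
    if not subject.lower().startswith(PRIVATE_TAG):
        body_part = msg.get_body(preferencelist=("plain",))
        text = (subject + " " + (body_part.get_content() if body_part else "")).lower()
        hits = sorted(k for k in KEYWORDS if k in text)
        if hits:
            reasons.append(("keyword", ",".join(hits)))

    # Rule 2: flagged file types and oversized attachments.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name).suffix.lower()
        size = len(part.get_content())          # decoded payload length
        if ext in FLAGGED_EXTENSIONS:
            reasons.append(("file-type", name))
        if size > MAX_ATTACHMENT_BYTES:
            reasons.append(("attachment-size", f"{name}:{size}"))

    # Rule 3: random review of a small fraction of traffic, so the check is
    # measured rather than "monitor-all".
    if rng.random() < sample_rate:
        reasons.append(("random-sample", f"rate={sample_rate}"))

    return reasons


def audit_record(raw, reasons):
    """Audit entry for a flagged message: sender, recipient and the rules that
    fired, never the message text, so the log itself is not a second copy of
    the correspondence."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return {"from": str(msg["From"]), "to": str(msg["To"]),
            "rules": [rule for rule, _ in reasons]}


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        build_message("alice@example.com", "bob@partner.example",
                      "Confidential tender documents", "See attached."),
        build_message("alice@example.com", "friend@example.net",
                      "[private] lunch?", "Confidential: the salary thing",
                      attachment=("holiday.jpg", b"\xff\xd8" + b"\x00" * 16)),
        build_message("carol@example.com", "dave@example.com",
                      "Report", "Q3 figures", attachment=("report.bin", b"x" * 120_000)),
    ]
    for raw in samples:
        reasons = review(raw)
        if reasons:
            print(audit_record(raw, reasons), reasons)
```

Each justification is attached to the message that produced it, which is what the "reasonable, measured and relative to the scale of risk" test asks for: an investigator can later show which policy rule caused a given e-mail to be read, and the audit trail never contains message content.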

Keep an eye on test cases

Roger Marshall

IT director at the Corporation of London

Two sets of advice now exist and appear to be in conflict. These are the Lawful Business Practice regulations issued by the DTI under the RIP Act and the draft Code of Practice relating to employer/employee relationships issued by the Data Protection Commissioner. It should be noted that the second of these was issued as a draft for consultation last October and the consultation period ended in early January. The draft was written before the RIP regulations were finalised and the RIP regulations changed dramatically from their draft to the final issue, so we can see how the conflict has arisen.

The RIP regulations were re-drafted because of pressure from business groups and generally allow e-mails to be monitored so long as the possibility of monitoring has been advertised. The Data Protection draft is much more restrictive on the conditions under which monitoring can take place, being more on the side of the protection of the privacy of the individual, as one would expect.

The DTI regulations are in force and can be followed, but it would be wise to get legal advice before doing so. Watch out for the Data Protection regulations to be re-issued and keep an eye out for test cases brought under the Human Rights Act, which might restrict employers' monitoring rights and cause the regulations to be revised yet again.

Next week

Feedback from my team suggests that there are concerns about training and career progression. I realise this is important if we are to hold on to valuable IT staff. Can you give me some practical pointers on how to set in motion a meaningful career progression strategy programme?
