Apparent contradictions between the Data Protection Act 1998, the Regulation of Investigatory Powers (RIP) Act 2000 and the Human Rights Act 1998 are creating much uncertainty for employers over whether they can monitor their staff's e-mail and Internet usage.
This has become a common management target when investigating fraud, theft of intellectual property or inappropriate Internet browsing. Advanced forensic techniques can recover conclusive evidence in these types of cases but the employer's initial procedures are important.
Previously the legal profession's view was that the company had a right to view all mail passing through its e-mail system. The Data Protection Registrar (DPR), however, issued a Draft Code of Practice on the use of personal data in employer/employee relationships in October. The code makes it clear that the employer is expected to "target" their investigations more tightly and avoid routine sweeping of all mail.
The DPR says, "When assessing the benefits of monitoring communications take care to realistically identify risks that might be controlled. For example, it is claimed that e-mail monitoring is necessary to prevent loss of trade secrets. However, trade secrets can be communicated in many ways and have been well before the advent of e-mail.
"Unless there is some evidence that the use of e-mail poses a particular risk to trade secrets, the organisation is particularly vulnerable and e-mail monitoring is part of a package of carefully considered measures to tackle the problem, it is difficult to see how routine monitoring can be justified. Where monitoring is justified limit it to the e-mails of those employees who actually have access to the trade secrets."
Clearly the organisation must be able to prove that it acted in a reasonable and measured manner, and that any precautions are relative to the scale of risk.
The code raises other concerns for the employer:
Standards for e-mail monitoring
"Only consider the monitoring of content if neither a record of traffic nor a record of both traffic and the subject of e-mails achieves the business purpose. In assessing whether monitoring of content is justified take account of the privacy of those sending e-mails as well as the privacy and autonomy of those receiving them."
The fact that you may be breaching the e-mail sender's privacy does not immediately spring to mind and may result in a clear breach of the Data Protection Act if not handled delicately.
Standards for Internet usage monitoring
"Ensure, as far as possible, that if employees are allowed to use the employer's system to access the Internet for personal reasons no record is kept in the system of the sites they have visited or the content they have viewed."
This has significant implications for those organisations that allow their staff to browse the Internet during breaks. Many organisations allow their staff this freedom on the basis that they feel it will raise their level of IT skills, but there is usually a price to pay. Misuse of company Internet facilities is a large and growing problem, with many cases of the downloading of pornography and the browsing of "hobby" sites during working hours.
To ensure that such facilities are not abused, it is vital that careful checks are carried out on a regular basis and logging is a vital part of any package of deterrents. Again targeted checks are most appropriate in the current climate and the forensic examination of selected systems is often the best approach.
Using specialist software, which indexes the contents of whole systems, it is possible to be very selective in your searching; recovering say just references to "sex" sites in deleted browser history files. This obviates the need to examine every site that staff have visited, avoiding unnecessary invasion of privacy, and speeding up the search dramatically.
The recent regulation on lawful business practice, introduced by the Government, plugs a weakness in the RIP Act enabling the monitoring of business communications in certain circumstances. The most important consideration for the employer is that they must have grounds for suspicion in order to intercept say e-mails to an employee. Whether or not there is a clear company policy saying that communications may be monitored, there must be a good reason for the monitoring, and the measures taken must be in line with the risk.
Overlying all of this you have the Human Rights Act which introduces such laudable principles as:
Just think how these Articles could be applied to routine interception of employee communications. What if an employee receives an unsolicited e-mail from a relative concerning a medical condition and the contents become common knowledge by accident through monitoring?
E-mail "banter" is often grounds for disciplinary action, or embarrasses the organisation. Where does that leave the employer?
The apparent conflicts between the three Acts will make for some interesting times for employers and the courts. However if firms accept that any investigative or preventative measures must be commensurate with the level of risk to the organisation, they are unlikely to experience any problems.
If your organisation suspects internal fraud or even just Internet abuse, a carefully planned investigation, rather than 'trawling for evidence', will yield the best results and avoid falling foul of the new legislation.
Clifford May is computer investigations manager at security specialist Vogon International