Untangling the legal Web

Changes to the law mean businesses can legally monitor the communications of their employees

Changes to the law mean businesses can legally monitor the communications of their employees

E-mail monitoring

From 24 October, businesses can legally monitor the communications of their employees without their consent, but only for certain specified business purposes.

This is due to the introduction of the Lawful Business Practice Regulations, which, according to Patricia Hewitt, minister for e-commerce, "will help users of e-commerce to be confident about giving information over the telephone, e-mail and internet". The regulations follow on from the controversial Regulation of Investigatory Powers Act, passed in July this year, which makes the monitoring of staff without consent illegal. But these regulations provide a crucial exception to this rule.

The fundamental principle is that businesses may only monitor or record the communications of their staff for the following purposes:

  • To establish the existence of facts. The DTI says that this will cover keeping records of transactions where it is "necessary" or "desirable" to know the specific facts of a conversation. Although this seems like a catch-all, it's likely that it will only cover serious instances, such as where an employee is suspected of giving away confidential information to a competitor.

  • To ascertain compliance with regulatory practices or procedures. Employers are therefore allowed to check that staff are adhering to any best practice requirements, codes or guidelines that might be in force.

  • To ascertain or demonstrate standards that are achieved or ought to be achieved by persons using the system. This permits monitoring for quality control purposes, such staff training.

  • To prevent or detect crime.

  • When in the interests of national security.

  • To investigate or detect unauthorised use of the business telecoms system. Employers, therefore, have scope to ensure employees are not accessing offensive material on the Web or sending e-mails that might be considered abusive.

  • To ensure effective operation of system.

    In effect, this means businesses can intercept systems to protect against viruses or simply route traffic, such as backing up or forwarding e-mails. However, businesses can monitor, but not record, communications to:

  • Check whether or not communications are relevant to business. This covers circumstances where an employee might be absent, allowing voicemail systems and e-mail accounts to be checked.

  • Monitor calls to confidential counselling helplines run free of charge.

  • Monitoring for any purpose such as marketing or market research is illegal without consent. If an employer makes "reasonable efforts" to inform employees of monitoring and employees tacitly accept this - then consent will be implied.

    Website privacy

    Website operators with a privacy policies posted on their sites assuring customers that personal data will remain confidential, may want to rethink the wording, following the outcome of a US case concerning the online toy seller, Toysmart.

    On becoming insolvent, Toysmart sought to sell its customer database. A narrowly worded privacy policy that did not allow for customer information to be disclosed as part of insolvency proceedings, prevented it from doing this. The court therefore ruled that each of Toysmart's customers had to give their permission for the sale of the database to go ahead.

    Online companies may, therefore, wish to follow Amazon's example, where customers are now told that information about them could be considered as part of company asset "in the unlikely event that amazon.com is acquired".

    Distance selling methods

    E-tailers may be forced to review their website, their advertising methods and ordering procedures following the introduction of the Distance Selling Regulations on 31 October 2000.

    These govern all contracts (financial services excepted) where seller and consumer do not have face-to-face contact.

    Online sellers are now required to supply the following information:

  • The name of the company

  • A description of goods and services

  • The price, including taxes

  • Arrangements for payment

  • Delivery costs

  • Arrangements for delivery (within 30 days of the order unless the contract specifies otherwise)

  • The right to cancel the order

  • If the customer has paid up front, the seller's address and how long the price remains valid. All of the above must be confirmed in writing

    E-tailers should also note that a consumer has the right to cancel an order within seven days starting with the day they were delivered

    If the consumer decides to invoke this right, then the seller must refund the money within 30 days of receiving written notice of this from the consumer.

    Elsa Booth-West is editor of Electronic Business Law (EBL), an independent newsletter providing reviews, analysis and practical information on the legal issues of e-commerce and communications. EBL is published monthly and is available online to subscribers. For sample copies and subscription information for EBL contact Fawzia Ittoo (020 7354 6747) or e-mail [email protected]

  • Read more on IT risk management