Companies are committing an offence if they monitor staff e-mail without taking steps to get their consent, according to new guidance.
In its guidance to data controllers, the British Standards Institute explains how the 1998 Data Protection Act, which came into force at the beginning of this month, protects employees from the covert monitoring of e-mail.
It explains how e-mail policies can be created to allow e-mail monitoring while staying within the law.
But businesses must monitor e-mail if they want to avoid costly cases of defamation and infringement of race and sex laws, according to Liz Fitzsimons, an associate specialising in e-commerce law with law firm Eversheds.
"If you do not have monitoring, you don't know what employees will do," she said. "However, if you are going to monitor e-mail, you must be careful not to fall foul of the Data Protection Act, particularly if e-mail is recorded and attributed to individuals."
The first principle of the Act means that e-mail policies outlining how traffic will be monitored must be "clearly stated and openly available", said David Trower, strategic policy officer with the Data Protection Commissioner's office. Data Protection Commissioner Elizabeth France first published a report on e-mail surveillance last May.
For businesses to be confident they comply with the Act while carrying out surveillance, they must ensure that staff using e-mail know company policy on its usage, via a memo or e-mail. The policy should also be written into contracts of employment, Fitzsimons said. If the policy is hidden in a company handbook, firms may be contravening the Act.
Businesses can conduct covert surveillance of e-mail under section 29 of the Act, providing the data controller has reason to suspect a criminal offence is being committed, said Trower, who helped put together the BSI guidance.
This could include cases of fraud, theft, sexual and racial harassment, though not those involving defamation.