On 24 October, rules came into force governing the interception by companies of telephone calls, faxes and emails. Ignorance of the rules can make businesses criminally liable for monitoring their employees' emails or faxes.
The Computer Weekly/Harvey Nash Big Question survey showed that a worryingly large percentage of IT staff – almost 70% – do not understand the rules. It is important that IT managers and directors make sure all staff are aware of the new rules.
They will not just affect traffic on the internet, but also material going to or coming from the internet via a local area network (Lan). Employees using the Lan for personal emails or faxes will have the right to sue if the communication is opened without their agreement or knowledge.
IT professionals need to get to grips with these rules fast so they can put in place changes that will avoid their companies infringing the law.
So, why the new rules?
The rules are the result of the Regulation of Investigatory Powers (RIP) Act 2000. It is designed to clarify who is allowed to intercept or record communications, either as part of criminal investigations or otherwise. It creates the general presumption that communications should not be intercepted.
Breach of the RIP Act will not only lead to an employer (or even possibly its directors) being guilty of a criminal offence, but will also expose the employer to a civil action for damages from employees or anyone sending email or faxes into a company.
The terms of the RIP Act cover not only communications on a public network, but also on a private voice or data network on their way to, or received from, a public service. The rules will, therefore, also apply to external emails or faxes on a business Lan.
The Lawful Business Practice rules set out the exceptions to this rule for businesses that need to monitor what is being sent or received on their communications systems. This means that interception and monitoring of emails will still be allowed, provided the rules are followed. However, this does not mean that the current practice in your company is within the rules.
The rules say that businesses will be allowed to intercept a communication in the course of its transmission for the purpose of monitoring or keeping a record of business communications on its systems for the following reasons:
- To investigate any unauthorised use of its telecoms or email system
- To provide evidence of sales orders, invoices or other business communications
- To make sure employees comply with professional practices and procedures, often necessary in financial services
- To ensure standards are being met, such as the best practice among sales professionals
- To ensure IT systems are working properly.
Businesses will also be able to monitor (but not copy) communications on their systems to check whether they are business communications.
However, the person intercepting (ie the employer) must have made all reasonable efforts to inform every person receiving or sending the communication that it will or may be intercepted. This includes people outside your organisation, so a statement of email monitoring policy should be added to all outgoing messages.
Are you complying?
Decide your policy for email and other communication monitoring now, as you must explain it to your employees. The deadline for this was 24 October, so if this has not been done it should be a top priority; otherwise you could be in breach of the law.
Your policy will need to cover the following:
- What systems are in place for copying and/or diverting communications
- Whether staff should use business equipment for personal or private communications at all (Internet email services, such as Hotmail, can help keep personal email off the office system)
- Clear statements as to policies on approval of outgoing correspondence or disclosure of incoming material.
The policy should be included in any office manual or staff handbook as a matter of course, and your employee terms and conditions should be modified to add a clause permitting the employer to intercept, monitor and retain any communications addressed to, or sent by, the employee using business email addresses or fax machines.
The RIP Act and the rules could cause problems for employers who do nothing to deal with the issues. Complying with best practice and taking the simple, practical steps outlined above will greatly reduce this risk.