Monitoring your employees' emails legally
This article first appeared in the Autumn 2003 issue of the
OUT-LAW magazine. There is a chance that the law has changed, or
the facts of this article have been superseded.
Employers are becoming increasingly frustrated at the amount of
time employees spend on the internet or on personal emails.
Naturally, they turn to monitoring. But is keeping tabs on your
staff justified – or legal?
Employers need to know how to monitor lawfully for, if they
breach data protection legislation, any evidence they gather may be
inadmissible, defeating the point of collecting it.
The law in this area is primarily made up of the Regulation of
Investigatory Powers Act 2000 (RIPA) and the Data Protection Act
1998 (DPA). But rather than
looking at the sometimes complicated provisions of these Acts,
employers should look at the Employment Practices Data Protection
Code, specifically Part 3 which relates to monitoring at work. This
has been issued by the Information Commissioner as a statement of
good practice in complying with the law. It aims to balance the
rights of workers against the needs of employers.
Businesses should look to the Code in working out how best to
comply with the law. The DPA applies widely in a
monitoring context and could cover monitoring emails, internet use
and phone calls and specific covert investigations into improper
activity. One of the key principles of the DPA is
telling people what is happening with their information, and this
is where a communications policy is a useful tool. Key advice from
the Code is therefore to establish a policy and communicate it.
A communications policy can help with RIPA and DPA
compliance but employers have a number of
considerations, legal and practical, in arriving at a policy. For
example, should they ban all personal email and internet use?
This solves the problem of having to distinguish between
personal communications and business communications (intercepting
the content of personal communications is not authorised by the
Regulations) but may not be very popular with employees who often
see email and internet as a perk of the job. An alternative is to
offer employees use of a personal template so that it is always
clear when an email is personal and the employer can ensure that it
does not monitor the content of these.
Employees may have human rights concerns if all personal
telephone use is banned, so employers must consider what is
proportionate, e.g. allow reasonable use or provide payphones.
The Code also introduces the concept of an impact assessment
where employers decide if and how to monitor by considering whether
any adverse impact on individuals is justified by the benefits to
the employer and others. The monitoring must be a proportionate
response to the risks. An impact assessment involves identifying
the purposes for the monitoring, the benefits it should deliver,
any adverse impact, any alternatives to monitoring or monitoring in
a particular way, the legal obligations involved and then deciding
whether it is justified.
A minimalist approach to monitoring is favoured – for example,
can the employer review traffic data and subject headings before
content; can they adopt technical means of screening out unwanted
emails or internet use rather than carry out live monitoring; can
they carry out spot checks rather than continual monitoring?
The Code also emphasises that RIPA must still be
complied with as well as the DPA. RIPA
makes it unlawful to intentionally intercept communications in the
course of transmission without lawful authority. Intercepting
basically means making some or all of the content available, while
being transmitted (which includes diverting or recording it to look
at later), to a person other than the sender or intended recipient
and will cover monitoring email use at a content level rather than
at a traffic level.
One way of getting this lawful authority is to obtain the
consent of both sender and recipient – this is impractical for most
organisations that send and receive emails externally. The snappily
titled Telecommunications (Lawful Business Practice) (Interception
of Communications) Regulations 2000 provide another means of lawful
authority – that the monitoring is for one or more of the purposes
specified in the Regulations and that the system controller has
made all reasonable efforts to inform every person who may use the
system that communications may be intercepted.
The list of purposes includes ascertaining compliance with
regulatory or self-regulatory practices or procedures, detecting
unauthorised use and preventing or detecting crime and it is likely
that most organisations will be able to bring monitoring within one
of these grounds.
The main problem is that the Regulations only apply to business
communications and not to personal communications and the Code
reinforces the point that if monitoring is of the content of
non-business related communications then this is unlawful.
Employers need to consider how they will comply in practice.
Once an employer is satisfied that he has lawful authority, he
must make reasonable efforts to inform people about interception.
This is where communications policies again come in, telling
employees what may happen. Employers may also have to consider how
they make reasonable efforts to inform third parties. Can they
include this in their terms of business, on their email disclaimer
notices, on their web sites?
As a basic checklist employers should develop a clear policy,
communicate it to employees, create audit trails, enforce the
policy and consider alternative technical means.
Enforcement of a policy is particularly important. An employment
tribunal, for example, may not take kindly to evidence that an
employee has been singled out for action when a blind eye has long
been turned to particular activities. If there have been previous
policies that haven't been enforced then employers should start
again. Better to be safe than sorry.
For further information contact: louise.townsend@pinsentmasons.com