Businesses may have reasons to monitor email, but they must protect employees' privacy.
The law on email monitoring can be confusing as there are several pieces of legislation to consider. The main ones are the Data Protection Act 1998, the Regulation of Investigatory Powers Act 2000 (RIPA) and the Human Rights Act 1998, all of which limit the extent to which one can intrude on the privacy of others.
Monitoring of email usually involves the interception of communications. RIPA makes it an offence to do this on a private telecommunications network, as well as a public one. It is a civil, rather than criminal, offence and allows those affected to claim compensation.
However, interception is lawful if done in accordance with the Telecommunications (Lawful Business)(Interception of Communications) Regulations 2000. The Regulations allow businesses to monitor for fundamental purposes such as preventing and detecting crime, and more mundane reasons such as "ascertaining the existence of facts". An intent to monitor communications that are not relevant to the business concerned, or systems that are only for private use, will not be lawful.
The owner of the system must make reasonable efforts to inform all users of the monitoring. This should be covered in the acceptable use policy, but can also be done via splash screens or through email footers.
A copy of the Regulations can be obtained at www.opsi.gov.uk, and there is a useful explanatory note at the end of the document. The DTI has also published guidance.
The Data Protection Act is relevant because it governs the processing of personal data, and email monitoring falls into that category. The current legal position is that information from which a living individual can be recognised, and which is processed automatically (by computer), is personal data where the information is focused on the individual, significantly biographical and capable of affecting privacy. While not every email will necessarily contain personal data, many will. Usually the organisation that controls the internal email system will be a data controller, who has an obligation to comply with the eight data protection principles in relation to the processing of personal data.
The main thing to take into account when monitoring is data protection principle one: all processing of personal data must be fair and lawful. What is fair is interpreted in the normal sense of the word. Generally you should ensure there are no surprises for those being monitored as to the nature of the monitoring. You must also comply with all the other relevant pieces of law. The ideal place to give details of the monitoring will, again, be in your acceptable use policy. Part III of the Information Commissioner's employment practices code deals with monitoring and is available at www.ico.gov.uk.
The Human Rights Act states that everyone has the right to a private life and the privacy of their correspondence. This is a qualified right, which means it can be infringed, provided that the action is sanctioned by law, necessary in a democratic society and proportionate given the harm that is protected against. For example, it is accepted that the threat posed by terrorists justifies monitoring of communications.
The Human Rights Act is directly enforceable against public bodies, but it affects private companies because the courts are required to make their decisions in line with the Act. To comply with this, your organisation will need to assess and document the threats that it is trying to protect against by monitoring. If challenged, it will need to show that the monitoring is only as intrusive as is needed to secure that protection.
Generally the privacy of the sender of private emails should be respected. Employers can be robust in telling their staff that there can be no expectation of privacy if the business system is used for private email. However, if an email is clearly private, the privacy of the individual should still be respected unless there are good reasons not to.
Tamzin Matthew is a partner in law firm Blake Lapthorn Tarlo Lyons, and specialises in IT law. She can be contacted at Tamzin.Matthew@bllaw.co.uk or on 01865 254262.