Firms monitoring staff 'must get their policies right'

In a 'White Paper' for web security firm SurfControl, lawyers from Hammonds said employers that failed to put the necessary policies in place were "at risk of a myriad of different claims, both civil and criminal."

Earlier this month a public sector employee won a case in the European Court of Human Rights after her personal internet usage, emails and telephone calls were monitored at work.

The claimant took up her case against the Government, as the college she worked for was publicly funded. She claimed the monitoring activity breached her right to privacy under human rights legislation.

The Court said she had been given no warning that her calls would be liable to monitoring, "therefore she had a reasonable expectation as to the privacy of calls made from her work telephone." It added that the "same expectation should apply in relation to... e-mail and internet usage."

Relevant legislation

Sue Nickson, partner and head of employment law at Hammonds, pointed out that at the same time the Human Rights Act came into force the Regulation of Investigatory Powers Act 2000 (RIPA) updated the legislation governing the interception and monitoring of communications.

RIPA provided for both civil and criminal liability and made it unlawful to intentionally intercept communications over a public or private telecommunications system without lawful authority.

"A defence would only be available if it was reasonably believed that both parties to the communication consented to the interception," explained Ms Nickson.

In the White Paper, she went on to say that further regulations - the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 - gave employers the right to carry out monitoring without employees giving their "express consent", in a number of different circumstances.

These circumstances included recording evidence of business transactions, ensuring compliance with regulatory or self-regulatory guidelines and maintaining the effective operation of the employer's systems.

Monitoring standards of training and service, preventing or detecting criminal activity and preventing the unauthorised use of the computer/telephone system, were also permissible reasons.

"Nonetheless, the regulations provided that it would be necessary for an employer to take reasonable

steps to inform employees that their communications might be intercepted," added Ms Nickson.

Got an AUP?

Guidance from the Information Commissioner concerning data protection legislation had also made it clear that employers needed to exercise care in circumstances where they might intrude unnecessarily on their employee's privacy.

As a result, Hammonds said there was a "clear and absolute need" for employers to have an Acceptable Use

Policy (AUP) in place concerning the use of electronic communications systems, and that the AUP be made known to all employees.

As well as stating what monitoring, if any, will take place, the AUP should also cover issues such as when it is permissible for staff to use the telephone, email and internet, as well as setting out acceptable online behaviour and privacy rules.