contents
- About the Supplementary Guidance
- Managing Data Protection:
Supplementary Guidance - Part 1: Recruitment & Selection: Supplementary Guidance
- Part 2: Employment Records:
Supplementary Guidance - Part 3: Monitoring at Work:
Supplementary Guidance - Part 4: Information About Workers' Health: Supplementary Guidance
- Conditions for Processing Sensitive Data
- Frequently Asked Questions
- Useful Addresses
Lawful business practice regulations
This section provides guidance to employers who wish to monitor electronic communications (e.g.
telephone calls, fax transmissions, e-mails, internet access) on how they can meet the requirements of the Regulation of Investigatory Powers Act 2000 (RIPA) and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBP Regulations.). The RIPA and LBP Regulations cover a complex series of situations, of which monitoring in the workplace is only one. This guidance is designed to assist businesses, including public authorities, when they act as employers, but not in other situations. It is intended to cover all the main points but is necessarily simplified. It is not a complete statement of the law but employers following it are unlikely to find themselves on the wrong side of the law.
Under RIPA it is against the law for a business to intercept an electronic communication on its, or anyone else’s, system. There are some exceptions. Most of the exceptions contained in RIPA itself are unlikely to apply to the monitoring of communications by employers, for example where an interception is authorised under a warrant. The RIPA exceptions that may be relevant are:
- where the interception takes place with consent
- where the interception is connected with the operation of the communications service itself.
In addition to the exceptions in RIPA itself, the Lawful Business Practice Regulations set out further
exceptions where, in connection with the carrying on of a business, an interception will not contravene RIPA. These exceptions will be particularly relevant to employers. They set out the circumstances in which a business is authorised to carry out an interception for the purpose of running its business.The regulations are designed to meet the legitimate needs of businesses to manage their information systems, making use of the capabilities of modern communications technology, but in a way that is consistent with high standards of privacy. It must be remembered though that they are not exemptions from the Data Protection Act.
An interception of communications that does not come within the exceptions in the LBP Regulations or
in RIPA itself is against the law. It is irrelevant whether or not the monitoring associated with the interception would satisfy the other provisions of this Code. On the other hand, if the interception does come within the exceptions, the monitoring cannot proceed regardless. The collection, storage, and use of personal information that is involved in the monitoring must still satisfy Data Protection requirements.
This diagram may assist employers in checking whether the requirements of RIPA and the LBP Regulations are met. Explanatory notes follow.
Explanatory notes
1. Is there an interception?
Interception takes place if the contents of a communication are made available, during the course of its transmission, to someone other than the sender or intended recipient. Depending on the nature of the communication the intended recipient may be simply a business or a specific individual. Examples where interception may take place include a supervisor listening in to calls, a business opening e-mails stored on a server before they have been opened by the intended recipient, and an automated system that opens e-mails and/or their attachments to check them for viruses. Examples that do not involve interception include a business accessing a stored collection of e-mails that have been received and opened or deleted by the intended recipient, and a business accessing a stored collection of sent e-mails.
2. Have senders and recipients both given consent?
Interception is allowed if the business has reasonable grounds for believing that both the sender and
recipient have consented to the interception. Interception is also allowed in certain other circumstances without the consent of the sender or recipient. However, if a business is to rely on consent in order to legitimise an interception, there must be some action from which consent can be inferred, for example, the caller saying “yes” when asked or proceeding with a telephone call after hearing a message saying that calls are recorded. Consent must be freely given. Businesses might choose to rely on consent to cover the interception of telephone calls or internal e-mails but it is hard to see how consent can readily be obtained from external senders of e-mail.
3. Is the interception connected with the operation of the communications system itself?
Interception without consent is allowed if:
- it is undertaken by or on behalf of a business that provides a telecommunications service, and
- it takes place for purposes connected with the provision or operation of that service.
Providing a telecommunications service means providing access to and facilities for making use of an
electronic communications system. Employers will often be providers of a telecommunications service in respect of their own networks. They might rely on this provision where, for example, incoming e-mails are intercepted by the IT department in order to divert them so as not to block up an e-mail gateway.
4. Is the interception only for monitoring business-related communications?
Interception without consent is not allowed by a business unless the interception is solely for monitoring (or recording) communications which:-
- involve the business entering into transactions, or
- relate in another way to the business, or
- take place in some other way in the course of carrying on the business.
These categories cover most business communications but they do not include personal communications by workers unless they relate to the business. Interception will not be allowed if it is carried out wholly or partly to gain access to the contents of personal communications sent to or by workers that do notrelate to the business. This does not prevent interception which is carried out only to gain access to the contents of business communications but which may incidentally and unavoidably involve some access to other communications on the system.
5. Is the interception to decide whether a communication is a business related one?
Interception without consent is allowed if it is to monitor, but not record, communications to check
whether they:-
- involve the business entering into transactions
- relate in another way to the business
For example, an employer may open e-mails in an absent worker’s in-box if this is necessary to see
whether there are business communications that need to be dealt with in the worker’s absence.
However, the employer should not open e-mails that in their unopened state appear not to relate to the business, e.g. e-mails that are marked ‘personal’ in the header, unless there are convincing grounds on which to believe they are in fact business related.
6. Is a confidential telephone counselling or support service involved?
Interception without consent is allowed if it is to monitor, but not record, communications to a confidential, free, telephone counselling or support service operated in such a way that users can remain anonymous. This is to enable help-line workers to receive appropriate supervision and support.
7. Is the interception for an authorised business purpose?
Interception without consent is allowed if it is part of monitoring (or recording) business communications for one of the following purposes:
- To establish the existence of facts (e.g. to collect evidence of transactions such as those involved in telephone banking or to keep records of other communications where the specific facts are
important, such as being able to prove that a customer has been given certain advice). - To check that the business is complying with regulatory or self-regulatory procedures (e.g. to check that workers selling financial services are giving customers the “health warnings” required under financial services regulation).
- To check the standards that workers are achieving (e.g. to check the quality of e-mail responses sent by workers to customer enquiries).
- To show the standards workers ought to achieve (e.g. for staff training).
- To prevent or detect crime (e.g. to check that workers or others are not involved in defrauding
the business). - To investigate or detect unauthorised use of the telecommunications system (e.g. to ensure that
workers do not breach the employer’s rules on use of the system for business purposes, for example by sending confidential information by e-mail without using encryption if this is not allowed. Note that interception that is targeted at personal communications that do not relate to the business is not allowed regardless of whether the use of the system for such communications is authorised). - To ensure the security of the system and its effective operation (e.g. to check for viruses or other
threats to the system or to enable automated processes such as caching or load distribution).
8. Have all reasonable efforts been made to inform users of the interception?
The requirement of the LBP Regulations is to make reasonable efforts to inform users of the system that an interception may take place. Workers, including temporary or contract staff, will be users of the system but outside callers or senders of e-mail will not be. Where, as will usually be the case, interception involves the collection, storage or use of personal information, the requirements of the Data Protection Act to provide information to those whose data are processed will come into play. Information required under both the LBP Regulations and the Data Protection Act overlaps and can of course be provided at the same time.