Embarrassing e-mail stories continue to make the news. They may make good copy, but for the businesses concerned they can be damaging and for the employees involved they can lead to dismissal or other disciplinary action. For example, this summer, Hewlett Packard suspended 150 employees and dismissed a number of others for inappropriate use of the company e-mail. The Ford Motor Company gave its 20,000 employees a two-week amnesty in which to delete offensive material from their computer; at the end of the amnesty period, any employee found to be in possession of offensive material would be dismissed.
As employers become increasingly concerned over inappropriate use of e-mail and the Web, attention focuses on the complex issues which arise when employers seek to monitor employee e-mail and other communications (including Web browsing).
Principal Legal Provisions
The law in this area has become complex. It seeks to strike a balance between an employee’s legitimate right to respect for his or her private life and an employer’s legitimate need to run its business. There are three main statutes: the Regulation of Investigatory Powers Act 2000 (RIPA), the Data Protection Act 1998 (DPA) and the Human Rights Act 1998 (HRA).
Section 1 of the RIPA provides that it is an offence for a person intentionally and without lawful authority to intercept, at any place in the
Most employers are concerned less with the offences under the RIPA than with the new tort of unlawful interception under s1(3). This provides a right of action to a sender or recipient, or intended recipient, of a communication (eg an employee) if without lawful authority the communication is ‘intercepted’ in the course of its transmission by, or with the consent of, the controller of the system (eg an employer). So far as business is concerned, the most likely way in which a communication may be intercepted with lawful authority is under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the LBPR). The LBPR authorise certain interceptions of communications which would otherwise be prohibited by the RIPA. Under the LBPR, interceptions are authorised for monitoring communications for a range of purposes such as ‘to establish the existence of facts, or to ascertain compliance with regulatory or self-regulatory practices or procedures’.
Even where an interception comes within the authority conferred by the LBPR, or within any of the other exceptions in the RIPA, you still need to consider compliance with the DPA and the implications of the HRA. Interception of communications will involve processing of personal data for the purposes of the DPA. Accordingly, the collection, storage and use of the personal data involved must, though lawful under the RIPA, satisfy the DPA. In the context of the DPA, the Information Commissioner has prepared ‘The Employment Practices Data Protection Code’. This is made up of four parts, one of which is concerned with ‘Monitoring at Work’. This part of the Code addresses monitoring of communications such as e-mail and fax, and also video and audio monitoring, covert monitoring and in-vehicle monitoring. It is not yet in final form, although the consultation period closed on
Interception
Not all monitoring is controlled by the RIPA. For example, interception of a communication which does not take place in the course of its transmission will not be subject to the Act. In this context, we need to look more closely at the RIPA’s definition of ‘interception’. Under s2(2), a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he takes steps to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication. Note, then, that interception involves making some or all of the contents of the communication available, while being transmitted, to a third party. So, for example, simply logging the number of calls made in a day or e-mail traffic would not be regarded as interception as it does not involve accessing the contents. Moreover, interception must take place whilst the communication is ‘in the course of’ transmission. What does this mean in relation to e-mail? The source of the definition in the RIPA is the now repealed Interception of Communications Act 1995, which was mainly concerned with telephone tapping. However, in the context of the RIPA, the language is somewhat awkward when one considers the nature of e-mail, which may be received and held in inboxes – read or unread – for later access. To address this, s2(7) of the RIPA provides that a communication is being transmitted at times when the system ‘is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it’. An incoming e-mail that is sitting in a mailbox unopened would thus be regarded as ‘in the course of’ transmission because it is awaiting collection. But what about an e-mail that has been read, and yet continues to be stored or held in archive on the same system? If the contents of this e-mail are then made available to a third party (such as the recipient’s employer), does the recipient of the e-mail still have a remedy under the RIPA?
On a strict construction of the sub-section, it seems arguable that an e-mail that has been opened and read by the recipient and then retained (or stored) in the recipient’s inbox for future reference is still in the course of transmission by virtue of s2(7) because the storage ‘enables the intended recipient … otherwise to have access to it’. The Home Office (who sponsored the Act) indicated that, once a communication had been read by the intended recipient, it is no longer ‘in the course of transmission’, even if it is stored in the same location before and after the recipient has read it. This view also seems to be supported by the Information Commissioner. The draft Code dealing with Monitoring at Work states that the tort of unlawful interception under the RIPA applies where an e-mail is accessed before it has been opened by the intended recipient, but does not apply to access to stored records of e-mails that have been received and opened. This seems puzzling. It implies that a person’s right to privacy in respect of a communication he or she has received is infringed where a third party has access to the contents before the recipient has read it, but is not infringed where a third party has access to the contents after the recipient has read it. In other words, the RIPA says you can’t open and read someone’s correspondence but, once the recipient has opened it, then you can. This dilemma is perhaps resolved when you consider that the Act is not primarily concerned with the protection of privacy, such issues being addressed in the DPA and HRA.
Any analysis of whether an unlawful interception takes place under the RIPA will require an analysis of the way that the relevant communication system operates. For example, a system controller (such as an ISP) may cease to hold the stored communication once it has been accessed (eg downloaded from an ISP to a personal computer). However, this will not usually be the case with corporate private e-mail systems where read and unread e-mail may be stored for long periods.
This point was considered recently (July 2002) by the Lord Chief Justice, Lord Woolf, in an application for judicial review of a decision by His Honour Judge Deveaux dated 27 September 2001. The case concerned the telecommunications provider NTL Group Limited (NTL). The police were investigating a fraud and sought a special protection order under the Police and Criminal Evidence Act 1984 relating to e-mails held by NTL for certain individuals. NTL were concerned that complying with the police request would involve them committing an offence under s1 of the RIPA. Although the point was not considered in any detail, the Court commented that s2(7) has the effect of extending the time of communication until the intended recipient has collected it. The implication is that, once the recipient has collected it, there can be no ‘interception’ under the RIPA. But, even if this is so, there will be ‘processing’ under the DPA.
Nigel Miller is a Commerce and Technology partner at City law firm Fox Williams. He is also Joint-Chair of the Society for Computers & Law. Nigel can be contacted at nmiller@foxwilliams.com.