The law relating to this subject is contained in the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (TICR).
Additionally, the Data Protection Registrar has published a code of best practice in a booklet entitled The employment practices data protection code: part 3: monitoring at work that gives practical advice on monitoring Internet and e-mail use at work.
The TICR may authorise an interception of work email. If email is intercepted, then monitoring is covered by the Regulation of Investigatory Powers Act 2000 (RIPA). Any sort of monitoring also constitutes processing of personal data under the Data Protection Act (DPA).
Your contracts of employment should include provision for irrevocable consent by your employees to process their personal data.
Interpretation of the law
The code published by the Data Protection Registrar is intended to help you to comply with the DPA and to encourage you to adopt good practice. The code is not law, but if you comply with it, you can be reasonably sure that you are following the law. In any question of legal compliance, the code is likely to be taken as the model procedure. We therefore recommend that you read it and comply.
The code aims to strike a balance between the legitimate expectations of workers that personal information about them will be handled properly, and the legitimate interests of employers in deciding how best, within the law, to run their own businesses.
It covers such issues as the obtaining of information about workers, the retention of records, access to records and disclosure of them. Not every aspect of the code will be relevant to every organisation - this will vary according to size and the nature of its business. Some of the issues addressed may arise only rarely - particularly for small businesses.
Areas covered by the code pertinent to Internet usage and email communications include:
randomly opening individual workers' e-mails or listening to their voice-mails to look for evidence of malpractice
using automated checking software to collect information about workers, for example to find out whether particular workers are sending or receiving inappropriate e-mails
examining logs of websites visited to check that individual workers are not downloading pornography
keeping recordings of telephone calls made to or from a call centre, either to listen to as part of workers training, or to simply to have a record to refer to in the event of a customer complaint about a worker
systematically checking logs of telephone numbers called to detect use of premium-rate lines
videoing workers outside the workplace, to collect evidence that they are not in fact sick
obtaining information through credit reference agencies to check that workers are not in financial difficulties
How to monitor an employee appropriately
The recommended approach is that the employer should make an impact assessment, which will result in a document setting out the scope and effects of the monitoring carried out. The assessment will reveal how far the actual monitoring is necessary and what safeguards, warning to staff and records might be appropriate.
The only practical way to ensure compliance is to appoint a suitable person to the role of monitoring officer with responsibility for both compliance with the code and employee understanding of the monitoring being undertaken. The bottom line is that monitoring must be reasonably necessary, and wherever possible, transparent.
The difficulty with email monitoring is that most employees receive private messages to their business mailbox. The business is entitled without question to access communications sent and received in the course of business. It may not be entitled to intercept, read or copy messages, which are not business, related, even if sent to a business mailbox.
This puts the business managers in a difficult situation. It may be virtually impossible to monitor business messages without inadvertently monitoring private messages.
Furthermore, since the mail boxes of most of us are half full each day of spam proposals, it may well be quite impractical to set out a policy that provides the complete privacy to employee messages that the code apparently requires.
Our advice is briefly:
read the code and ignore areas that do not apply to your particular organisation
make notes of where you can and where you cannot apply the code
put the same person in charge of compliance as deals with undertaking the monitoring
formulate an assessment, and keep it in hard copy; diarise to update it in 12 months time
so far as possible, without prejudice to the business, publicise the code to your staff
if you say you collect information for one purpose, do not use it for another
it is better to have a generous system, harshly policed than a harsh system that is badly enforced
Remember, the code is not intended to prevent you from monitoring, but to suggest how you should do so while respecting the rights of individual employee
Further information and useful documents
You can read further about how to introduce an employee policy on Internet and email usage.
If your employment contracts do not give you the irrevocable consent of your employees to process their personal data under the Data Protection Act, then we advise that you update them. Net Lawman provides a number of template employee contracts.