Monitoring Internet and e-mail in the workplace

Article reference: UK-IA-EMP39
Last updated: December 2020 | 5 min read

The law relating to this subject is contained in the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (TICR). 

Additionally, the Data Protection Registrar has published a code of best practice in a booklet entitled The employment practices data protection code: part 3: monitoring at work that gives practical advice on monitoring Internet and e-mail use at work.

The TICR may authorise an interception of work email. If email is intercepted, then monitoring is covered by the Regulation of Investigatory Powers Act 2000 (RIPA). Any sort of monitoring also constitutes processing of personal data under the Data Protection Act (DPA).

Your contracts of employment should include provision for irrevocable consent by your employees to process their personal data.

Interpretation of the law

The code published by the Data Protection Registrar is intended to help you to comply with the DPA and to encourage you to adopt good practice. The code is not law, but if you comply with it, you can be reasonably sure that you are following the law. In any question of legal compliance, the code is likely to be taken as the model procedure. We therefore recommend that you read it and comply.

The code aims to strike a balance between the legitimate expectations of workers that personal information about them will be handled properly, and the legitimate interests of employers in deciding how best, within the law, to run their own businesses.

It covers such issues as the obtaining of information about workers, the retention of records, access to records and disclosure of them. Not every aspect of the code will be relevant to every organisation - this will vary according to size and the nature of its business. Some of the issues addressed may arise only rarely - particularly for small businesses.

Areas covered by the code pertinent to Internet usage and email communications include:

  • randomly opening individual workers' e-mails or listening to their voice-mails to look for evidence of malpractice

  • using automated checking software to collect information about workers, for example to find out whether particular workers are sending or receiving inappropriate e-mails

  • examining logs of websites visited to check that individual workers are not downloading pornography

  • keeping recordings of telephone calls made to or from a call centre, either to listen to as part of workers training, or to simply to have a record to refer to in the event of a customer complaint about a worker

  • systematically checking logs of telephone numbers called to detect use of premium-rate lines

  • videoing workers outside the workplace, to collect evidence that they are not in fact sick

  • obtaining information through credit reference agencies to check that workers are not in financial difficulties

How to monitor an employee appropriately

The recommended approach is that the employer should make an impact assessment, which will result in a document setting out the scope and effects of the monitoring carried out. The assessment will reveal how far the actual monitoring is necessary and what safeguards, warning to staff and records might be appropriate.

The only practical way to ensure compliance is to appoint a suitable person to the role of monitoring officer with responsibility for both compliance with the code and employee understanding of the monitoring being undertaken. The bottom line is that monitoring must be reasonably necessary, and wherever possible, transparent.

The difficulty with email monitoring is that most employees receive private messages to their business mailbox. The business is entitled without question to access communications sent and received in the course of business. It may not be entitled to intercept, read or copy messages, which are not business, related, even if sent to a business mailbox.

This puts the business managers in a difficult situation. It may be virtually impossible to monitor business messages without inadvertently monitoring private messages.

Furthermore, since the mail boxes of most of us are half full each day of spam proposals, it may well be quite impractical to set out a policy that provides the complete privacy to employee messages that the code apparently requires.

Our advice is briefly:

  • read the code and ignore areas that do not apply to your particular organisation

  • make notes of where you can and where you cannot apply the code

  • put the same person in charge of compliance as deals with undertaking the monitoring

  • formulate an assessment, and keep it in hard copy; diarise to update it in 12 months time

  • so far as possible, without prejudice to the business, publicise the code to your staff

  • if you say you collect information for one purpose, do not use it for another

  • it is better to have a generous system, harshly policed than a harsh system that is badly enforced

Remember, the code is not intended to prevent you from monitoring, but to suggest how you should do so while respecting the rights of individual employee

Further information and useful documents

You can read further about how to introduce an employee policy on Internet and email usage.

If your employment contracts do not give you the irrevocable consent of your employees to process their personal data under the Data Protection Act, then we advise that you update them. Net Lawman provides a number of template employee contracts.

© 2000 - 2024 Net Lawman Limited.
All rights reserved