Co-written by Emma Jay & Paul McCourt

Introduction

"Civilisation is the progress towards a society of privacy. The savage’s noble existence is public, ruled by the laws of his tribe. Civilisation is the process of setting men free from men".

You do not have to agree entirely with this idea to see that it contains a vital ingredient of truth. Totalitarianism and oppressive theocratic regimes have always depended on the complete absence of privacy amongst their citizens, so fostering an intolerance of minorities and independent thinkers. Democratic societies, by contrast, foster a respect for privacy as a basic human right. Establishing the correct balance between that right of privacy and the equally important democratic right of freedom of expression (which is also now part of English law as a result of the Human Rights Act) is the role of the judges in the coming years as this area of law develops.

Against this background this paper will look at the main legislation in this area, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) Regulations 2000, the Data Protection Act 1998 and the Human Rights Act 2000, and the extent to which the implementation of these, together with recent developments in case law, could suggest that there is now a common law right of privacy that will be upheld by the courts. We will then look at the Human Rights Act in the particular context of Data Protection issues and then finally what steps a prudent employer or data controller should take when monitoring employees or collecting personal data.

Much information is collected from internet users in a manner which is invisible to us as data subjects. The internet user is sometimes not aware of the fact that his personal data has been collected and further processed and might be used for purposes that are unknown to him. For example, software is available that can monitor traffic patterns, content preferences and payload information and then send this back to the ISP.

Each of us now sends the same volume of e-mails in a day that we would have sent in an entire year at the beginning of the 1990s[1]. The average worker now spends just under an hour a day managing e-mails and a third of all e-mails are not related to work or to the company. A survey by Websense of 800 employees across Europe showed that 41% of staff use the Internet for private purposes for more than 3 hours a week. With this backdrop employers are increasingly feeling the need to monitor their employees’ online habits. But this must be balanced against the employees’ right to respect for their private and family life, their home and their correspondence as enshrined in the European Convention on Human Rights (the ‘ECHR’).

Privacy issues do not just apply to computer use however. It has recently been claimed by various privacy groups that set-top boxes, the devices that allow for interactive TV and which have been touted as a possible replacement for both the PC and analogue television, allow cable and satellite companies to gather and sell huge amounts of data. Each night, via its modem, the set-top box can report back to the company every programme watched and every online purchase made during the day. In recent months a number of cable and satellite companies and hardware manufacturers have added fuel to the privacy debate by securing patents relating to interactive TV data retention.

Regulation of Investigatory Powers Act 2000 (‘RIPA’) and the Telecommunications (Lawful Business Practice) Regulations 2000 (the ‘Regulations’)

RIPA came into force on 2 October 2000. It replaced the Interception of Communications Act 1985 and is wider in scope, extending the regime governing the interception of communications to both public and private telecommunications networks. It brings together all of the relevant legislation on interception into one statute and seeks to adapt those measures to reflect current communication methods, such as email. The RIPA also ensures that the UK’s interception regime is compliant with the Telecommunications Data Protection Directive.

The RIPA covers both public and private telecommunication systems. Any private network not attached to a public system will not be covered; however, most employers’ systems are connected to a public system in order to permit e-mails to be sent to or received from external sources.

Under the RIPA, it is an offence intentionally and without lawful authority to intercept communications without either the express or implied consent of both the sender and the recipient. The offence applies equally to interceptions taking place over public and private networks. The RIPA does, however, provide a "defence" in that an interception is treated as authorised if the interceptor has consent or reasonably believes that both parties gave consent to such interception.

Anti-Terrorism, Crime and Security Act 2001

This Act was brought in hurriedly after the events of September 11th. The Act strengthens the interception and disclosure aspects of RIPA. It provides for the introduction of a "voluntary" code requiring all communications service providers (including ISPs, postal and telephone service providers) to retain the communications data of all subscribers for up to 12 months. Communications data includes email and internet traffic data. Failure to comply with the code will not lead to any criminal or civil liability. However, the Act provides that the Secretary of State can introduce a compulsory code, although the code would require Parliament’s approval.

Data retention or disclosure to public authorities could give rise to liability for a communications service provider under the Data Protection Act. The Anti-Terrorism Act avoids this by providing that a communications service provider alleged to have retained or disclosed personal data illegally can rely on the national security or prevention of crime exceptions under the Data Protection Act.

The Telecommunications (Lawful Business Practice) Regulations 2000

The RIPA has been amended by the Regulations, which came into force on 24 October 2000. The Regulations allow the interception of certain types of business communications on private networks, which would otherwise be prohibited under the RIPA. To rely on this exception, there are a number of criteria that an interceptor would have to satisfy and interception could only be made for one or more of the specified purposes.

The criteria are as follows:-

  • The interception must take place on a telecommunication system used wholly or partly in connection with the business concerned.
  • The interception must be solely for the purpose of monitoring or recording messages that are relevant to the business.
  • All reasonable efforts must be made to inform all actual and potential users of the relevant telecommunications system that messages may be intercepted.

The third requirement does not necessitate that the interceptor has to obtain specific consent from users for particular interceptions or recordings, as consensual interception is not of itself prohibited under the RIPA. It is up to the interceptor to determine what may or may not amount to "reasonable efforts to alert".

The specified purposes are as follows:-

Monitoring or keeping a record of communications in order to:

  1. establish facts
  2. ensure compliance with applicable regulatory or self regulatory practices
  3. demonstrate the standards that should be achieved relating to, for example, quality control and training.
  4. prevent crime
  5. investigate unauthorised use of telecommunications systems.
  6. secure an effective system operation
  7. determine whether they are business or personal communications.

In view of the Regulations, it is legitimate for an intercepting employer to monitor emails, for example, to protect a network from viruses or to ensure employees do not breach company rules or policies. Likewise, in relevant cases, businesses may intercept calls or emails for the purposes of quality control or staff training. The most important issue is the extent to which the Regulations allow monitoring and reading of emails or other communications marked as "private" for the purposes of ascertaining whether they are in fact business related. Where an employer has a concern over the activities of a particular individual, this may be exactly what needs to be done to identify a misdemeanour.

As can be seen from the above list, the permitted grounds upon which interception can take place are so broad that the majority of companies should be able to bring any monitoring activities of their employees’ communications within one of the permitted grounds. For example, grounds 5 or 6 could be used to determine whether an employee is acting in accordance with the company’s e-mail policy.

The Regulations have been widely criticised for their broad scope. Whilst the Regulations in isolation appear to give employers a relatively free hand as to the nature and extent of the monitoring an employer can undertake and provide a framework within which employers should be able to avoid incurring criminal or civil liability under the RIPA, there are two additional pieces of legislation which are relevant to an employer’s monitoring activities and which will have the effect of limiting the breadth of the "lawful authority" provisions contained in the Regulations: the Data Protection Act 1998 and the Human Rights Act 2000.

Data Protection Act 1998 (the ‘DPA’)

Looking first at the DPA, if businesses obtain personal data as a result of an authorised interception, they will need to ensure that any subsequent use or processing of that information complies with the principles of data protection laid out in the DPA. The DPA implemented the EU Directive on the protection of the individual with regard to the processing of personal data and states that data must be processed fairly. In determining fairness, regard must be had to the method by which the data was obtained. In order for the processing to be fair one of certain conditions must be met. These include the consent of the data subject or that the processing is necessary for the legitimate interests of the data controller without prejudice to the legitimate interests of the data subject.

The Information Commissioner has issued a draft Code of Practice entitled "The Use of Personal Data in Employer/Employee Relationships". This code of practice addresses a number of data protection issues arising under the DPA, including employer monitoring of employee communications. These guidelines do not have the force of law nor are they in a final form. The guidelines were first issued before the final form of the Regulations was available.

The guidance to employers set out in the draft Code adopts a more restrictive approach than the Regulations and highlights the importance of proportionality in carrying out any monitoring and surveillance of employees’ communications. The Code provides that not only should employees have the right not to have information about their private lives widely known but that an employee should also be able to expect "a degree of trust from his/her employer, and be given reasonable freedom to determine his/her own actions without being constantly watched or asked to explain".

The draft Code makes it clear that covert monitoring can only be justified in very limited circumstances, for example where informing employees of the monitoring would prevent the detection of crime. However, the draft Code accepts that most employers will make some checks on the quantity and quality of work produced by employees. Standards of behaviour required of employees are not in general a data protection issue. Where data protection issues arise is in monitoring by an employer to ensure compliance with its rules by its employees.

In general the draft Code provides that monitoring should only take place after first establishing there is a problem that calls for monitoring. The first step should be only to monitor the fact and duration of a call or Internet access or to record e-mail traffic, rather than the content itself. Monitoring of content should only take place where there is a real business need and the methods used should be proportionate and not unduly invasive. For example, access to pornographic sites should be prohibited through technical means rather than monitoring. Employees should be notified of any monitoring taking place, as should third parties as far as possible.

On the subject of monitoring and the overlap with the RIPA, the draft Code currently recognises that monitoring of communications does not necessarily give rise to data protection issues. Data Protection issues only arise when the interception or monitoring actually gives access to or involves the use of personal data.

Where an employee has not given "consent" to the processing, the employer will need to show either that the processing is "necessary for the performance" of the employment contract or that it is "necessary for the purposes of legitimate interest" of the employer. The second ground cannot be used where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interest of the employee. The interpretation of these concepts is key and is yet to be determined by case law. In this connection it is important to bear in mind that the Code has no statutory effect. It is of a "guidance" and "best practice" nature, rather than being the law of the land.

The Human Rights Act and the RIPA

Employers, when considering how to monitor the activities of their employees, must also have regard to the HRA and ensure that their monitoring activities do not fall foul of the HRA. The Human Rights Act came into force in the UK on 2 October 2000. The HRA brought into UK law the European Convention for the Protection of Human Rights and Fundamental Freedoms. One of these rights is the right to respect for private and family life, home and correspondence. The ECHR rights are not directly enforceable against private employers, but will still affect private employees indirectly in that courts and tribunals must interpret domestic legislation so as to be compatible with the Convention principles as far as possible.

Case law under the Convention has established that there can be a right to privacy for communications made by an employee from his or her work place where the employee has a reasonable expectation of privacy for those communications. As the HRA has only been in force a relatively short time, it remains to be seen exactly how the English courts and tribunals will determine whether a "reasonable expectation of privacy" exists. It is arguable that it should be possible to negate any "reasonable expectation of privacy" by making it clear to employees that their communications, whether private or business related, may be monitored.

The avowed intention of the RIPA is to ensure that compliance with its terms will ensure compliance with the HRA, including the right to respect for privacy and it should be noted that it is conceivable that the English concept of privacy will be developed to include a right to make private communications at work. Oftel (the UK regulator for the telecommunications industry) has issued guidelines for compliance with the HRA suggesting that employers must provide employees with some way of making private telephone calls at work without being monitored. This is usually accomplished by employers having separate payphone facilities for employees on the premises. I think it unlikely that an English court would hold that an employee is entitled to a parallel right to send private emails, at least where the employee has some means of unmonitored personal communication such as the company payphone, or their own private mobile telephone.

How the Courts will interpret the RIPA or the Regulations in the light of the HRA remains to be seen. It is uncertain whether the right to privacy granted under the ECHR can properly be negated by warning employees (as is required by the Regulations for a lawful interception) that their communications may be intercepted and are therefore not private, or whether there may be some overriding right to be able to make private communications in the workplace.

How has the Human Rights Act (Article 8) impacted on Data Protection Issues?

The acceptance of the right of the individual to a private domain as found in Article 8 of the ECHR is the basis of the DPA. The DPA is based on the European Convention on Human Rights through Treaty 108 (The Convention for the Protection of Individuals with regard to automatic processing of personal data, January 1981), the Data Protection Act 1994 and the EU directives on the protection of individuals with regard to the processing of personal data and the free movement of such data; and the processing of personal data and the protection of privacy in the telecommunications sector.[2]

Section 2 of the Human Rights Act states that a court or tribunal determining a question which has arisen in connection with a Convention right must take into account any judgement, decision, declaration or advisory opinion of the European Court of Human Rights, any opinion of the Commission, any relevant decision of the Commission and any relevant decision of the Committee of Ministers. Section 3 of the Human Rights Act requires that so far as it is possible to do so, primary and secondary legislation must be read and given effect in a way which is compatible with Convention rights.

Under the DPA a specialist tribunal, the Data Protection Tribunal, deals with appeals against decisions of the Commissioner to issue enforcement, information and special information notices. Therefore, since the coming into force of the Human Rights Act, the tribunal is under an obligation to take account of the Convention when deciding cases.

A specific example of how the HRA has impacted on the DPA can be seen in the right of access to personal data (subject access) which is found in section 7 of the DPA. Section 7 provides that an individual is entitled to:

  1. be told if personal data about him are processed by or on behalf of the data controller;
  2. be told what kind of data are processed, the purposes of the processing and the recipients of the data;
  3. be told the sources of those data if this information is available;
  4. be supplied with the logic involved in automated decision making where it has constituted or is likely to constitute the sole basis for any decision significantly affecting him;
  5. have a copy of the information constituting the data.

Subject access is a core right under the data protection regime, and can trace its roots directly to Treaty 108 and the ECHR because of the decision in Gaskin v United Kingdom [1989]. However, case law on the issue has developed in a commercial rather than a human rights context. In the case of section 7(1)(d), the right to have access to information about automated decision-making processes, the individual is entitled:

where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his credit worthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him to be informed by the data controller of the logic involved in that decision taking.

There is no guidance given as to how to interpret this or as to what level of detail explaining the decision should be given. The relative rights of the parties will depend on the interpretation of this section given by the courts. In this context the right under Article 8 of the Convention to respect for private life would suggest a wide interpretation in favour of the individual where such an automated system has, or could potentially have, a significant effect on him. And furthermore, such information should be sufficiently detailed to allow this individual to analyse the decision making process. However, the rationale behind the decision need not be supplied if the information constitutes a ‘trade secret’ (section 8(5)); again, this term is not defined, although it has been the subject of some case law. Thus the conflict arises where the level of information requested may be detailed enough for the data controller to refuse to explain the decision on the grounds that it is a trade secret.

The Convention will thus not simply affect whether there should be rights to hearings, but it will also impact the scope of the Act and the remedies.

Human Rights Act and Common Law Notions of Privacy

The HRA implements the European Convention on Human Rights ("ECHR") which provides that "everyone has the right to respect for his private and family life, his home and his correspondence." (Article 8). The ECHR is unusual, as a treaty, in that it creates rights and freedoms for individuals, which the signatory countries are obliged, by Article 1, to secure to everyone in their jurisdiction. Within the confines of the ECHR, however, those rights can only be asserted by the individual by complaint against his national government in the Strasbourg Court. The Human Rights Act lifts those rights out of the Strasbourg context by creating ‘Convention rights’ enforceable in domestic law.

It should be noted that claims based directly on the HRA are only possible for a limited group of employees - those employed by public authorities such as the civil service, Inland Revenue or the police. For employees in the private sector, a substantive claim which can stand alone is required. However, when the Courts interpret the relevant legislation relied upon by the Claimant, or indeed by the Defendant, under Section 2 of the HRA the Courts will have to have regard to the HRA and interpret the legislation in a manner consistent with the HRA.

The idea of privacy as a specific human right only became a recognised legal concept in the 20th Century. It first appeared at Article 12 of the Universal Declaration of Human Rights adopted by the General Assembly of the United Nations in 1948:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attack upon his honour and reputation.

Everyone has the right to the protection of the law against such interference or attacks."

It was also reflected in the Convention for the Protection of Human Rights and Fundamental Freedoms of the Council of Europe at Article 8 on 4 November 1950:

Article 8:

    1. Everyone has the right to respect for his private and family life, his home and his correspondence.
    2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

The media were concerned that Article 8 of the ECHR might prompt the courts to create a right of privacy. To meet their concerns about press freedom, Parliament introduced Section 12 of the Human Rights Act which directs the courts to have particular regard to the right to freedom of expression, and not to grant any interim relief to restrain publication unless satisfied that the applicant is ‘likely to establish that publication should not be allowed’ (Section 12(3)). Furthermore, where journalistic material is concerned, Section 12(4) requires the court to have regard to ‘any relevant privacy code’. The meaning and effect of Section 12 together with Articles 8 and 10 of the ECHR was the subject of debate in the courts in 3 high profile cases reported during 2001.

The first case was Douglas v "Hello!". It concerned the well-known, popular, and American actor Michael Douglas and his equally well-known, even more popular and Welsh actress wife Catherine Zeta Jones. They got married in the way Hollywood stars do in the Plaza Hotel in New York. Their marriage was an intensely "private" one, in the sense that all 250 of their friends and relations who were invited to the bash were informed on their invitation that the couple did not want any photographs of this intimate, moving, and no doubt deeply religious ceremony. Indeed so concerned were they about their privacy that they sold the exclusive world-wide rights to publish pictures of the event to that paragon of modest understatement, "OK!" magazine. "OK!" was of course intending to make considerable commercial capital out of these pictures by trumpeting them as a "World Exclusive" thereby stealing both honour and glory from their deadliest circulation rival in what might be termed the lower end of the dentists’ waiting room market, "Hello!" magazine.

What "OK!" reckoned without was the rat-like cunning of "Hello!", who succeeded in spoiling their scoop by inveigling a famous Hollywood paparazzo into the happy throng and emerging with 7 pictures of the celebrations which they proposed to publish 3 days before "OK!" were ready to do so. "OK!" sought an injunction restraining publication, and were granted one by both Mr Justice Buckley on 20th November, and by Mr Justice Hunt on 21st November 2000. On appeal, a 2 man appeal court was unable to reach agreement and a 3 man appeal court was convened on 22nd November to hear the matter. This background is important in realising that the judgment which emerged from the court a month later was of far more significance than the mere decision to discharge the injunction which they gave on 23rd November. Neither the peculiar absence of merit on the facts presented on the case, nor the extreme speed at which the litigation was conducted could dull the lustre of the silk purse which the Court of Appeal fashioned in their respective judgements. There was no snail in the ginger beer bottle, and none of Lord Atkin’s resonant prose, but it is clear that the Court decided, in giving their unanimous judgement, to lay down the foundations for the law of privacy every bit as much as the House of Lords did for the law of negligence in their famous Donoghue v Stevenson judgement in 1932.

It would take too long for present purposes to elaborate the 40 pages of the judgment. What is more important to note is the way in which the 3 judges worked together to produce an interlocking judgment that covers not only the facts of the case and their reasons for their decision but also looks in detail at the history of the developing of the law of confidence from Prince Albert v Strange in 1849, through Duchess of Argyll v Duke of Argyll in 1967, Coco v A.N.Clark in 1969, Attorney General v Guardian Newspapers in 1990 leading up to Kaye v Robertson in 1991, and beyond in the recent cases of Shelley Filus v Rex Features (1994), Barrymore v News Group Newspapers and Creation Records v News Group Newspapers in 1997. In reviewing all this authority, Brooke LJ came to the conclusion that there were sufficient grounds within it for the claimants to establish their claim for breach of confidence at trial. Brooke LJ then proceeded to look at the effect of the passing into English Law of the European Convention for the Protection of Human Rights. After a review of the cases brought on the convention right of privacy before the European Court of Human Rights, Brooke LJ’s conclusion based on the judgement in Earl Spencer v UK was that the European Court was relying on the English judges to develop English law so that it gives "appropriate recognition to article 8(i) rights".

Lord Justice Sedley proceeded to elaborate that very development in a passage in his judgement which he headed "Is there today a right of privacy in English law?" I recommend everyone who is interested in this field to read the whole of this passage, and I would defy anyone to come to a conclusion other than that the learned Lord Justice believes his question should be answered in the affirmative.

He first made the point that the common law and equity grow by slow and uneven degrees, developing reactively both to cases that need deciding and by the perceived needs of legal policy. He gave the modern law of negligence as an exemplar of the way this process works. He then said that the law of confidence has demonstrated many instances of reactivity to decided cases, but had shown little of the legal policy-making kind. Judges had hitherto felt unable to articulate their measures as a discrete law of privacy. He went on to say, employing an unconscious pun that indicated how tightly these 2 areas of law were interwoven in his thinking: "we have reached a point at which it can be said with confidence (sic) that the law recognises and will appropriately protect a right of personal privacy".

He gave 2 reasons for this assertion. First, equity and the common law are today in a position to respond to what he termed "an increasingly invasive social environment" by affirming that everybody "has a right to some personal space". This has echoes of the "right to be let alone" which Warren and Brandeis identified as the core of the right of privacy when it was being developed in the United States some hundred years ago. Sedley L.J.’s second reason for supporting the proposition that English law now recognises such a right is that the Human Rights Act 1998 requires the English courts to give appropriate effect to the right to respect for private and family life set out in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.

The reason why Sedley L J found there was a need to articulate the development of the law in the new right of privacy in Douglas was that it was possible that the photographer who had taken the pictures of the wedding was an intruder with whom no relationship of trust had been established. If he had been a guest or an employee at the hotel, then the law of confidence would, as Brooke LJ had found, give all the remedies that the claimant needed.

The rest of Sedley LJ’s judgment is a summary of not just the decided English cases but also a range of extra-judicial writings on the subject of privacy rights, both within the UK and abroad, resulting in his view that the claimants had "a right of privacy which English law will today recognise, and where appropriate, protect". And he concluded: "what a concept of privacy does.... is accord recognition to the fact that the law has to protect not only those people whose trust has been abused but those who simply find themselves subjected to an unwanted intrusion into their personal lives. The law no longer needs to construct an artificial relationship of confidentiality between intruder and victim: it can recognise privacy itself as a legal principle drawn from the fundamental value of personal autonomy".

Keene LJ, in giving his concurring judgment said that whether the resulting liability is described as breach of confidence or breach of a right to privacy may be little more than deciding what label is to be attached to the cause of action, but he went on to say that he saw merit in recognising that the original concept of breach of confidence has developed into "something different" from the commercial and employment relationships with which confidentiality is mainly concerned.

Furthermore, Keene LJ went on to give the gentlest of restatements of a previous decision of the Court: "It seems unlikely that Kaye v Robertson, which held that there was no actionable right of privacy in English law, would be decided in the same way on that aspect today". In this understated and cautious way did these 3 judges manage to combine in a masterstroke of judicial revisionism. They were at one in endorsing the concept of a right of privacy in English common law, and looking forward with enthusiasm to its further development by the judges. To say that this demonstrates the genius of the common law is to overstate the matter. What the learned Lord Justices were doing was reversing a view declared unanimously by a previous Court of Appeal (one of whose members, Lord Bingham, is now one of the senior judges in the House of Lords and would very likely have sat on any hearing of an appeal from the Douglas decision), so what it certainly demonstrates is both English law’s flexibility and its subtlety.

This issue of conflicts within the Human Rights Act, especially with regard to privacy, was also considered before Lady Justice Butler-Sloss in Venables & Thompson v News Group Newspapers & Ors in April 2001 where Douglas was affirmed and followed. In this case the balance was between press freedom, privacy and the right to life and to protection from harm. The murderers of James Bulger sought to prevent publication of their identity or whereabouts when they were released on licence. The claimants argued that publication of the information created a real risk of revenge and vigilante attacks.

Lady Justice Butler-Sloss accepted that she had to apply Article 10 directly to the case. But as a public authority the court also had a positive obligation to protect the claimants’ right to life, to protection from ill treatment and their right to respect for their private life against which the media’s freedom of expression had to be balanced.

She rejected the submission that she should create a free-standing cause of action called breach of privacy. However, building on the comments in the Douglas case, she took the view that a duty of confidence could arise in equity independently of a transaction or relationship between the parties. Such an obligation could exist where confidential information comes to the knowledge of the media in cases where they know it to be confidential. The information sought to be protected could be regarded as confidential. Furthermore, the information covered not only that which currently exists, but also information which does not yet exist, such as their future appearance and new identities. The confidentiality was based simply on the quality of the information, not the nature of any relationship. Applying the principle of proportionality, it would only be appropriate to grant injunctions where it could be convincingly demonstrated that it was strictly necessary. The deciding factor in granting the injunction was that there was a risk to the claimants’ right to life and right to protection from inhuman or degrading treatment.

The next case (A v B plc and another) decided in September 2001, was the most mysterious, concerning as it did an unnamed footballer and a Sunday newspaper. For present purposes all we need to do is to note that the judge, Mr Justice Jack, expressly recognised that the law relating to breach of confidence was in a state of growth. Furthermore, Sedley LJ’s views in Douglas were approved by the judge, in holding that the footballer was entitled to exercise a right of privacy in relation to his extra-marital cavortings.

In the final case (Adeniji v London Borough of Newham), a 10-year-old disabled child mistakenly believed she was HIV-positive after a local authority used her photograph in a leaflet promoting an AIDS awareness campaign. The photograph was taken without her consent or that of her parents. In the High Court the child was paid £55,000 in damages and legal costs. The case was decided primarily on data protection grounds but seems to allow room for a privacy interpretation as it limits the uses to which a photograph taken without consent can be put.

What Steps Should the Prudent Gardener now be Taking?

In the light of all these legal developments, what steps is it sensible for businesses, and employers, in particular, to take?

The first is to recognise that this area of the law is in a state of great flux. Monitoring developments, particularly in the courts and from the Information Commissioner, is more than usually necessary. You should ensure that someone in your organisation is deputed to follow the subject and report developments to you in a timely way. In practice this can be accomplished by plugging in to the newsflash services offered by many of the leading law firms, mine amongst them. If you want details of how you can obtain on-line delivery of the Herbert Smith Data Privacy bulletins and newsflashes, please let me have your card and I will be pleased to add you to the subscription list.

Monitoring of e-mail and other communications on private networks, which had so far remained relatively free from regulatory intrusion, is now prey to a large amount of legislation. An employer’s policy needs to have regard to the increasing amount of legislation in this area and to achieve a balance between conflicting interests. Whilst the Regulations permit an employer to monitor employee communications for a number of broad ranging purposes, curbs on the employer’s activities exist in both the HRA and the DPA. The precise nature and extent of these limitations have not yet been clearly defined.

Employers should adopt, implement and publicise a coherent policy in relation to the practices which they deem appropriate for their organisation. The policy should make clear what is (and what is not) considered to be an authorised use of the network and when interception of communication may take place. Where monitoring is to take place the employer should seek to obtain all necessary consents to the extent possible beforehand. Employees should be given reasonable notice of the monitoring activities which are taking place as it is arguable that it should be possible to negate any "reasonable expectation of privacy" by making it clear to employees that their communications, whether private or business related, may be monitored.

However, while it is sensible to ensure that the employee consent to monitoring contained in the e-mail policy and employment contract is as wide as possible, care should still be taken when an employer actually wishes to implement monitoring. Prudent employers will ensure that monitoring is only carried out if it is the only reasonable means of carrying out a legitimate business need and is proportionate to that need. A watchful eye should be kept on developments in the Information Commissioner’s draft code and in the courts generally. This is not just a hot area; it is a simmering volcano. Further judicial eruption on privacy can be predicted in the near future. With confidence, as the Court of Appeal might say.


1 Source: Gartner Group

2 Directives 95/46/EC & 97/66/EC respectively

© Herbert Smith 2002

The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.