UK: Data Protection & Privacy - Practical Tools for Changing your Working Environment - Will Imported Hybrid "Privacy" Survive the Common Law Jungle?

Last Updated: 25 February 2002
Article by Christopher Rees

Co-written by Emma Jay & Paul McCourt


"Civilisation is the progress towards a society of privacy. The savage’s noble existence is public, ruled by the laws of his tribe. Civilisation is the process of setting men free from men".

You do not have to agree entirely with this idea to see that it contains a vital ingredient of truth. Totalitarianism and oppressive theocratic regimes have always depended on the complete absence of privacy amongst their citizens, so fostering an intolerance of minorities and independent thinkers. Democratic societies, by contrast, foster a respect for privacy as a basic human right. Establishing the correct balance between that right of privacy with the equally important democratic right of freedom of expression (which is also now part of English law as a result of the Human Rights Act) is the role of the judges in the coming years as this area of law develops.

Against this background this paper will look at the main legislation in this area, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) Regulations 2000, the Data Protection Act 1998 and the Human Rights Act 2000, and the extent to which the implementation of these, together with recent developments in case law could suggest that there is now a common law right of privacy that will be upheld by the courts. We will then look at the Human Rights Act in the particular context of Data Protection issues and then finally what steps a prudent employer or data controller should take when monitoring employees or collecting personal data.

Much information is collected from internet users in a manner which is invisible to us as data subjects. The internet user is sometimes not aware of the fact that his personal data has been collected and further processed and might be used for purposes that are unknown to him. For example, software is available that can monitor traffic patterns, content preferences and payload information and then send this back to the ISP.

Each of us now sends the same volume of e-mails in a day that we would have sent in an entire year at the beginning of the 1990s1. The average worker now spends just under an hour a day managing e-mails and a third of all e-mails are not related to work or to the company. A survey by Websense of 800 employees across Europe showed that 41% of staff use the Internet for private purposes for more than 3 hours a week. With this backdrop employers are increasingly feeling the need to monitor their employees’ online habits. But this must be balanced against the employees’ right to respect for their private and family life, their home and their correspondence as enshrined in the European Convention on Human Rights (the ‘ECHR’).

Privacy issues do not just apply to computer use however. It has recently been claimed by various privacy groups that set-top boxes, the devices that allow for interactive TV and which have been touted as a possible replacement for both the PC and analogue television, allow cable and satellite companies to gather and sell huge amounts of data. Each night, via its modem, the set-top box can report back to the company every programme watched and every online purchase made during the day. In recent months a number of cable and satellite companies and hardware manufacturers have added fuel to the privacy debate by securing patents relating to interactive TV data retention.

Regulation of Investigatory Powers Act 2000 (‘RIPA’) and the Telecommunications (Lawful Business Practice) Regulations 2000 (the ‘Regulations’)

RIPA came into force on 2 October 2000. It replaced the Interception of Communications Act 1985 and is wider in scope, extending the regime governing the interception of communications to both public and private telecommunications networks. It brings together all of the relevant legislation on interception into one statute and seeks to adapt those measures to reflect current communication methods, such as email. The RIPA also ensures that the UK’s interception regime is compliant with the Telecommunications Data Protection Directive.

The RIPA covers both public and private telecommunication systems. Any private network not attached to a public system will not be covered, however, most employers’ systems are connected to a public system in order to permit e-mails to be sent to or received from external sources.

Under the RIPA, it is an offence intentionally and without lawful authority to intercept communications without either the express or implied consent of both the sender and the recipient. The offence applies equally to interceptions taking place over public and private networks. The RIPA does, however, provide a "defence" in that an interception is treated as authorised if the interceptor has consent or reasonably believes that both parties gave consent to such interception.

Anti-Terrorism, Crime and Security Act 2001

This Act was brought in hurriedly after the events of September 11th. The Act strengthens the interception and disclosure aspects of RIPA. It provides for the introduction of a "voluntary" code requiring all communications service providers (including ISPs, postal and telephone service providers) to retain the communications data of all subscribers for up to 12 months. Communications data includes email and internet traffic data. Failure to comply with the code will not lead to any criminal or civil liability. However the act provides that the Secretary of State can introduce a compulsory code, although the code would require Parliament’s approval.

Data retention or disclosure to public authorities could give rise to liability for a communications service provider under the Data Protection Act. The Anti-Terrorism Act avoids this by providing that a communications service provider alleged to have retained or disclosed personal data illegally can rely on the national security or prevention of crime exceptions under the Data Protection Act.

The Telecommunications (Lawful Business Practice) Regulations 2000

The RIPA has been amended by the Regulations, which came into force on 24 October 2000. The Regulations allow the interception of certain types of business communications on private networks, which would otherwise be prohibited under the RIPA. To rely on this exception, there are a number of criteria that an interceptor would have to satisfy and interception could only be made for one or more of the specified purposes.

The criteria are as follows:-

  • The interception must take place on a telecommunication system used wholly or partly in connection with the business concerned.
  • The interception must be solely for the purpose of monitoring or recording messages that are relevant to the business.
  • All reasonable efforts must be made to inform all actual and potential users of the relevant telecommunications system that messages may be intercepted.

The third requirement does not necessitate that the interceptor has to obtain specific consent from users for particular interceptions or recordings, as consensual interception is not of itself prohibited under the RIPA. It is up to the interceptor to determine what may or may not amount to "reasonable efforts to alert".

The specified purposes are as follows:-

Monitoring or keeping a record of communications in order to:

  1. establish facts
  2. ensure compliance with applicable regulatory or self regulatory practices
  3. demonstrate the standards that should be achieved relating to, for example, quality control and training.
  4. prevent crime
  5. investigate unauthorised use of telecommunications systems.
  6. secure an effective system operation
  7. determine whether they are business or personal communications.

In view of the Regulations, it is legitimate for an intercepting employer to monitor emails, for example, to protect a network from viruses or to ensure employees do not breach company rules or policies. Likewise, in relevant cases, businesses may intercept calls or emails for the purposes of quality control or staff training. The most important issue is the extent to which the Regulations allow monitoring and reading of emails or other communications marked as "private" for the purposes of ascertaining whether they are in fact business related. Where an employer has a concern over the activities of a particular individual, this may be exactly what needs to be done to identify a misdemeanour.

As can be seen from the above list the permitted grounds upon which interception can take place are so broad that the majority of companies should be able to bring any monitoring activities of its employees’ communications within one of the permitted grounds. For example, grounds (v) or (vi) could be used to determine whether an employee is acting in accordance with the company’s e-mail policy.

The Regulations have been widely criticised for their broad scope. Whilst the Regulations in isolation appear to give employers a relatively free hand as to the nature and extent of the monitoring an employer can undertake and provide a framework within which employers should be able to avoid incurring criminal or civil liability under the RIPA, there are two additional pieces of legislation which are relevant to an employer’s monitoring activities and which will have the effect of limiting the breadth of the "lawful authority" provisions contained in the Regulations: the Data Protection Act 1998 and the Human Rights Act 2000.

Data Protection Act 1998 (the ‘DPA’)

Looking first at the DPA, if businesses obtain personal data as a result of an authorised interception, they will need to ensure that any subsequent use or processing of that information complies with the principles of data protection laid out in the DPA. The DPA implemented the EU Directive on the protection of the individual with regard to the processing of personal data and states that data must be processed fairly. In determining fairness, regard must be had to the method by which the data was obtained. In order for the processing to be fair one of certain conditions must be met. These include the consent of the data subject or that the processing is necessary for the legitimate interests of the data controller without prejudice to the legitimate interests of the data subject.

The Information Commissioner has issued a draft Code of Practice entitled "The Use of Personal Data in Employer/Employee Relationships". This code of practice addresses a number of data protection issues arising under the DPA, including employer monitoring of employee communications. These guidelines do not have the force of law nor are they in a final form. The guidelines were first issued before the final form of the Regulations were available.

The guidance to employers set out in the draft Code adopts a more restrictive approach than the Regulations and highlights the importance of proportionality in carrying out any monitoring and surveillance of employees’ communications. The Code provides that not only should employees have the right not to have information about their private lives widely known but that an employee should also be able to expect "a degree of trust from his/her employer, and be given reasonable freedom to determine his/her own actions without being constantly watched or asked to explain".

The draft Code makes it clear that covert monitoring can only be justified in very limited circumstances. For example, where informing employees of the monitoring would prevent the detection of crime, but the draft Code accepts that most employers will make some checks on the quantity and quality of work produced by employees. Standards of behaviour required of employees are not in general a data protection issue. Where data protection issues arise is in monitoring by an employer to ensure compliance with its rules by its employees.

In general the draft Code provides that monitoring should only take place after first establishing there is a problem that calls for monitoring. The first step should be only to monitor the fact and duration of a call or Internet access or to record e-mail traffic, rather than the content itself. Monitoring of content should only take place where there is a real business need and the methods used should be proportionate and not unduly invasive. For example, access to pornographic sites should be prohibited through technical means rather than monitoring. Employees should be notified of any monitoring taking place, as should third parties as far as possible.

On the subject of monitoring and the overlap with the RIPA, the draft Code currently recognises that monitoring of communications does not necessarily give rise to data protection issues. Data Protection issues only arise when the interception or monitoring actually gives access to or involves the use of personal data.

Where an employee has not given "consent" to the processing, the employer will need to show either that the processing is "necessary for the performance" of the employment contract or that it is "necessary for the purposes of legitimate interest" of the employer. The second ground cannot be used where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interest of the employee. The interpretation of these concepts is key and is yet to be determined by case law. In this connection it is important to bear in mind that the Code has no statutory effect. It is of "guidance" and "best practice" nature, rather than being the law of the land.

The Human Rights Act and the RIPA

Employers, when considering how to monitor the activities of its employees, must also have regard to the HRA and ensure that its monitoring activities do not fall foul of the HRA. The Human Rights Act came into force in the UK on 2 October 2000. The HRA brought into UK law the European Convention for the Protection of Human Rights and Fundamental Freedoms. One of these rights is the right to respect for private and family life, home and correspondence. The ECHR rights are not directly enforceable against private employers, but will still affect private employees indirectly in that courts and tribunals must interpret domestic legislation so as to be compatible with the Convention principles as far as possible.

Case law under the Convention has established that there can be a right to privacy for communications made by an employee from his or her work place where the employee has a reasonable expectation of privacy for those communications. As the HRA has only been in force a relatively short time, it remains to be seen exactly how the English courts and tribunals will determine whether a "reasonable expectation of privacy" exists. It is arguable that it should be possible to negate any "reasonable expectation of privacy" by making it clear to employees that their communications, whether private or business related, may be monitored.

The avowed intention of the RIPA is to ensure that compliance with its terms will ensure compliance with the HRA, including the right to respect for privacy and it should be noted that it is conceivable that the English concept of privacy will be developed to include a right to make private communications at work. Oftel (the UK regulator for the telecommunications industry) has issued guidelines for compliance with the HRA suggesting that employers must provide employees with some way of making private telephone calls at work without being monitored. This is usually accomplished by employers having separate payphone facilities for employees on the premises. I think it unlikely that an English court would hold that an employee is entitled to a parallel right to send private emails, at least where the employee has some means of unmonitored personal communication such as the company payphone, or their own private mobile telephone.

How the Courts will interpret the RIPA or the Regulations in the light of the HRA remains to be seen. It is uncertain whether the right to privacy granted under the ECHR can properly be negated by warning employees (as is required by the Regulations for a lawful interception) that their communications may be intercepted and are therefore not private, or whether there may be some overriding right to be able to make private communications in the workplace.

How has the Human Rights Act (Article 8) impacted on Data Protection Issues?

The acceptance of the right of the individual to a private domain as found in Article 8 of the ECHR is the basis of the DPA. The DPA is based on the European Convention on Human Rights through Treaty 108 (The Convention for the Protection of Individuals with regard to automatic processing of personal data, January 1981), the Data Protection Act 1994 and the EU directives on the protection of individuals with regard to the processing of personal data and the free movement of such data; and the processing of personal data and the protection of privacy in the telecommunications sector.2

Section 2 of the Human Rights Act states that a court or tribunal determining a question which has arisen in connection with a Convention right, must take into account any judgement, decision, declaration or advisory opinion of the European Court of Human Rights, any opinion of the Commission, and relevant decision of the Commission and any relevant decision of the Committee of Ministers. Section 3 of the Human Rights Act requires that so far as it is possible to do so, primary and secondary legislation must be read and given effect in a way which is compatible with Convention rights.

Under the DPA a specialist tribunal, the Data Protection Tribunal, deals with appeals against decisions of the Commissioner to issue enforcement, information and special information notices. Therefore, since the coming into force of the Human Rights Act, the tribunal is under an obligation to take account of the Convention when deciding cases.

A specific example of how the HRA has impacted on the DPA can be seen in the right of access to personal data (subject access) which is found in section 7 of the DPA. Section 7 provides that an individual is entitled to:

  1. be told if personal data about him are processed by or on behalf of the data controller;
  2. be told what kind of data are processed, the purposes of the processing and the recipients of the data;
  3. be told the sources of those data if this information is available;
  4. be supplied with the logic involved in automated decision making where it has constituted or is likely to constitute the sole basis for any decision significantly affecting him;
  5. have a copy of the information constituting the data.

Subject access is a core right under the data protection regime, and can trace its roots directly to Treaty 108 and the ECHR because of the decision in Gaskin v United Kingdom [1989]. However, case law on the issue has developed in a commercial rather than a human rights context. In the case of section 7(1)(d), the right to have access to information about automated decision-making processes, the individual is entitled:

where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his credit worthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him to be informed by the data controller of the logic involved in that decision taking.

There is no guidance given as to how to interpret this or as to what level of detail explaining the decision should be given. The relative rights of the parties will depend on the interpretation to this section given by the courts. In this context the right under Article 8 of the Convention to respect for private life would suggest a wide interpretation in favour of the individual where such an automated system has, or could potentially have, a significant effect on him. And furthermore, such information should be sufficiently detailed to allow this individual to analyse the decision making process. However, the rationale behind the decision need not be supplied if the information constitutes a ‘trade secret’ (section 8(5)), again this term is not defined although has been the subject of some case law. Thus the conflict arises where the level of information requested may be detailed enough for the data controller to refuse to explain the decision on the grounds that it is a trade secret.

The Convention will thus not simply affect whether there should be rights to hearings, but it will also impact the scope of the Act and the remedies.

Human Rights Act and Common Law Notions of Privacy

The HRA implements the European Convention on Human Rights ("ECHR") which provides that "everyone has the right to respect for his private and family life, his home and his correspondence." (Article 8). The ECHR is unusual, as a treaty, in that it creates rights and freedoms for individuals, which the signatory countries are obliged, by Article 1, to secure to everyone in their jurisdiction. Within the confines of the ECHR, however, those rights can only be asserted by the individual by complaint against his national government in the Strasbourg Court. The Human Rights Act lifts those rights out of the Strasbourg context by creating ‘Convention rights’ enforceable in domestic law.

It should be noted that claims based directly on the HRA are only possible for a limited group of employees - those employed by public authorities such as the civil service, Inland Revenue or the police. For employees in the private sector, a substantive claim which can stand alone is required. However, when the Courts interpret the relevant legislation relied upon by the Claimant, or indeed by the Defendant, under Section 2 of the HRA the Courts will have to have regard to the HRA and interpret the legislation in a manner consistent with the HRA.

The idea of privacy as a specific human right only became a recognised legal concept in the 20th Century. It first appeared at Article 12 of the Universal Declaration of Human Rights adopted by the General Assembly of the United Nations in 1948:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attack upon his honour and reputation.

Everyone has the right to the protection of the law against such interference or attacks."

It was also reflected in the Convention for the Protection of Human Rights and Fundamental Freedom of the Council of Europe at Article 8 on 4 November 1950:

Article 8:

    1. Everyone has the right to respect for his private and family life, his home and his correspondence.
    2. There shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health, or morals, or for the protection of the rights and freedoms of others.

The media were concerned that Article 8 of the ECHR might prompt the courts to create a right of privacy. To meet their concerns about press freedom, Parliament introduced Section 12 of the Human Rights Act which directs the courts to have particular regard to the right to freedom of expression, and not to grant any interim relief to restrain publication unless satisfied that the applicant is ‘likely to establish that publication should not be allowed’ (Section 12(3)). Furthermore, where journalistic material is concerned, Section 12(4) requires the court to have regard to ‘any relevant privacy code’. The meaning and effect of Section 12 together with Articles 8 and 10 of the ECHR was the subject of debate in the courts in 3 high profile cases reported during 2001.

The first case was Douglas v "Hello!" It concerned the well-known, popular, and American actor Michael Douglas and his equally well-known, even more popular and Welsh actress wife Catherine Zeta Jones. They got married in the way Hollywood stars do in the Plaza Hotel in New York. Their marriage was an intensely "private" one, in the sense that all 250 of their friends and relations who were invited to the bash were informed on their invitation that the couple did not want any photographs of this intimate, moving, and no doubt deeply religious ceremony. Indeed so concerned were they about their privacy that they sold the exclusive world-wide rights to publish pictures of the event to that paragon of modest understatement, "OK!" magazine. "OK!" was of course intending to make considerable commercial capital out of these pictures by trumpeting them as a "World Exclusive" thereby stealing both honour and glory from their deadliest circulation rival in what might be termed the lower end of the dentists’ waiting room market, "Hello!"magazine.

What "OK!" reckoned without was the rat-like cunning of "Hello!", who succeeded in spoiling their scoop by inveigling a famous Hollywood paparazzo into the happy throng and emerging with 7 pictures of the celebrations which they proposed to publish 3 days before "OK!" were ready to do so. "OK!" sought an injunction restraining publication, and were granted one by both Mr Justice Buckley on 20th November, and by Mr Justice Hunt on 21st November 2000. On appeal, a 2 man appeal court was unable to reach agreement and a 3 man appeal court was convened on 22nd November to hear the matter. This background is important in realising that the judgment which emerged from the court a month later was of far more significance than the mere decision to discharge the injunction which they gave on 23rd November. Neither the peculiar absence of merit on the facts presented on the case, nor the extreme speed at which the litigation was conducted could dull the lustre of the silk purse which the Court of Appeal fashioned in their respective judgements. There was no snail in the ginger beer bottle, and none of Lord Atkin’s resonant prose, but it is clear that the Court decided, in giving their unanimous judgement, to lay down the foundations for the law of privacy every bit as much as the House of Lords did for the law of negligence in their famous Donoghue v Stevenson judgement in 1932.

It would take too long for present purposes to elaborate the 40 pages of the judgment. What is more important to note is the way in which the 3 judges worked together to produce an interlocking judgment that covers not only the facts of the case and their reasons for their decision but also to look in detail at the history of the developing of the law of confidence from Prince Albert v Strange in 1849, through Duchess of Argyll v Duke of Argyll in 1967, Coco v A.N.Clark in 1969, Attorney General v Guardian Newspapers in 1990 leading up to Kaye v Robertson in 1991, and beyond in the recent cases of Shelley Filus v Rex Features (1994), Barrymore v News Group Newspapers and Creation Records v News Group Newspapers in 1997. In reviewing all this authority, Brooke LJ came to the conclusion that there were sufficient grounds within it for the claimants to establish their claim for breach of confidence at trial. Brooke LJ then proceeded to look at the effect of the passing into English Law of the European Convention for the Protection of Human Rights. After a review of the cases brought on the convention right of privacy before the European Court of Human Rights Brooke’ LJ’s conclusion based on the judgement in Earl Spencer v UK was that the European Court was relying on the English judges to develop English law so that it gives "appropriate recognition to article 8(i) rights"

Lord Justice Sedley proceeded to elaborate that very development in a passage in his judgement which he headed "Is there today a right of privacy in English law?" I recommend everyone who is interested in this field to read the whole of this passage, and I would defy anyone to come to a conclusion other than that the learned Lord Justice believes his question should be answered in the affirmative.

He first made the point that the common law and equity grow by slow and uneven degrees, developing reactively both to cases that need deciding and by the perceived needs of legal policy. He gave the modern law of negligence as an exemplar of the way this process works. He then said that the law of confidence has demonstrated many instances of reactivity to decided cases, but had shown little of the legal policy-making kind. Judges had hitherto felt unable to articulate their measures as a discrete law of privacy. He went on to say, employing an unconscious pun that indicated how tightly these 2 areas of law were interwoven in his thinking: "we have reached a point at which it can be said with confidence (sic) that the law recognises and will appropriately protect a right of personal privacy".

He gave 2 reasons for this assertion. First, equity and the common law are today in a position to respond to what he termed "an increasingly invasive social environment" by affirming that everybody "has a right to some personal space". This has echoes of the "right to be let alone" which Warren and Brandeis identified as the core of the right of privacy when it was being developed in the United States some hundred years ago. Sedley L.J.’s second reason for supporting the proposition that English law now recognises such a right is that the Human Rights Act 1998 requires the English courts to give appropriate effect to the right to respect for private and family life set out in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.

The reason why Sedley L J found there was a need to articulate the development of the law in the new right of privacy in Douglas was that it was possible that the photographer who had taken the pictures of the wedding was an intruder with whom no relationship of trust had been established. If he had been a guest or an employee at the hotel, then the law of confidence would, as Brooke LJ had found, give all the remedies that the claimant needed.

The rest of Sedley LJ’s judgment is a summary of not just the decided English cases but also a range of extra-judicial writings on the subject of privacy rights, both within the UK and abroad, resulting in his view that the claimants had "a right of privacy which English law will today recognise, and where appropriate, protect". And he concluded: "what a concept of privacy does.... is accord recognition to the fact that the law has to protect not only those people whose trust has been abused but those who simply find themselves subjected to an unwanted intrusion into their personal lives. The law no longer needs to construct an artificial relationship of confidentiality between intruder and victim: it can recognise privacy itself as a legal principle drawn from the fundamental value of personal autonomy".

Keene LJ, in giving his concurring judgment said that whether the resulting liability is described as breach of confidence or breach of a right to privacy may be little more than deciding what label is to be attached to the cause of action, but he went on to say that he saw merit in recognising that the original concept of breach of confidence has developed into "something different" from the commercial and employment relationships with which confidentiality is mainly concerned.

Furthermore, Keene LJ went on to give the gentlest of restatements of a previous decision of the Court: "It seems unlikely that Kaye v Robertson, which held that there was no actionable right of privacy in English law, would be decided in the same way on that aspect today". In this understated and cautious way did these 3 judges manage to combine in a masterstroke of judicial revisionism. They were at one in endorsing the concept of a right of privacy in English common law, and looking forward with enthusiasm to its further development by the judges. To say that this demonstrates the genius of the common law is to overstate the matter. What the learned Lord Justices were doing was reversing a view declared unanimously by a previous Court of Appeal, (one of whose members is Lord Bingham is now one of the senior judges in the House of Lords and would very likely have sat on any hearing of an appeal from the Douglas decision) so what certainly demonstrates both is both English law’s flexibility and its subtlety.

This issue of conflicts within the Human Rights Act, especially with regard to privacy, was also considered before Lady Justice Butler-Sloss in Venables & Thompson v News Group Newspapers & Ors in April 2001 where Douglas was affirmed and followed. In this case the balance was between press freedom, privacy and the right to life and to protection from harm. The murderers of James Bulger sought to prevent publication of their identity or whereabouts when they were released on licence. The claimants argued that publication of the information created a real risk of revenge and vigilante attacks.

Lady Justice Butler-Sloss accepted that she had to apply Article 10 directly to the case. But as a public authority the court also had a positive obligation to protect the claimants’ right to life, to protection from ill treatment and their right to respect for their private life against which the media’s freedom of expression had to be balanced.

She rejected the submission that she should create a free-standing cause of action called breach of privacy. However, building on the comments in Douglas case she took the view that a duty of confidence could arise in equity independently of a transaction or relationship between the parties. Such an obligation could exist where confidential information comes to the knowledge of the media in cases where they know it to be confidential. The information sought to be protected could be regarded as confidential. Furthermore, the information covered not only that which currently exists, but also information which does not yet exist, such as their future appearance and new identities. The confidentiality was based simply on the quality of the information, not the nature of any relationship. Applying the principle of proportionality, it would only be appropriate to grant injunctions where it could be convincingly demonstrated that it was strictly necessary. The deciding factor in granting the injunction was that there was a risk to the claimants’ right to life and right to protection from inhuman or degrading treatment.

The next case (A v B plc and another) decided in September 2001, was the most mysterious, concerning as it did an unnamed footballer and a Sunday newspaper. For present purposes all we need to do is to note that the judge, Mr Justice Jack, expressly recognised that the law relating to breach of confidence was in a state of growth. Furthermore, Sedley LJ’s views in Douglas were approved by the judge, in holding that the footballer was entitled to exercise a right of privacy in relation to his extra-marital cavortings.

In the final case (Adeniji v London Borough of Newham), a 10 year old disabled child mistakenly believed she was HIV-positive after a local authority used her photograph in a leaflet promoting an AIDs awareness campaign. The photograph was taken without her consent or that of her parents. In the High Court the child was paid £55,000 in damages and legal costs. The case was decided primarily on data protection grounds but seems to allow room for a privacy interpretation as it limits the uses to which a photograph taken without consent can be put.

What Steps Should the Prudent Gardener now be Taking?

In the light of all these legal developments, what steps is it sensible for businesses, and employers, in particular, to take?

The first is to recognise that this area of the law is in a state of great flux. Monitoring developments, particularly in the courts and from the Information Commissioner is more than usually necessary. You should ensure that someone in your organisation is deputed to follow the subject and report developments to you to in a timely way. In practice this can be accomplished by plugging in to the newsflash services offered by many of the leading law firms, mine amongst them. If you want details of how you can obtain on-line delivery of the Herbert Smith Data Privacy bulletins and newsflashes, please let me have your card and I will be pleased to add you to the subscription list.

Monitoring of e-mail and other communications on private networks, which had so far remained relatively free from regulatory intrusion, is now prey to a large amount of legislation. An employer’s policy needs to have regard to the increasing amount of legislation in this area and to achieve a balance between conflicting interests. Whilst the Regulations permit an employer to monitor employee communications for a number of broad ranging purposes, curbs on the employer’s activities exist in both the HRA and the DPA. The precise nature and extent of these limitations has not yet been clearly defined.

Employers should adopt, implement and publicise a coherent policy in relation to the practices which they deem appropriate for their organisation. The policy should make clear what is (and what is not) considered to be an authorised use of the network and when interception of communication may take place. Where monitoring is to take place the employer should seek to obtain all necessary consents to the extent possible beforehand. Employees should be given reasonable notice of the monitoring activities which are taking place as it is arguable that it should be possible to negate any "reasonable expectation of privacy" by making it clear to employees that their communications, whether private or business related, may be monitored.

However, while it is sensible to ensure that the employee consent to monitoring contained in the e-mail policy and employment contract is as wide as possible, care should still be taken when an employer actually wishes to implement monitoring. Prudent employers will ensure that monitoring is only carried out if it is the only reasonable means of carrying out a legitimate business need and is proportionate to that need. A watchful eye should be kept on developments in the Information Commissioner’s draft code and in the courts generally. This is not just a hot area; it is a simmering volcano. Further judicial eruption on privacy can be predicted in the near future. With confidence, as the Court of Appeal might say.

1 Source: Gartner Group

2 Directives 95/46/EC & 97/66/EC respectively

"© Herbert Smith 2002

The content of this article does not constitute legal advice and should not be relied on as such. Specific advice should be sought about your specific circumstances.

For more information on this or other Herbert Smith publications, please email us."

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.


Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.


Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.


A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.


This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.


If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.


This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at and we will use commercially reasonable efforts to determine and correct the problem promptly.