UK: E-Mail Confusion For Business

What do you get when government departments don’t understand technology and introduce contradictory legislation? The answer is the current confusion regarding e-mail.

Let’s start with the Data Protection Act 1998 (DPA.) This was introduced by the DTI to comply with a European Union directive regarding the processing of personal data. It impacts e-mail because personal data can be sent by e-mail raising security implications. In addition, e-mail automatically contains personal data by virtue of the address. This is because "personal data" is defined as any data that identifies an individual. As e-mail goes from A to B it is processed, within the meaning of the DPA by a number of ISP’s. Not only is the processing done without the active consent of the data subject but it is also done without the knowledge of the ISP. It is simply an automatic process. When the legislation was devised I doubt if anyone gave any thought to this.

Another issue surrounds employers. Can they monitor their employees’ e-mails? This amounts to processing data, in which case it will require the consent of the employee concerned. The codes of practice issued under the DPA and regulations issued under the Regulation of Investigatory Powers Act 2000 have only added to the confusion.

A key aim of the DPA is the protection of privacy. In this regard it is in step with the second piece of legislation, the Human Rights Act 1998 (HRA) introduced by the Lord Chancellor’s Department. This was introduced to introduce the European Convention of Human Rights into UK law. Amongst the convention Articles is a right to privacy. This has caused major concern for employers. Are they allowed to monitor e-mails within the workplace? Surely this is a breach of the right to privacy. Unfortunately no one thought this through when the legislation was introduced. Once again, legislation has come into force which has potentially unforeseen consequences due to a lack of understanding of technology.

At least the HRA and DPA have a common aim, to protect the privacy of the individual. Now enter the Home Office with the Regulation of Investigatory Powers Act 2000 appropriately known as RIP. It was passed into law with the intention of providing law enforcement agencies with powers to intercept and decrypt e-mails as part of criminal investigations. In so doing it drives a coach and horses through individual privacy. ISP’s are required to provide the means to enable private e-mails to be monitored. The RIP also contains provisions to force people to provide the key to encrypted e-mails to law enforcement agencies. This does not square with the right of privacy contained in the HRA. It is the view of many lawyers that the RIP conflicts with the HRA and may be challenged in the courts.

There are a number of problems. First those drafting legislation have not understood fully the impact of new technology on business. Second, government departments have failed to work together to produce a coordinated legislative approach. Third, none of the legislation has been tested in the courts. This means that there has been no opportunity for the courts to iron out some of the contradictions.

So how should businesses proceed? It is recommended that companies should introduce communications policies so that there are clear internal procedures regulating the use of e-mail and the Internet.

A company policy should make clear to employees that e-mail and Internet access are provided as business tools and that the employer reserves the right to access any messages. An e-mail sent by an employee will contain, at the very least, the employer’s e-mail address. It may also contain other business details. It is therefore reasonable to treat e-mails in the same way as business letters, which also have the company’s details on them and to which no right to privacy applies. It is unclear whether there is a right for an employee to send personal e-mails using the office system. There is a right to make some personal phone calls but the issue of e-mails is currently unclear. One possible route is to ban private e-mails using the office system but to allow employees to have a private hotmail or other web based e-mail address.

Until matters are clarified by the courts businesses can best protect themselves by demonstrating a common sense approach balancing the needs of employees and employers.