Eduardo Ustaran discusses the setting up of an organisation-wide data protection compliance programme, and provides practical recommendations for businesses.

Eduardo Ustaran discusses the setting up of an organisation-wide data protection compliance programme, and provides practical recommendations for businesses wishing to monitor their employees' use of communications lawfully.

Virtually all UK businesses rely on collecting, storing and using information about their employees, current and potential customers, and suppliers and business partners. Under the Data Protection Act 1998, such processing of personal data is subject to data protection obligations.

"The final deadline for full compliance with the Act is 24 October 2001. It is a complex process, which requires a comprehensive and consistent management approach. Ensuring that you address it properly means adopting an organisation-wide data protection compliance programme. Typically, this involves first assessing your data processing practices and then implementing the measures needed to comply with the legislation.

You need to assess the scope of your data processing both to identify the relevant obligations affecting your business and to determine which steps you should take to meet those obligations. You should consider the following

  • whether your organisation is registered as a user of personal data with the Office of the Data Protection Commissioner
  • the instances where personal data about individuals is collected directly from those individuals and the instances where personal data about individuals is received from third parties
  • the purposes for which you use personal data, and the potential recipients of such data.
  • whether you already have any kind of data protection statement or privacy policy to inform individuals of the uses and disclosures made of their personal data
  • whether you seek consent from individuals to use their personal data
  • whether you have any procedures for ensuring that all personal data is accurate and up to date
  • whether there are any existing procedures to deal with requests by individuals to be supplied with information about the data held about them
  • whether your organisation gives individuals the opportunity to opt-out from marketing-related communications
  • what security measures you have to ensure the confidentiality of personal data
  • whether any third party processes personal data on behalf of your organisation
  • whether you share personal data with organisations outside the UK

    Once you have decided which aspects of the processing are relevant from a legal perspective, you can devise and implement a plan to achieve compliance. This plan should address all relevant obligations, including the following.

  • Notification (formerly "registration") - The obligation to register under the previous data protection regime has been replaced by a procedure that requires notifying the Office of the Data Protection Commissioner of the uses, subjects and type of personal data being processed, and of the kind of recipients of such data.
  • Fair processing condition - Under the new data protection regime, you can only process data if you meet one of a number of conditions.
  • Provision of information -All users of personal data must now have a data protection statement or privacy policy to inform the individuals to whom the data relates of the purposes for the it will be used, and of any other relevant details (such as potential recipients and whether individuals will be contacted for marketing purposes).
  • Data quality - The Act provides that personal data must be accurate, up to date and not kept for longer than needed for the purposes for which it was collected.
  • Individuals' rights - A number of rights allow individuals to exercise a certain degree of control over the way their data is used; users of the data must be prepared to honour those rights.
  • Security - You must take appropriate technical and organisational measures to prevent the unauthorised or unlawful processing or disclosure of data and accidental loss or damage.
  • International data transfers - You must not transfer personal data to countries or territories outside the EEA that do not provide an adequate level of data protection. However, you can override this prohibition by obtaining individuals' consent and adopting the "good practice approach" recommended by the Data Protection Commissioner.

    Managing employees' privacy
    UK businesses face a fresh management and regulatory dilemma. How do you ensure that employees meet your standards and rules while respecting their privacy and data protection rights? The UK government has attempted to provide guidance on the applicable regulatory framework. Due to the conflicting interests involved, such guidance has so far proved more controversial and confusing than helpful.

    The Human Rights Act 1998 (HRA) is relevant. This provides for the courts to directly apply the provisions of the European Convention on Human Rights. It only creates direct obligations to respect human rights on organisations or persons who are acting in a public capacity, but it has a wider impact. It requires courts, where possible, to construe past or future legislation in a way that is compatible with the Convention. So, in interpreting legislation such as the Act, the courts will look to Convention rights, such as the right to respect for private and family life, home and correspondence (Article 8) and freedom of expression (Article 10).

    Another main pillar in terms of the statutes governing this issue is the Regulation of Investigatory Powers Act 2000 (RIPA), which came into force on 24 October 2000. This establishes a basic and radical principle: communications must not be intercepted without consent. However, the RIPA gives the Secretary of State the power to make regulations authorising the legitimate interception of communications by businesses without consent for certain purposes.

    The Department of Trade and Industry has now adopted such regulations as the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. These authorise businesses to monitor or record employees' communications for specific purposes

  • to establish facts relevant to the business
  • to ascertain compliance with regulatory or selfregulatory practices or procedures
  • to ascertain or demonstrate standards which are or ought to be achieved by the employees
  • to prevent or detect crime
  • to investigate or detect the unauthorised use of the businesses' systems
  • to ensure the effective operation of those systems

    In addition, the Regulations authorise businesses to monitor (but not to record) employees' communications, to determine whether they are relevant to the business. However, before monitoring or recording employees' communications, you must make all reasonable efforts to inform employees that their communications maybe intercepted.

    The final source of government guidance is the Draft Code of Practice on the Use of Personal Data in Employer/Employee Relationships, published on 9 October 2000 by the Office of the Data Protection Commissioner. The Code sets out the official interpretation of the data protection obligations affecting employers and provides detailed guidance as to good data protection practice in this area.

    The different approaches adopted by the relevant governmental bodies have caused confusion. The main controversy has arisen as a result of the conflict between the wide scope of the purposes for which businesses are authorised to monitor employees' communications under the Regulations, and the restrictive circumstances under which monitoring can lawfully take place under the Code.

    Key principles
    A number of decisions in courts and employment tribunals have made it clear that monitoring communications will only be lawful where employees are made aware of it, and are told the reasons for, and the extent of, such monitoring. Unless you take these steps, employees maybe able to claim constructive dismissal by arguing that your surveillance systems are a breach of the implied term of trust and confidence.

    Despite the contradictions presented by the Regulations and the Code, it is possible to identify some common elements of consensus. The principles on which you should base any monitoring activity can be summarised as

  • reasonableness - You must be able to justify the reasons for the monitoring, and you must limit them strictly to the specific purposes set out in the Regulations
  • openness - Compliance with data protection law is about being open as to the uses and disclosures of personal information. Processing involving employees' communications falls within this.
  • proportionality - Any intrusion on an employee's privacy must be in proportion to the benefits of the monitoring to the employer

    Practical recommendations
    Draw up an internal code of practice, setting out the authorised and restricted uses of all of the means of communications available to employees (such as the telephone, e-mail and internet access) and make sure that all employees are at least aware of its content. Consider the possibility of inserting a clause requiring informed consent to the code of practice in all contracts of employment.

    Do not monitor communications unless there is a specific and legitimate business reason to do so, and that reason is set out in the code of practice.

    Carry out selective monitoring rather than continuous surveillance. Only undertake continuous surveillance if the selective monitoring shows an employee to be engaged in a prohibited activity.

    Ensure that those responsible for monitoring activities are fully aware of the limitations that apply to those activities, Put in place suitable measures to protect the confidentiality of any personal data collected through monitoring.

    You should implement these recommendations as part of your data protection compliance programme - which itself should be an ongoing process, requiring effective communication across your organisation.
    Eduardo Ustaran is a solicitor specialising in data protection issues in the computer, media and intellectual property group, Paisner & Co, Tel: 020 74271237, e-mail: .