Eduardo Ustaran discusses the setting up of an organisation-wide data protection compliance programme, and provides practical recommendations for businesses wishing to monitor their employees' use of communications lawfully.
Virtually all UK businesses rely on collecting, storing and using information about their employees, current and potential customers, and suppliers and business partners. Under the Data Protection Act 1998, such processing of personal data is subject to data protection obligations.
"The final deadline for full compliance with the Act is 24 October 2001. It is a complex process, which requires a comprehensive and consistent management approach. Ensuring that you address it properly means adopting an organisation-wide data protection compliance programme. Typically, this involves first assessing your data processing practices and then implementing the measures needed to comply with the legislation.
You need to assess the scope of your data processing both to identify the relevant obligations affecting your business and to determine which steps you should take to meet those obligations. You should consider the following
Once you have decided which aspects of the processing are relevant from a legal perspective, you can devise and implement a plan to achieve compliance. This plan should address all relevant obligations, including the following.
Managing employees' privacy
UK businesses face a fresh management and regulatory dilemma. How do you ensure that employees meet your standards and rules while respecting their privacy and data protection rights? The UK government has attempted to provide guidance on the applicable regulatory framework. Due to the conflicting interests involved, such guidance has so far proved more controversial and confusing than helpful.
The Human Rights Act 1998 (HRA) is relevant. This provides for the courts to directly apply the provisions of the European Convention on Human Rights. It only creates direct obligations to respect human rights on organisations or persons who are acting in a public capacity, but it has a wider impact. It requires courts, where possible, to construe past or future legislation in a way that is compatible with the Convention. So, in interpreting legislation such as the Act, the courts will look to Convention rights, such as the right to respect for private and family life, home and correspondence (Article 8) and freedom of expression (Article 10).
Another main pillar in terms of the statutes governing this issue is the Regulation of Investigatory Powers Act 2000 (RIPA), which came into force on 24 October 2000. This establishes a basic and radical principle: communications must not be intercepted without consent. However, the RIPA gives the Secretary of State the power to make regulations authorising the legitimate interception of communications by businesses without consent for certain purposes.
The Department of Trade and Industry has now adopted such regulations as the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. These authorise businesses to monitor or record employees' communications for specific purposes
In addition, the Regulations authorise businesses to monitor (but not to record) employees' communications, to determine whether they are relevant to the business. However, before monitoring or recording employees' communications, you must make all reasonable efforts to inform employees that their communications maybe intercepted.
The final source of government guidance is the Draft Code of Practice on the Use of Personal Data in Employer/Employee Relationships, published on 9 October 2000 by the Office of the Data Protection Commissioner. The Code sets out the official interpretation of the data protection obligations affecting employers and provides detailed guidance as to good data protection practice in this area.
The different approaches adopted by the relevant governmental bodies have caused confusion. The main controversy has arisen as a result of the conflict between the wide scope of the purposes for which businesses are authorised to monitor employees' communications under the Regulations, and the restrictive circumstances under which monitoring can lawfully take place under the Code.
A number of decisions in courts and employment tribunals have made it clear that monitoring communications will only be lawful where employees are made aware of it, and are told the reasons for, and the extent of, such monitoring. Unless you take these steps, employees maybe able to claim constructive dismissal by arguing that your surveillance systems are a breach of the implied term of trust and confidence.
Despite the contradictions presented by the Regulations and the Code, it is possible to identify some common elements of consensus. The principles on which you should base any monitoring activity can be summarised as
Draw up an internal code of practice, setting out the authorised and restricted uses of all of the means of communications available to employees (such as the telephone, e-mail and internet access) and make sure that all employees are at least aware of its content. Consider the possibility of inserting a clause requiring informed consent to the code of practice in all contracts of employment.
Do not monitor communications unless there is a specific and legitimate business reason to do so, and that reason is set out in the code of practice.
Carry out selective monitoring rather than continuous surveillance. Only undertake continuous surveillance if the selective monitoring shows an employee to be engaged in a prohibited activity.
Ensure that those responsible for monitoring activities are fully aware of the limitations that apply to those activities, Put in place suitable measures to protect the confidentiality of any personal data collected through monitoring.
You should implement these recommendations as part of your data protection compliance programme - which itself should be an ongoing process, requiring effective communication across your organisation.
Eduardo Ustaran is a solicitor specialising in data protection issues in the computer, media and intellectual property group, Paisner & Co, Tel: 020 74271237, e-mail: firstname.lastname@example.org .
- Asset Risks
- Best Practice
- Business Continuity
- Company Risk
- Corporate Social Responsibility
- Data Protection
- Data Theft
- IT Breakdown
- IT Breakdown
- Malicious Attacks
- Physical Damage
- Physical Secuirty
- Risk Assessment
- Risk Modelling
- Risk Type
- Supply Chain Risks
- Technological Risk