The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
Provisions of the Regulation of Investigatory Powers Act 2000 ("the RIPA") which came into force on 2 and 24 October 20001 make it unlawful for an employer (or someone else with its express or implied consent) to intercept a communication in the course of its transmission by means of a private telecommunication system (see below under "Key definitions") unless:
References in this article to sections and regulations are to sections of the RIPA and regulations of the Regulations.
Key definitions
A "communication" includes "anything comprising speech, music, sounds, visual images or data of any description" (s.81(1)), and will be treated as being transmitted when it is being stored on the system in a way that enables the intended recipient to collect or otherwise have access to it3 (s.2(7)).
A "private telecommunication system" is any telecommunication system that is not a public telecommunication system but is attached to such a system (s.2(1)). It therefore includes an office network linked to a public telecommunication system by a private exchange, but not an entirely self-standing system such as a secure office intranet.
A person intercepts a communication in the course of its transmission by means of a private telecommunication system if he or she "so modifies or interferes with the system, or its operation ... as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication" (s.2(2) (a)). A modification4 of the system includes the attachment of any apparatus4 to, or other modification of or interference with, any part of it (s.2(6)(a)), and any contents of a communication will be treated as being made available while being transmitted where they are diverted or recorded, while being transmitted, so as to be available to a person subsequently (s.2(8)).
Authorised interceptions
The Regulations, which were made on 2October under s.4(2) and came into force on 24 October 2000, authorise an employer (or someone else with its express or implied consent) to monitor and record the contents of a communication in the course of its transmission by means of a telecommunication system whose operation or use it has a right to control, without the consent of the sender or intended recipient, for the following purposes:
An employer may also monitor, but not record, communications:
However, monitoring or recording a communication for any of the purposes listed above is not authorised unless:
Unauthorised interceptions
Employers that wish to monitor or record the contents of a communication for purposes outside the scope of the Regulations (such as marketing or market research) will need to have "reasonable grounds" to believe that they have the consent of both the sender and the intended recipient of the communication to the interception.
To ensure that they have such consent, employers could, for example, insert a provision into contracts of employment whereby employees agreed to their telephone calls and e-mails being monitored or recorded, and instruct the call operator to ask outside callers at the start of a call whether or not they consent to its being monitored or recorded (alternatively, a recorded message could be played to outside callers immediately their call is connected stating that it may be monitored or recorded unless they object).
The DTI believes that, as a minimum, employers would need to give outside callers a clear opportunity to refuse consent and to be able to continue with the call.
Civil liability
An employer (or someone with its express or implied consent) that unlawfully intercepts a telephone call or e-mail in the course of transmission on its own systems risks being sued by the maker or sender, or the recipient or intended recipient, of the call or e-mail, because the RIPA creates a tort of unlawful interception on a private telecommunication system by the operator of that system. The remedies are an injunction or damages.
EC Directive
The RIPA and the Regulations purport to implement article 5 of the EC Telecommunications Data Protection Directive (No.97/66) ("the Directive"), which exempts from its ban on the interception of communications without the consent of the users concerned "any legally authorised recording of communications in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication".
Right to privacy
The interception by a public authority of calls made to or from an employee's office telephone constitutes an interference with the exercise of the employee's right to respect for his or her "private life" and "correspondence", under Article 8 of the European Convention on Human Rights, if he or she had a reasonable expectation of privacy for such calls (Halford v United Kingdom9).
To what extent the RIPA and the Regulations are compatible with rights under Article 8 remains to be seen. However, the Home Office has speculated that simply warning employees that their telephone calls at work may be monitored or recorded may not, on its own, suffice to dispel their reasonable expectation of privacy. It is not reasonable to expect that they will never be contacted on a domestic matter in work time, or that they will never make personal calls from the office. It may be, therefore, that government departments and other obvious public authorities that monitor or record calls made from office telephones would be acting unlawfully (contrary to the Human Rights Act 1998) unless, in accordance with the guidance offered to them by the Home Office10, they provided reasonable access to payphones at work from which employees can make personal calls that will not be intercepted.
Data protection
An employer's interception of communications must comply with the RIPA and the Regulations and with the requirements of the Data Protection Act 1998 (see The Data Protection Act 1998). However, the former restrict access only to the contents of a communication. They do not address the collection and use of "traffic data" (within the meaning of s.2(9)) on a private network, for example, the information about telephone calls that would typically be produced by a call logger (s.2(5)). This is subject only to the requirements of the DPA.
Any interception that involves obtaining, recording or otherwise processing personal data by means of automated equipment (for example, recording telephone calls or filtering e-mails) must comply with the data protection principles set out in the DPA. So too must the holding or processing of the data after the interception has taken place.
The Data Protection Commissioner has published for public consultation a draft Code of Practice on the use of personal data in employer/employee relationships (see p.16 of this issue of IRLB), which covers an employer's monitoring or recording of employees' telephone calls, e-mails and internet access using some form of automated equipment. It was not possible for this draft Code to take account of the Regulations, because they had not been made at the time of writing the relevant section, but it is intended that the final version of the Code will do so.
Meanwhile, the draft Code conflicts with the Regulations in some respects. For example, it advises employers:
References
1 The Regulation of Investigatory Powers Act 2000 (Commencement No.1 and Transitional Provisions) Order 2000, SI 2000/2543 (C.71), available from the Stationery Office, price £1.50.
2 SI 2000/2699, available from the Stationery Office, price £1.75.
3 This means that an interception takes place, for example, where an e-mail message stored on a web-based service provider is accessed so that its contents are made available to someone other than the sender or intended recipient.
4 "Modification" includes alterations, additions and omissions, and "apparatus" includes any equipment, machinery or device and any wire or cable (s.81(1)).
5 This and other examples that appear in this article are taken from "Notes for business" prepared by the Department of Trade and Industry. These notes represent no more than the views of the DTI on the meaning of the RIPA and the Regulations. They are not exhaustive and have no legal force. They will not necessarily have any bearing on how the courts interpret the new legislation.
6 That is, practices and procedures (a) compliance with which is required or recommended by either the law of a state within the European Economic Area or any standard or code of practice published by or on behalf of a body established in such a state, or (b) which are otherwise applied to ensure compliance with anything so required or recommended (reg. 2(c)).
7 This limitation has the effect that authorised interceptions must take place on the employer's premises, or somewhere else under the control of either the employer or a person contracted to provide telephone services to the employer, and not during the transmission of the communication on a public network.
8 The people who use a system are, according to the DTI's "Notes for business", those who make direct use of it (that is, in the case of an employer's system, its employees). Someone who calls from outside, or who receives a call outside, using another system is not a user of the system on which the interception is made.
9 [1997] IRLR 471.
10 Circular HOC 15/1999 of 23 March 1999.