Data Protection & Privacy - Practical Tools for Changing your Working Environment - Will Imported Hybrid 'Privacy' Survive the Common Law Jungle?

Author: Mr Christopher Rees
Profession: Herbert Smith

Co-written by Emma Jay & Paul McCourt


"Civilisation is the progress towards a society of privacy. The savage's noble existence is public, ruled by the laws of his tribe. Civilisation is the process of setting men free from men".

You do not have to agree entirely with this idea to see that it contains a vital ingredient of truth. Totalitarianism and oppressive theocratic regimes have always depended on the complete absence of privacy amongst their citizens, so fostering an intolerance of minorities and independent thinkers. Democratic societies, by contrast, foster a respect for privacy as a basic human right. Establishing the correct balance between that right of privacy and the equally important democratic right of freedom of expression (which is also now part of English law as a result of the Human Rights Act) is the role of the judges in the coming years as this area of law develops.

Against this background, this paper will look at the main legislation in this area, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) Regulations 2000, the Data Protection Act 1998 and the Human Rights Act 2000, and the extent to which the implementation of these, together with recent developments in case law, could suggest that there is now a common law right of privacy that will be upheld by the courts. We will then look at the Human Rights Act in the particular context of Data Protection issues and, finally, at what steps a prudent employer or data controller should take when monitoring employees or collecting personal data.

Much information is collected from internet users in a manner which is invisible to us as data subjects. The internet user is sometimes not aware of the fact that his personal data has been collected and further processed and might be used for purposes that are unknown to him. For example, software is available that can monitor traffic patterns, content preferences and payload information and then send this back to the ISP.

Each of us now sends the same volume of e-mails in a day that we would have sent in an entire year at the beginning of the 1990s¹. The average worker now spends just under an hour a day managing e-mails and a third of all e-mails are not related to work or to the company. A survey by Websense of 800 employees across Europe showed that 41% of staff use the Internet for private purposes for more than 3 hours a week. Against this backdrop, employers are increasingly feeling the need to monitor their employees' online habits. But this must be balanced against the employees' right to respect for their private and family life, their home and their correspondence as enshrined in the European Convention on Human Rights (the 'ECHR').

Privacy issues do not just apply to computer use, however. It has recently been claimed by various privacy groups that set-top boxes, the devices that allow for interactive TV and which have been touted as a possible replacement for both the PC and analogue television, allow cable and satellite companies to gather and sell huge amounts of data. Each night, via its modem, the set-top box can report back to the company every programme watched and every online purchase made during the day. In recent months a number of cable and satellite companies and hardware manufacturers have added fuel to the privacy debate by securing patents relating to interactive TV data retention.

Regulation of Investigatory Powers Act 2000 ('RIPA') and the Telecommunications (Lawful Business Practice) Regulations 2000 (the 'Regulations')

RIPA came into force on 2 October 2000. It replaced the Interception of Communications Act 1985 and is wider in scope, extending the regime governing the interception of communications to both public and private telecommunications networks. It brings together all of the relevant legislation on interception into one statute and seeks to adapt those measures to reflect current communication methods, such as email. The RIPA also ensures that the UK's interception regime is compliant with the Telecommunications Data Protection Directive.

The RIPA covers both public and private telecommunication systems. Any private network not attached to a public system will not be covered; however, most employers' systems are connected to a public system in order to permit e-mails to be sent to or received from external sources.

Under the RIPA, it is an offence intentionally and without lawful authority to intercept communications without either the express or implied consent of both the sender and the recipient. The offence applies equally to interceptions taking place over public and private networks. The RIPA does, however, provide a "defence" in that an interception is treated as authorised if the interceptor has consent or reasonably believes that both parties gave consent to such interception.

Anti-Terrorism, Crime and Security Act 2001

This Act was brought in hurriedly after the events of September 11th. The Act strengthens the interception and disclosure aspects of RIPA. It provides for the introduction of a "voluntary" code requiring all communications service providers (including ISPs, postal and telephone service providers) to retain the communications data of all subscribers for up to 12 months. Communications data includes email and internet traffic data. Failure to comply with the code will not lead to any criminal or civil liability. However, the Act provides that the Secretary of State can introduce a compulsory code, although the code would require Parliament's approval.

Data retention or disclosure to public authorities could give rise to liability for a communications service provider under the Data Protection Act. The Anti-Terrorism Act avoids this by providing that a communications service provider alleged to have retained or disclosed personal data illegally can rely on the national security or prevention of crime exceptions under the Data Protection Act.

The Telecommunications (Lawful Business Practice) Regulations 2000

The RIPA has been amended by the Regulations, which came into force on 24 October 2000. The Regulations allow the interception of certain types of business communications on private networks, which would otherwise be prohibited under the RIPA. To rely on this exception, there are a number of criteria that an interceptor would have to satisfy and interception could only be made for one or more of the specified purposes.

The criteria are as follows:-

The interception must take place on a telecommunication system used wholly or partly in connection with the business concerned.

The interception must be solely for the purpose of monitoring or recording messages that are relevant to the business.

All reasonable efforts must be made to inform all actual and potential users of the relevant telecommunications system that messages may be intercepted.

The third requirement does not require the interceptor to obtain specific consent from users for particular interceptions or recordings, as consensual interception is not of itself prohibited under the RIPA. It is up to the interceptor to determine what may or may not amount to "reasonable efforts to alert".

The specified purposes are as follows:-

Monitoring or keeping a record of communications in order to:

establish facts

ensure compliance with applicable regulatory or self-regulatory practices

demonstrate the standards that should be achieved relating to, for example, quality control and training.

prevent crime

investigate unauthorised use of telecommunications systems.

secure an effective system operation

determine whether they are business or personal communications.

In view of the Regulations, it is legitimate for an intercepting employer to monitor emails, for example, to protect a network from viruses or to ensure employees do not breach company rules or policies. Likewise, in relevant cases, businesses may intercept calls or emails for the purposes of quality control or staff training. The most important issue is the extent to which the Regulations allow monitoring and reading of emails or other communications marked as "private" for the purposes of ascertaining whether they are in fact business related. Where an employer has...
