The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 SI 2000/2699
Workers should be able to carry out their duties in a dignified manner, with respect for their autonomy and without fear of constant monitoring. The implied contract duty of mutual trust and confidence between employer and employee arguably requires this approach. However, new regulations covering workplace surveillance appear to give employers the right to monitor and record e-mails, telephone calls and internet interactions at work, almost without restriction and with no duty to consult or negotiate with trade unions or worker representatives.
This is an issue of particular concern given the advent and increasing use of forms of new communications technology and a labour market culture which has resulted in many people in the UK having to spend most of their waking hours at work. In these circumstances the boundaries between work and the rest of life are inevitably less distinct. Employers should be understanding about the need for a certain degree of privacy in order to help workers manage other aspects of their lives, which in turn impact on their work. In return, employers are likely to be rewarded with higher levels of worker productivity, morale and motivation.
This article outlines the new regulations, and their possible legality against the background of the Human Rights Act 1998 and relevant UK and European Union law.
The 'Interception of Communications' Regulations ('IC Regs') came into effect on 24 October 2000. They provide a statutory framework permitting employers to monitor and record certain types of communications in defined circumstances without the consent of the caller, sender or recipient.
The IC Regs are an exception to the general principle that it is unlawful for a person, without lawful authority, intentionally to intercept a communication in the course of its transmission by way of a public or private telecommunications system (Regulation of Investigatory Powers Act 2000 ('RIP Act') s.1). But intercepting communications is not unlawful if the interceptor reasonably believes that both parties to the communication consented to the interception.(s.3 RIP Act).
Lawful interceptions under the IC Regs
The IC Regs provide authorisation in so many circumstances that it is difficult to see how employer interceptions could ever fall foul of the provisions.
If employers have made all reasonable efforts to inform every person who may use their system that interception may take place, Reg 3 authorises employers to monitor or keep a record of communications on their telecommunications systems without consent for a wide variety of purposes which are loosely drafted. They include categories such as to establish the existence of facts relevant to the business, to ensure the effective operation of the system and to investigate or detect the unauthorised use of telecommunications systems.
The interception must be effected solely for the purpose of monitoring or recording communications relevant to the employer's business. However, this test is also very widely defined, to include any communication relating to the business. For example, the mere fact of an employee using the company e-mail system (whether for 'business' or 'personal' use) would seem to amount to communication relating to the business, if only in view of the personnel management issues that arise.
In addition, monitoring (but not recording) may be carried out without consent to determine whether or not the communications are relevant to the business.
Human rights implications
The right to privacy in Article 8 of the European Convention on Human Rights, as now applied through the Human Rights Act 1998 might be useful in challenging employer actions on workplace surveillance. Even where employees are informed about monitoring or have 'consented' this may still not be sufficient defence if there were in reality no opportunity to object or if the extent of the surveillance were out of all proportion to the reason for carrying it out (see Handyside v UK 1976 1 EHRR 737).
Where a policy on surveillance has been agreed through consultation and negotiation with a trade union, it is much less likely that any interception in accordance with that policy could be challenged, but the negotiation of a good policy could provide much needed protection for workers. There are obviously circumstances in which employers have a legitimate interest in intercepting communications which should not be objected to by the workforce, for example to check for viruses or where there is a suspicion that harassment has been occurring. Similarly, employers policies should include provisions to allow workers limited personal use of telephones, internet and e-mail, and guarantee no monitoring or recording unless the worker is unexpectedly unavailable for a long period or the employer has reasonable reason to believe that a worker has breached the policy or committed a criminal or serious disciplinary offence.
Data protection
Recorded information obtained through interception of communications is likely also to be covered by the Data Protection Act 1998, and processing of the information must comply with the Act. The rules on processing 'sensitive personal data' (which might include the record of a telephone call from or to a medical adviser) are particularly strict.
The Data Protection Commissioner has issued a draft Code of Practice on the use of personal data in employer/ employee relationships. The draft Code addresses personal information that may arise in a wide variety of situations, for example recruitment, employment records and employee monitoring.
The section of the draft Code on employee monitoring provides a more favourable framework for workers and unions than that established by the IC Regs. One of the recommendations is that trade unions should be consulted on proposed monitoring of employees. The draft Code also stresses the importance of not monitoring unless there is a problem that calls for monitoring, and that the methods used should be proportionate and not unduly intrusive into an individual's privacy. Compliance with the Code will be taken into account in the Data Protection Commissioner's decisions on issuing enforcement notices against employers under the Data Protection Act.
There may also be issues as to whether the RIP Act and the IC Regs comply with the relevant European Union Directives on telecommunications and data protection - Directives 95/46/EC and 97/66/EC. In particular, it is not clear whether the routine monitoring or inspection by businesses for purposes unrelated to the exercise of official authority over possible criminal offences or professional regulatory regimes complies with European law. In addition, Article 5(1) requires the consent of users as a general principle to authorise interceptions. In the UK law 'reasonable belief' by employers is sufficient and may not comply with Article 5(1), which arguably requires a stricter test.
It would mean, for example, that telephone calls from or to external sources could only be recorded if the external contact were warned in advance on each occasion and had explicitly given their consent.
Conclusion
The RIP Act and the IC Regs do not strike an appropriate balance between the interests of employers and workers. The TUC is recommending a better legal framework encouraging employers and unions to negotiate agreements on this issue. Regulations should only apply where there is no such agreement, and there should be an enforceable legal right for unions to be informed and consulted. A new Code of Practice on privacy and autonomy at work with statutory force, and of wider application than the draft Code on data protection, would also provide certainty and consistency for workers, unions and employers, as well as courts and tribunals applying relevant legislation.