Workers must be made aware of the nature, extent and purposes of any monitoring. One of the code's seven good practice recommendations is devoted to e-communications (which includes telephone (including mobile), fax, email and voicemail communications and internet access). Key practical points to note include the following:
- Employers should "establish, document and communicate" a policy on e-communications to ensure workers are made aware of the policy. Existing policies should be reviewed to ensure they reflect data protection requirements -- the new Code makes it clear that a simple warning that "emails may be monitored" may not be sufficient; and
- Employees should be made aware (and reminded regularly) of the policy on monitoring and of their own role in data protection compliance, and the possible consequences of breaching the Data Protection Act 1998 ("the Act");
- Limiting e-communications monitoring to that necessary to protect against security breaches, e.g. viruses (and using automated monitoring systems where possible);
- Informing workers of retention periods for emails and Internet usage, and checking that they are aware of them;
- Encouraging workers and their correspondents to identify personal emails as such and using recorded messages to make external callers aware of potential monitoring;
- Confining email monitoring to traffic data (addresses and headings) except where access to the content of the email is essential; and
- Monitoring Web activity on an aggregated (e.g. departmental ) basis where possible.