Covert staff surveillance 'illegal'

Covert monitoring of staff email and Internet use is likely to be illegal in most cases, according to draft guidelines from the Information Commission

Firms that secretly monitor staff email and Internet use are likely to be breaking the law, according to the Information Commission.

In a draft of its guide on employee monitoring, The use of personal data in employer/employee relationships, the Commission says it is difficult to see how covert monitoring of performance can ever be justified. "Covert monitoring of behaviour can only be justified in very limited circumstances, such as where being open with employees would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders," says the Commission.

Furthermore, covert monitoring of staff is only likely to be legal if a specific criminal activity has been identified and covert monitoring is necessary to obtain evidence of it, because telling staff about the monitoring would make gathering that evidence difficult. In addition, employers must assess how long the monitoring should last; it should not be indefinite.

Although many of the issues relate to the Data Protection Act, monitoring of communications is governed by the Regulation of Investigatory Powers Act, which makes it unlawful for employers and others to intercept communications in the course of their transmission on a private telecommunications system unless certain conditions are met. "The monitoring by an employer of the content of telephone calls, email messages and Internet access involving employees is potentially against the law," say the draft guidelines.

Interception is allowed where the parties to the call, email or other communication have both consented to the interception or where the interception is of communications taking place in the course of the carrying on of the employer's business.

However, the RIP Act only restricts access to the contents of a communication. It does not address the collection and use of traffic data on a private network, such as which Web sites have been visited and telephone numbers that have been called. Collection of such traffic data is governed by the Data Protection Act.

In general, companies should set out a clear policy for Web, telephone and Internet use, and inform staff of any monitoring, says the Commission. Where staff are informed, guidelines for monitoring email and Web usage follow roughly the same lines. For instance, companies should not monitor the content of email messages unless it is clear the business purpose for which the monitoring is undertaken cannot be achieved by the use of a record of email traffic.

Basically, companies should only consider the monitoring of content if neither a record of traffic nor a record of both traffic and the subject of emails achieves the business purpose. And wherever possible they should restrict the monitoring of emails sent to specific employees to messages the employee has received and chosen to retain rather than delete. Emails that are clearly personal should not be opened.

Similarly, says the Commission, when it comes to Internet access, any monitoring must again be a proportionate response to the risk faced by the employer. "Wherever possible it should be designed to prevent rather than to detect misuse." And if monitoring is justified on the basis of protecting the employer from criminal liability for acts such as the downloading of pornography, say the guidelines, employers will need some evidence that such activity is actually taking place.

The guidelines can be downloaded from the Information Commission's Web site.
