LONDON (ZDNet UK)--The Code of Practice designed to remove confusion over new laws affecting how employers monitor company email and Internet use is being unnecessarily delayed, say lawyers.
At a conference on the subject in London yesterday, the Information Commissioner Elizabeth France was criticised for applying too onerous an interpretation of data protection principles.
The guidelines were originally due to be published this spring. In February, the publication date was delayed until the summer following suggestions that monitoring staff emails to prevent incidents such as infection from the Kournikova virus could contravene rights to privacy under the law.
In April, the publication date was further delayed, possibly until the end of the year. The problem revolves around conflicts between the Regulation of Investigatory Powers Act (RIPA), which allows unrestricted monitoring of emails, and the new Human Rights Act, which seeks to protect individual privacy.
But lawyers say the guidelines may just be getting too complicated. "A lot of the Code goes beyond normal interpretations of data protection principles," said Mark Ford, lawyer at city firm Clifford Chance. "I wouldn't count on the draft getting a lot less onerous before its final adoption."
Ford cited as an example a rule in the Code of Practice that would mean outside callers and email senders should be made aware of monitoring procedures.
This rule refers to Section 1(3) of the controversial RIPA, which addresses the lawful interception of communications by employers. The original draft of the Act required company directors to gain consent from users of their system and outsiders before monitoring electronic communications. In the consultation process it was decided that gaining consent from outsiders was too stringent an obligation to impose, and so this requirement was dropped.
However, in the draft Code of Practice the Commissioner, Elizabeth France, advises that outside callers and email senders should be made aware of interception procedures. The draft reads: "In assessing whether monitoring of content is justified take account of the privacy of those sending emails as well as the privacy and autonomy of those receiving them." France sides with the guidelines of Oftel's Telecoms Class Licences, which require both parties to be informed. But others argue this is unnecessary: "The Commissioner goes beyond the strict outline of the law here," said Ford.
The Code also warns against the temptation for companies to store excessive amounts of electronic data on their employees. There is no UK legislation requiring private companies to keep traffic data or content data for any particular period of time, but clause 79 of RIPA states that directors could be prosecuted "where an offence under any provision of this Act other than a provision of Part III is committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect."
The Commissioner has been criticised for stating that directors should not monitor emails deleted by the user, as well as for requesting "a means by which employees can effectively expunge from the system emails they send or receive".
"I think the Commissioner is on shaky ground by saying don't monitor emails that are deleted," said Ford. Law enforcement authorities have the right to request records of electronic communications for the purpose of settling legal disputes, but can only do so once legal proceedings have begun.
John Angel, head of online legal services at Clifford Chance, believes that the Code of Practice should contain data protection principles that will be interpreted in a British court of law, after wide consultation with the industry. "It is not a legally binding document, but is indicative of the Commissioner's interpretation of data protection law."