Thanks for that, Andrew.
I think you may have helped get to the root of my confusion.
My current understanding is that the Telecommunications (Lawful
Business Practice)(Interception of Communications) Regulations 2000
only covers business communications.
So for a system that allowed personal use:
Business emails would be covered by these regulations.
But personal email would not.
Is this interpretation incorrect?
If yes, perhaps this explains why I am seeing a problem where others don't.
Many thanks again.
Tommy.
>>> Andrew Charlesworth <[log in to unmask]> 02/21/02 10:52am >>>
I would refer you more precisely to the section of the Telecommunications (Lawful
Business Practice)(Interception of Communications) Regulations 2000 that
states that interception is acceptable:
- to investigate or *detect* unauthorised use of telecommunication systems
To clarify my early e-mail, my institution's current interception policy is
that we will not intercept e-mail unless we have reason to believe that our
e-mail policy is being breached (often due to a complaint, or unusual
amounts of traffic). This is, in part, due to a certain discomfort at the
idea of wholesale monitoring of e-mail in a University environment, and in
part a pragmatic acceptance that given the amount of e-mail, and the number
of technical staff, it would be virtually impossible to carry out
meaningful wholesale monitoring.
This is, however, a policy decision. It also allows us to have procedures
in place to ensure that monitoring, should it occur, is subject to a clear
process with University oversight. This, in theory, helps protect our
users from unauthorised monitoring by computer services staff, and provides
our computer services staff with clear procedures that protect them, in the
event that senior University staff request that a person's e-mail be
monitored.
The Regulations clearly have to permit more extensive measures if one is to
*detect* unauthorised use. If we read 'unauthorised' to mean not just the
scenario where there is sending of personal e-mail when only business
e-mail is allowed, but also the scenario where the sending of personal
e-mail is authorised, but the sending of certain types of personal e-mail
is not, then the above section would permit the routine content monitoring
of personal email, if your institution has the time, resources and
inclination to do so. I would note that this interpretation does differ
from that of the OIC draft code of practice which *recommended* that
employers should only monitor communications where a need for interception
had been identified.
I would tend to counsel against routine monitoring, not because the law
does not in principle allow it, but because it is harder to provide the
protection against abuse of monitoring powers that a more limited system,
with checks and balances, would tend to provide. If one looks at the
rationale for the RIPA - the fact that the UK was, in the Malone case and
the Allison case, chastised by the ECHR, not for the act of interception,
but for the lack of a legal framework, with appropriate protection for the
rights and freedoms of individuals, within which it could take place - it
would seem logical that routine monitoring would be permissible, if there
is appropriate protection for the rights and freedoms of individuals (for
example, a clear and oft repeated statement that their e-mail may/will be
monitored, and an internal publicised mechanism for dealing with breaches
by users and by interceptors).
The difficulty is, that the wider the monitoring, the more problematic its
justification becomes, and the more difficult it is to ensure adequate
oversight - a "who watches the watchers" issue.
--On Thursday, February 21, 2002 09:12 +0000 Tommy Kennedy
<[log in to unmask]> wrote:
> thanks to all who wrote.
>
> I'm slightly confused by some of the replies.
> So a more specific question to summarise and hopefully clarify.
>
> Hypothetical Email Policy
> A policy allows personal use.
> It states that personal use is not private and may be monitored.
> It further states that personal email may only be sent if these terms are
> accepted.
>
> Under this policy:
> All Email traffic could be monitored.
> Personal Email could be content checked where there was evidence of
> "wrong doing". But routine content monitoring of personal email still has
> no legal basis. It is not covered by the Telecommunications (Lawful
> Business Practice) (Interception of Communications) Regulations 2000.
> Therefore unless both parties (and potentially any 3rd parties named in
> the email) have consented this would be illegal.
>
> any comments on the validity of this statement?
>
> thanks again,
> Tommy Kennedy
> South Ayrshire Council.
Andrew Charlesworth
Senior Lecturer in IT Law
University of Hull Law School
Cottingham Road
Hull HU6 7RX
United Kingdom
Voice: +44 1482 466387 Fax: +44 1482 466388
E-Mail: [log in to unmask]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^