The DTI response to consultation on the LBPs may also be of assistance. In
particular paras 23-25 which say:
"A number of businesses have indicated that they currently intercept
communications in order to check for unauthorised use. Some businesses
monitor internet use to check that employees are not accessing offensive
material using the company's system. Some scan emails for indications of
harassment or abuse.
The final regulations, like the consultation draft, will authorise business
to intercept communications without consent in order to investigate or
detect unauthorised use of their telecoms systems. This will allow
businesses to check that staff are not using their equipment for
unauthorised purposes such as those described above.
The sure way to make it clear what is or is not authorised use would be to
circulate a notice to staff and/or to put notices on telephones and pcs
explaining what use of the business's telecoms system was authorised, what
use was unauthorised. Some uses, however, would be unauthorised even
without a notices, such as anything illegal (e.g. down-loading child
pornography) or in breach of an employee's duty (e.g. passing trade secrets
to a competitor)."
The full text is at
www.dti.gov.uk/cii/regulatory/telecommsregulations/lawful_business_practice_
response.shtml
regards
Su
-----Original Message-----
From: Tommy Kennedy [mailto:[log in to unmask]]
Sent: Thursday, February 21, 2002 12:28 PM
To: [log in to unmask]
Subject: Re: email monitoring
thanks for that Andrew.
I think you may have helped get to the root of my confusion.
My current understanding is that the Telecommunications (Lawful
Business Practice)(Interception of Communications) Regulations 2000
only covers business communications.
So for a system that allowed personal use:
Business emails would be covered by these regulations.
But personal email would not.
Is this interpretation incorrect ?
If yes perhaps this explains why I am seeing a problem where others don't.
many thanks again.
Tommy.
>>> Andrew Charlesworth <[log in to unmask]> 02/21/02 10:52am >>>
I would refer you more precisely to the section of the Telecommunications
(Lawful
Business Practice)(Interception of Communications) Regulations 2000 that
states that interception is acceptable:
- to investigate or *detect* unauthorised use of telecommunication systems
To clarify my early e-mail, my institution's current interception policy is
that we will not intercept e-mail unless we have reason to believe that our
e-mail policy is being breached (often due to a complaint, or unusual
amounts of traffic). This is, in part, due to a certain discomfort at the
idea of wholesale monitoring of e-mail in a University environment, and in
part a pragmatic acceptance that given the amount of e-mail, and the number
of technical staff, it would be virtually impossible to carry out
meaningful wholesale monitoring.
This is, however, a policy decision. It also allows us to have procedures
in place to ensure that monitoring, should it occur, is subject to a clear
process with University oversight. This, in theory, helps protects our
users from unauthorised monitoring by computer services staff, and provides
our computer services staff with clear procedures that protect them, in the
event that senior University staff request that a person's e-mail be
monitored.
The Regulations clearly have to permit more extensive measures if one is to
*detect* unauthorised use. If we read 'unauthorised' to mean not just the
scenario where there is sending of personal e-mail when only business
e-mail is allowed, but also the scenario where the sending of personal
e-mail is authorised, but the sending of certain types of personal e-mail
is not, then the above section would permit the routine content monitoring
of personal email, if your institution has the time, resources and
inclination to do so. I would note that this interpretation does differ
from that of the OIC draft code of practice which *recommended* that
employers should only monitor communications where a need for interception
had been identified.
I would tend to counsel against routine monitoring, not because the law
does not in principle allow it, but because it is harder to provide the
protection against abuse of monitoring powers that a more limited system,
with checks and balances, would tend to provide. If one looks at the
rationale for the RIPA - the fact that the UK was, in the Malone case and
the Allison case, chastised by the ECHR, not for the act of interception,
but for the lack of a legal framework, with appropriate protection for the
rights and freedoms of individuals, within which it could take place - it
would seem logical that routine monitoring would be permissible, if there
is appropriate protection for the rights and freedoms of individuals (for
example, a clear and oft repeated statement that their e-mail may/will be
monitored, and an internal publicised mechanism for dealing with breaches
by users and by interceptors).
The difficulty is, that the wider the monitoring, the more problematic its
justification becomes, and the more difficult it is to ensure adequate
oversight - a "who watches the watchers" issue.
--On Thursday, February 21, 2002 09:12 +0000 Tommy Kennedy
<[log in to unmask]> wrote:
> thanks to all who wrote.
>
> I'm slightly confused by some of the replies.
> So a more specific question to summarise and hopefully clarify.
>
> Hypothetical Email Policy
> A policy allows personal use.
> It states that personal use is not private and may be monitored.
> It further states that personal email may only be sent if these terms are
> accepted.
>
> Under this policy:
> All Email traffic could be monitored.
> Personal Email could be content checked where there was evidence of
> "wrong doing". But routine content monitoring of personal email still has
> no legal basis. It is not covered by the Telecommunications (Lawful
> Business Practice) (Interception of Communications) Regulations 2000.
> Therefore unless both parties (and potentially any 3rd parties named in
> the email) have consented this would be illegal.
>
> any comments on the validity of this statement ?
>
> thanks again,
> Tommy Kennedy
> South Ayrshire Council.
Andrew Charlesworth
Senior Lecturer in IT Law
University of Hull Law School
Cottingham Road
Hull HU6 7RX
United Kingdom
Voice: +44 1482 466387 Fax: +44 1482 466388
E-Mail: [log in to unmask]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
=====================================================================
This email is confidential and may also be privileged. If you are not the intended recipient please notify us immediately by telephoning +44 (20) 7330 3000 and requesting the IT Helpdesk. You should not copy it or use it for any purpose nor disclose its contents to any other person.
Allen & Overy
One New Change
London
EC4M 9QQ
Tel:+44 (20) 7330 3000
Fax: +44 (20) 7330 9999
General Email: [log in to unmask]
www: http://www.allenovery.com
Allen & Overy is a solicitors' partnership. A list of the names of partners and their professional qualifications is open to inspection at the above office. The partners are either solicitors or registered foreign lawyers.
IMPORTANT NOTICE:
This is a legal communication not a financial communication. Neither this nor any other communication from this firm is intended to be, or should be construed as, an invitation or inducement (direct or indirect) to any person to engage in investment activity. The following information is provided in accordance with the Solicitors' Financial Services (Conduct of Business) Rules 2001. The provision of our legal services may relate to investments. We are not authorised by the Financial Services Authority, but we are regulated by the Law Society and we can undertake certain activities in relation to investments which are limited in scope and incidental to our legal services or which may reasonably be regarded as a necessary part of our legal services. If for any reason we are unable to resolve a problem between us and a client, our client may utilise the complaints and redress scheme operated by the Law Society.
=====================================================================
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|