This snapshot, taken on 04/03/2010, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.


HR Monitoring

Monitoring staff usage of technology is a contentious issue. There are many examples of legitimate cases for such action (e.g. the prevention of crime) but these should be balanced with concerns regarding the personal privacy of staff.

The following legislation must be considered if you intend to monitor staff e-mails:

 

You should also consider the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

The Human Rights Act 1998

This Act outlines an individual's right to privacy in both private and family life, especially in relation to correspondence (including e-mails). Exceptions are made for:

  • National security
  • Public safety
  • Prevention of crime
  • Economic well-being of the country
  • Protection of rights and freedom of others

The Data Protection Act 1998

This Act is concerned with 'personal data'. It sets out eight data protection principles regarding the treatment of personal information - please see our Data Protection page for a summary of these principles. Practical advice and further information is also available from our Practical Data Protection page and from the website of the Information Commissioner's Office at www.ico.gov.uk.

The Regulation of Investigatory Powers Act 2000 (RIPA)

This Act came into force in October 2000. It legislates for the interception (i.e. monitoring) of communications, including those made using recent technological advances such as the Internet. Five main areas are covered within RIPA:

  • Interception
  • Acquisition and use of data
  • Surveillance
  • Economic well-being of the country
  • Disclosure of encrypted material

Fundamentally, it is an offence to intentionally intercept any communication in the course of its transmission without ensuring that monitoring activities comply with regulations made under RIPA, including the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, SI 2699.

For example, you must:

  • Ensure that all reasonable efforts are made to inform every person who uses the system that communications may be intercepted (for example, incoming and outgoing telephone calls and e-mail messages).
  • Notify staff and have a clear policy about what is and what is not acceptable use of e-mail and the Internet.

Given that the Data Protection Act is concerned with the protection of personal information and RIPA sets out regulations for monitoring communication, there is an apparent conflict between the two. The key is to achieve a balance - monitoring must be proportionate, relevant and only in place for a 'suitable' period of time.

The Information Commissioner has issued a Complete Guide to Notification which provides detailed guidance for those who are considering these issues.