Lawful Business Practice Regulations - Response To Consultation
Introduction
Legislative Overview
Outline of the Original Proposals
Key Issues Raised in the Consultation
Outline of the Final Regulations
Conclusion
Further Information
Annex A: The Lawful Business Practice Regulations (available on the HMSO website here)
Annex B: Regulatory Impact
Assessment
Annex C: Notes for Business
Introduction
1. From 1 August to 15 September 2000, the DTI conducted a public consultation exercise on draft Lawful Business Practice Regulations to be made under the Regulation of Investigatory Powers (RIP) Act 2000. The RIP Act establishes a basic principle that communications may not be intercepted without consent. The purpose of the Regulations is to make an exception to this rule and to allow businesses to intercept communications without consent for certain legitimate purposes.
2. As part of the consultation exercise, the DTI published a Consultation Paper which described the legislative background to the Regulations and invited comments on its proposals. The Department also conducted extensive informal discussions with key representative organisations such as the Confederation of British Industry and British Chambers of Commerce. It received over 80 consultation responses from businesses, charities, representative organisations, and private individuals.
3. The Government is grateful for the efforts that consultees have made to comment in detail on its proposals. In what follows, we set out the main issues raised during the consultation and the steps we have taken to address respondents' concerns. We provide the final text of the Regulations and a set of Notes for Business explaining the new rules. The Regulations were made on 2 October and will come into force on 24 October 2000.
Legislative Overview
4. The Regulation of Investigatory Powers (RIP) Act establishes a new legal framework to govern the interception of communications. The Act reflects the changes which have taken place in the communications industry over the last 15 years.
5. The Act also ensures that the UK's interception regime is compliant with the Telecoms data Protection Directive. The Directive requires Member States to protect the confidentiality of communications made by means of public telecoms systems and specifically prohibits activities such as recording or tapping by others than users. It is worth noting that the European Commission has published proposals for a revised Telecoms Data Protection Directive which will be negotiated in 2001. (See Further Information and the original consultation document for additional background information.)
6. The Act establishes offences of unlawful interception on a public or a private telecoms system and a tort of unlawful interception on a private system by the operator of that system. However, the Act authorises interception in cases where the interceptor has reasonable grounds to believe that both the sender and the intended recipient have consented. And Section 4(2) of the Act allows the Secretary of State to make Lawful Business Practice Regulations authorising businesses to intercept on their own systems without consent for certain purposes.
7. In the past, businesses and others operating private telecoms systems were at liberty to intercept communications on their own systems. One of the effects of the RIP Act is that, in future, businesses which intercept on their own systems will need to be sure that their actions are legally authorised. If they intercept unlawfully, the sender or recipient of the communication may be able to obtain an injunction or sue for damages. All interceptions are authorised if there are reasonable grounds to believe in consent. The Lawful Business Practice Regulations will authorise businesses to intercept without consent for certain purposes.
Outline of the Original Proposals
8. The Consultation Paper provided a first draft of the Lawful Business Practice Regulations and invited interested parties to comment on its proposals.
9. The draft Regulations would have authorised businesses, including public authorities, to intercept communications without consent for the purposes of establishing the existence of facts, detecting crime and detecting the unauthorised use of their telecoms systems. They would have authorised charitable bodies to monitor calls to confidential counselling helplines. And they would have authorised public authorities to intercept communications on their or (where invited) others' private systems in the interests of national security.
10. In all of these cases, the draft regulations required the interceptor either to make all reasonable efforts to inform all parties to the communication that interceptions might take place or, otherwise, to have reasonable grounds to believe that the parties to the communication were already aware that interceptions might take place.
Key Issues Raised in the Consultation
11. As mentioned above, the Government received more than 80 consultation responses from businesses, charities, individuals and representative organisations. The majority of responses represented business interests and focused on the need to facilitate legitimate business activities. Others represented the interests of employees and consumers. This section outlines the key issues raised in the consultation exercise and the steps we have taken to address consultees' concerns.
Interceptions for operational purposes
12. A number of businesses have suggested that the draft Regulations might not allow them to make essential interceptions to ensure the operation of their telecoms systems. Businesses need to monitor communications to protect their systems against viruses and other threats. They also need to make routine interceptions for operational purposes such as backing up and forwarding emails to the correct destination.
13. We understand that businesses need to intercept communications for a variety of purposes relating to the operation of their systems. We have expanded the regulations to make clear that businesses are allowed to record or monitor communications without consent in order to secure, or as an inherent part of, the effective operation of their telecoms systems. This will make clear that businesses are able to intercept to protect against viruses, to route traffic and for other similar purposes.
Routine access to business communications
14. A number of consultees have suggested that the RIP Act and the Regulations may not provide business with sufficient authority to gain access to their own communications. Businesses need to check voicemail systems and email accounts in order to access communications during the absence of staff. It would be unreasonable and impracticable to require businesses to gain the consent of senders and recipients of communications before doing so.
15. We understand that businesses need to have access to their own communications. We have expanded the Regulations to authorise businesses to monitor communications without consent in order to determine whether they are relevant to the business. This will achieve a balance between giving businesses free access to their own communications and protecting the privacy of non-business communications where these are permitted.
Interceptions for quality control purposes
16. The consultation paper specifically asked respondents to comment on interceptions for quality control purposes. A large number of respondents suggested that businesses ought to be able to monitor calls for these purposes. A variety of businesses regularly monitor calls for a range of customer relations management purposes, for example, staff-training and quality control. The operators of call centres, in particular, monitor calls as an essential method of maintaining service standards.
17. Consultation responses made clear that call centres would need to overhaul their procedures if they were required to gain consent for this type of interception. The majority of call centres monitor calls on a random basis. Their current equipment and procedures would not allow them to stop monitoring if a customer refused consent. One major operator suggested that the costs of implementing procedures to gain consent would be over £800,000 per annum.
18. In the light of these arguments, the Government has come to the conclusion that it would not be in the interests of businesses or consumers to require consent before monitoring for quality control. We have expanded the scope of the Regulations to allow businesses to intercept without consent in order to ascertain or demonstrate the standards which ought to be achieved by persons using their systems. This will allow businesses to continue monitoring as at present for purposes such as staff training which are of benefit for consumers.
Interceptions for other purposes such as marketing and market research
19. A small number of consultation respondents suggested that businesses ought to be able to intercept communications without consent for purposes such as marketing or market research. However, the Government would be reluctant to authorise businesses to intercept without consent for purposes which were neither strictly essential nor necessarily in the interests of consumers. It is our understanding that in most cases, such functions could be performed using stored data without the need for interception. (These activities would probably fall within the scope of the Data Protection Act 1998). We also believe that Regulations that authorised these interceptions might be in inconsistent with the Telecoms Data Protection Directive. For these reasons, we have decided not to widen the scope of the Regulations to allow interceptions without consent for other purposes such as marketing or market research.
Monitoring calls to welfare helplines
20. Certain charities currently monitor communications on their helplines in order to provide counselling staff with adequate protection. Helpline calls can sometimes be distressing and monitoring offers a practical way to support staff. For these reasons, the consultation draft proposed to allow charities to monitor (but not record) communications to counselling and support helplines providing that these services were offered free of charge and on a confidential basis.
21. A number of businesses have explained that they also run confidential, welfare helplines and that they also need to monitor calls in order to protect helpline staff. These businesses include television and radio broadcasting companies and trades unions.
22. The Government accepts that businesses, like charities, have a legitimate need to monitor calls to their counselling helplines in order to protect staff. We have therefore modified the Regulations to allow any business to monitor, without consent, communications to counselling or support helplines. The Regulations specify that monitoring is only authorised if the helpline is provided free of charge and on a confidential basis. This will safeguard the confidentiality of conversations despite the fact that monitoring may take place.
Monitoring for unauthorised use
23. A number of businesses have indicated that they currently intercept communications in order to check for unauthorised use. Some businesses monitor internet use to check that employees are not accessing offensive material using the company's system. Some scan emails for indications of harassment or abuse.
24. The final regulations, like the consultation draft, will authorise businesses to intercept communications without consent in order to investigate or detect unauthorised use of their telecoms systems. This will allow businesses to check that staff are not using their equipment for inappropriate purposes such as those described above.
25. The sure way to make it clear what is or is not authorised use would be to circulate a notice to staff and/or to put notices on telephones and PCs explaining what use of the business's telecoms system was authorised, what use was unauthorised. Some uses, however, would be unauthorised even without a notice, such as anything illegal (eg, down-loading child pornography) or in breach of an employee's duty (eg, passing trade secrets to a competitor).
The requirement to inform correspondents of interceptions
26. The draft regulations required businesses to make "all reasonable efforts" to inform all parties to communications that interceptions might take place or, otherwise, to have "reasonable grounds to believe" that the parties to communications were already aware that interceptions might take place. The large majority of respondents commented on the costs and practical difficulties that this provision might impose.
27. Businesses have not expressed concern about having to inform their own staff that interceptions may take place. A large number of businesses do so already. Where this is not current procedure, businesses could use a variety of methods to inform staff that call recording or monitoring might take place. Our discussions with business groups indicate that this could be done without significant difficulty or cost.
28. However, businesses are worried about the additional costs of informing third parties that interceptions may take place. They could do this by means of recorded messages at the start of telephone calls or by means of notices in publicity literature. But in both cases, the financial burden of reorganising procedures might be considerable.
29. Businesses have also suggested that in some cases it would be inappropriate or impracticable to inform correspondents of interceptions. Certain organisations, for example record calls to their switchboards in order to provide evidence of bomb threats. In case like this, they suggest that it would be inappropriate to inform callers that recording takes place.
30. The Government is anxious to make clear and workable regulations and to avoid placing unreasonable burdens on business. We accept that, in many cases, a requirement to inform outside correspondents of interceptions would place an excessive burden on business. For that reason, we have removed the requirement to inform all parties to communications of interceptions.
31. However, we have retained a requirement for businesses to "make all reasonable efforts" to inform the users of their own telecoms systems that interceptions might take place. This will ensure that, in accordance with current best practice, businesses inform employees of that communications may be monitored or recorded.
Workplace Practice
32. A small number of respondents have suggested that the Regulations should establish a legal framework for workers and management to discuss company practices relating interception.
33. The Government would certainly wish to encourage businesses to agree with employees on appropriate levels of recording or monitoring if they wish. The Regulations will certainly not inhibit or discourage such discussions.
34. However, the Government would not want to oblige businesses to engage in collective bargaining on interception. Businesses need to intercept for a variety of essential purposes such as ensuring the routine operation of their systems. We believe they should have a clear right to do this providing they inform their employees that interceptions may take place.
35. The Data Protection Commissioner is currently developing a Code of Practice on the Use of Personal Data in Employer/Employee Relationships. The Commissioner intends to publish a draft of the Code in October 2000 for consultation. The Code will address the impact of the data Protection Act 1998 on the monitoring by employers of telephone calls, emails and internet access involving their employees. The Commissioner has told us that she intends that the Code of Practice will take account of the Regulations and address their inter-relation with data protection requirements. The Government believes that the Data Protection Commissioner's Code will provide an excellent opportunity to develop best practice regarding monitoring of employees at work. We would urge interested parties to participate in the consultation.
A Proportionality Test
36. A small number of consultation responses suggested that the Regulations should include a proportionality test to govern the extent of businesses' interception activities. They argue that such a test would ensure that a business's interception activities were in proportion to the level of need for interception.
37. The Government is not convinced that this approach would lead to transparent or workable regulations. It would leave businesses and others unsure as to what interception activities were permitted. This would place businesses in a vulnerable legal position and might encourage some to relocate operations outside the UK.
38. The Data Protection Act 1998 applies a proportionality test to the obtaining and recording and processing of personal data. We believe that this Act is sufficient to ensure that businesses act in a proportionate manner when collecting and using personal information.
The Rights of Consumers
39. A small number of respondents suggested that the Regulations might result in an imbalance between the rights of business and the rights of consumers. They were concerned that the combined effect of the Regulations and the RIP Act would be to allow businesses to record their calls with customers, but to deny consumers the right to record their calls with businesses.
40. This is not the case. The Regulation of Investigatory Powers Act does not prohibit individuals from recording their own communications for their own use, because that does not fall within the meaning of "interception" in the Act. Consumers will be able to record their calls with business providing that the recording is for their own use. Nothing in the Act would prevent the consumer from choosing subsequently to disclose or make use of that record in the courts or dispute resolution proceedings.
Outline of the Final Regulations
41. The final regulations will authorise businesses ( in the widest sense of the word, which covers charities and other non-commercial bodies and expressly includes public authorities) to monitor or record all communications transmitted over their systems without consent for the following purposes:
- Establishing the existence of facts
- Ascertaining compliance with regulatory or self-regulatory practices or procedures
- Ascertaining or demonstrating standards which are achieved or ought to be achieved by persons using the system
- Preventing or detecting crime
- Investigating or detecting unauthorised use of the business's telecoms system
- Ensuring the effective operation of the system.
42. The Regulations will also authorise businesses to monitor (but not record) communications for the following purposes:
- Checking whether or not communications are relevant to the business
- Monitoring calls to confidential, counselling helplines run free of charge.
43. The Regulations will also authorise public authorities to monitor or record in the interests of national security.
44. In all of these cases, the Regulations require businesses to "make all reasonable efforts" to inform those people who use the organisation's telecoms systems that interceptions may take place.
Conclusion
45. The Government is confident that the Lawful Business Practice Regulations will allow business to conduct most important monitoring or recording activities without needing to restructure practices and without undergoing significant costs. The Regulations should offer business the greatest possible scope for maximising the advantages of new ways of working with phone, email and other electronic communications, consistent with a high degree of privacy for the users of communications services. As such, they will contribute to the Government's aim of making the UK the best place for e-commerce by encouraging modern markets and confident consumers.
46. The Lawful Business Practice Regulations and Section 1(3) of the Regulation of Investigatory Powers Act will come into force on 24 October 2000. The DTI intends to review the Regulations after twelve months from their entry into force or, if later, after the adoption of the revised Telecoms Data Protection Directive proposed to the EU Council by the EC Commission in July 2000.
Further Information
Annex A: The Lawful Business Practice Regulations (available on the HMSO website here)
Annex B: Regulatory Impact
Assessment
Annex C: Notes for Business
Other Useful Websites
The Regulation of Investigatory Powers Act(on the Stationery Office website)
Regulation of Investigatory Powers Act webpages (on the Home Office website)
Telecoms Data Protection Directive (97/66/EC) (on the European Commission's Information Society website)
Public Consultation Paper (closed Sept 2000)
Summary of Consultation Responses
Government Contact
For further information on the Lawful Business Practice Regulations contact:
Guy Russell
Department of Trade and Industry
Communications and Information Industries Directorate
151 Buckingham Palace Road
London SW1W 9SS
Tel: (020) 7215
1806
Fax: (020) 7215 4161
E-mail: guy.russell@dti.gsi.gov.uk
For further information on the Regulation of Investigatory Powers Act contact:
The Home Office
Queen Anne's Gate
London SW1H 9AT
|
