The laws which govern the way we store and use information - any sort of information - are becoming more and more of a minefield. Legislation changes almost as rapidly as communication technology. As a result it's becoming increasingly difficult for businesses and their staff to be sure of staying within the law.
Every efficient secretary stores information electronically. Contacts, diaries, presentations, brochures, etc. are all more easily consulted and updated on line. They are also more easily shared - which is where the problem starts.
Four laws
Four pieces of legislation mainly affect how businesses handle information and who may see it. Briefly, the aim of each is as follows: the Data Protection Act (DPA) to protect privacy; the Freedom of Information Act (FIA) to give individuals a right of access to recorded information held by public sector bodies; the Regulation of Investigatory Powers Act (RIPA) to provide a framework for the lawful interception of communications, whether by phone or email; and the Lawful Business Practice Regulations (LBPR) (a statutory instrument setting out regulations drawn up by the Secretary of State) to authorise certain interceptions of electronic communications which would otherwise be prohibited by RIPA.
Although each piece of legislation has a slightly different remit, they overlap in many areas, and this is where things start to get confusing. The different laws frequently seem to have been drawn up in isolation and often contradict each other.
RIPA states that businesses are not entitled to intercept electronic communications without the consent of both the sender and the receiver. LBPR, however, allows businesses to intercept communications without the consent of staff in order to, for example, record evidence of transactions, prevent or detect crime, safeguard against unauthorised use or check that the telecoms system is working properly. RIPA itself does permit communications to be lawfully intercepted to prevent an IT system being overloaded or to stop a virus being passed on. If businesses take advantage of LBPR to monitor staff emails, they run the risk of contravening one of the eight data protection principles central to the DPA (see deskdemon.com/pages/uk/services/dataprotection). Throw in Human Rights legislation and things get even more complicated. (And don't even mention outsourcing!)
An important distinction, however, is often overlooked: that between business and personal use, even on the same system. The legislation indicates that personal data is legally less accessible than business data. Put very simply, the FIA upholds the eight principles stated in the DPA, and neither RIPA nor LBPR authorises the interception of personal communications without the consent of both parties.
Organisations may monitor transmissions to ascertain whether the communication is business or personal but should not open emails or record telephone conversations which are obviously nothing to do with their business (unless to detect or prevent a crime). The personal use of a company's email, internet or telephone system is subject to the policy of that company, but assuming personal use to be allowed, an employee who indicates in the subject box of their emails that the message is personal should be reasonably sure of it not being opened.
Certain business information is also considered legally exempt from disclosure, although not necessarily from monitoring; for example, the FIA exempts from public availability information which constitutes a trade secret or which 'would be likely to prejudice the commercial interests of any person.'
Make it a policy!
Lawyers advise that one of the best ways of staying within the law is for companies to draft a comprehensive policy specifying how employees are permitted to use electronic communications systems and what will happen if they break the rules. Conditions of employment could include automatic consent to the monitoring of business emails. Individuals seem best able to stay on the right side of the law by informing anyone they contact that electronic communication may be monitored or recorded. Declaring that monitoring is possible does not necessarily imply that staff have consented, merely that they know. Such a declaration would comply with RIPA and LBPR and also conform to the DPA code of practice (available from informationcommissioner.gov.uk).
Ensuring that outside contacts know there is a possibility that communications will be monitored might involve including a standard sentence in every electronic document and email, or as part of every recorded message. People might be deemed to agree to being monitored by the simple fact of their contacting your organisation. Even so, it would be very difficult in practice to ensure that everyone outside your firm had consented to, or even knew of, the possibility of monitoring. In any case, monitoring could only apply to business communications and not to personal ones.
The rules governing electronic communication in business are now so complex that even lawyers are unsure what line to take on some of them. For those involved with e-business, staying within the law and knowing that you are doing so is becoming increasingly difficult. If we are at least alert to the fact that Big Brother may indeed be watching us then we may be able to safeguard ourselves against laws which are both draconian and muddled.