Your exclusive monthly e-magazine
November 2004 - Confidentiality and information security  
DeskDemon Express

Keep on the right side of the law - assuming you can find it!
Four laws affect how we deal with storing and using information. But they appear to contradict each other! Spare a thought for Sara Goodwins, as she attempts to untangle the legal implications for us bewildered office workers.

The laws which govern the way we store and use information - any sort of information - are becoming more and more of a minefield. Legislation changes almost as rapidly as communication technology. As a result it's becoming increasingly difficult for businesses and their staff to be sure of staying within the law.

Every efficient secretary stores information electronically. Contacts, diaries, presentations, brochures, etc. are all more easily consulted and updated online. They are also more easily shared - which is where the problem starts.

Four laws
Four pieces of legislation mainly affect how businesses handle information and who may see it. The aims of each are briefly: the Data Protection Act (DPA) to protect privacy; the Freedom of Information Act (FIA) to provide individuals with a right of access to recorded information held by public sector bodies; the Regulation of Investigatory Powers Act (RIPA) to provide a framework for the lawful interception of communications, whether by phone or email; the Lawful Business Practice Regulations (LBPR) (a statutory instrument stating regulations drawn up by the Secretary of State) to authorise certain interceptions of electronic communications which would otherwise be prohibited by RIPA.

Although each piece of legislation has a slightly different remit, they overlap in many areas, which is where things start to get confusing. The different laws frequently seem to have been drawn up in isolation and often contradict each other.

RIPA states that businesses are not entitled to intercept electronic communications without the consent of both the sender and receiver. LBPR, however, allows businesses to intercept communications without the consent of staff in order to, for example, record evidence of transactions, prevent or detect crime, safeguard against unauthorised use or check that the telecoms system is working properly. RIPA, on the other hand, does permit communications to be lawfully intercepted to prevent an IT system being overloaded or stop a virus being passed on. If businesses take advantage of LBPR to monitor staff emails then they run the risk of contravening one of the eight data protection principles central to the DPA (see deskdemon.com/pages/uk/services/dataprotection). Throw in Human Rights legislation and things get even more complicated. (And don't even mention outsourcing!)

An important distinction is often overlooked, however: the one between business and personal use, even on the same system. The legislation indicates that personal data is legally less accessible than business data. Put very simply, the FIA upholds the eight principles stated in the DPA and neither RIPA nor LBPR authorises the interception of personal communications without the consent of both parties.

Organisations may monitor transmissions to ascertain whether the communication is business or personal but should not open emails or record telephone conversations which are obviously nothing to do with their business (unless to detect or prevent a crime). The personal use of a company's email, internet or telephone system is subject to the policy of that company, but assuming personal use to be allowed, an employee who indicates in the subject box of their emails that the message is personal should be reasonably sure of it not being opened.

Certain business information is also considered legally exempt from disclosure, although not necessarily from monitoring; for example, the FIA exempts from being made publicly available information which constitutes a trade secret or which 'would be likely to prejudice the commercial interests of any person.'

Make it a policy!
Lawyers advise that one of the best ways of staying within the law is for companies to draft a comprehensive policy specifying how employees are permitted to use electronic communications systems and what will happen if they break the rules. Conditions of employment could include automatic consent to the monitoring of business emails. Individuals seem best able to stay on the right side of the law by informing anyone they contact that electronic communication may be monitored or recorded. Declaring that monitoring is possible does not necessarily imply that staff have consented but merely that they know. Such a declaration would comply with RIPA and LBPR and also conform to the DPA code of practice (available from informationcommissioner.gov.uk).

Ensuring that outside contacts know that there is a possibility that communications will be monitored might involve including a standard sentence in every electronic document and email or as part of every recorded message. People might be deemed to agree to being monitored by the simple fact of their contacting your organisation. Even so, it would be very difficult practically to ensure that everyone outside your firm had consented to or even knew of monitoring possibilities. In any case, monitoring could only apply to business communications and not personal ones.

The rules governing electronic communication in business are now so complex that even lawyers are unsure what line to take on some of them. For those involved with e-business, staying within the law and knowing that you are doing so is becoming increasingly difficult. If we are at least alert to the fact that Big Brother may indeed be watching us then we may be able to safeguard ourselves against laws which are both draconian and muddled.

Useful contacts

HMSO
www.legislation.hmso.gov.uk
www.hmso.gov.uk/acts

Department for Constitutional Affairs
www.dca.gov.uk

Information Commissioner
www.informationcommissioner.gov.uk

Scottish Information Commissioner
www.itspublicknowledge.info

A freelance writer for over twenty years, Sara Goodwins has researched and written about a multitude of different topics. She specialises in business and education and her features are regularly published internationally.

