The Investigatory Powers (Interception by Businesses etc. for Monitoring and Record-keeping purposes) Regulations 2018 (Regulations) came into force on 8 March 2018. The Regulations make it lawful in certain circumstances for an employer or an individual instructed by the employer, to intercept communications that are made via the employers private telecommunication systems without an individual’s consent.
In summary, the circumstances in which employers are able to intercept communications made through their internet servers, landlines, voicemail and other private telecommunication systems are.
Monitoring and record-keeping is necessary to:
- Establish the existence of facts relevant to the business;
- Ascertain compliance with regulatory or self-regulatory practices and rules;
- Ascertain or demonstrate standards which ought to be achieved by persons using the system;
- Protect national security;
- Prevent or detect crime;
- Investigate or detect the unauthorised use of the system;
- Ensure the effective operation of the system.
Monitoring of communications (but not record-keeping) is needed to determine whether communications are relevant to the carrying on of the employer’s business activities.
An employer wants to monitor communications made by its employee’s to a free and confidential counselling or support service which the employee had the option to access anonymously.
In addition to the above, the employer’s interception of the communication will only be lawful if:
- it is solely for the purpose of either monitoring or keeping a record (or both) of communications relevant to the carrying on of the employer’s business activities, and
- the telecommunication system is provided for use wholly or partly in connection with those business activities, and
- the employer has made all reasonable efforts to inform every person who may use the telecommunication system that their communications may be intercepted, and
- in the event that any interception is made to protect national security it must be made on behalf of a person who is authorised to apply for issue of a warrant in those circumstances.
The Regulations are very similar in nature to the predecessor legislation (The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000) which it has now replaced. Although the regulations potentially permit employers to intercept any speech, music, sounds, visual images or data of any description taking place on their workplace communications systems, employers should use these rights with caution, as the intercepted communication may include personal data.
From 25 May 2018 any intercepted communications which contains personal data must also be processed in accordance with the General Data Protection Regulation. Given the momentum behind the GDPR in relation to protection of personal privacy and the increased penalties associated with breaches of privacy, employers should ensure that all their monitoring, interception policies and mechanisms are reviewed and updated to ensure that they are compatible with the GDPR.
You're on our blog and updates site, which is hosted by Law Hub, a digital hub powered by the lawyers at Markel Law, bringing you real law, made easy.
Find out more about Markel Law Hub here.
"... the Regulations ... makes it a criminal offence to intercept communications in the absence of lawful authority. It also makes it clear that lawful authority includes interception by businesses or other bodies where it is a legitimate practice... for example, call centres recording telephone calls for training purposes, companies scanning their computer networks to detect cyber-attacks or businesses ensuring that their systems are not being used for unauthorised purposes. These regulations simply ensure that companies can undertake these important routine activities without falling foul of the offence of unlawful interception."