2.5 Lawful Business Practice Regulations
Under UK law, employers have certain rights to monitor communications made by their employees.
They are authorised to do so under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 SI 2000/2699 (sometimes abbreviated to IC Regs). Monitoring can take many forms including recording telephone calls, storing telephone numbers, email addresses and website addresses, storage of email and the inspection of any email attachments.
The regulations exist so that employers can ensure that their networks are used in a manner that does not bring the company into disrepute (such as sending offensive emails would), be used for illegal activities (such as transmitting copyright materials without licence), or to check that company resources are not used for personal reasons.
Companies may also have to monitor their networks to meet legal regulation – such as in the case of financial organisations where ‘health warnings’ must be offered to customers – and in extreme cases, monitoring may take place in support of national security.
The IC Regs are an exception to the general understanding that it is unlawful to intercept any communications unless an individual or organisation is specifically authorised to do so. This is codified in RIPA – see Investigatory Powers Act 2016 (https://www.legislation.gov.uk/ ukpga/ 2016/ 25/ section/ 1/ enacted [Tip: hold Ctrl and click a link to open it in a new tab. (Hide tip)] and https://www.gov.uk/ government/ collections/ ripa-codes). The IC Regs allow interception to be made under specific conditions, but only if both parties in the communications consent to it happening. Such consent may be a necessary condition of employment, or it might be an additional agreement between an employer and their employees.
Monitoring of employees is an activity that must be done with care since it has the potential to erode trust between management and workers as well as being intrusive. Employers must abide by legislation including the Human Rights Act and the Data Protection Act to ensure that interceptions take place in a proportionate manner that any intercepted data is used for the correct purposes and that personal information is stored and processed appropriately.
Next you can complete an activity to check what you’ve learned about cyber security and the law.