Thanks to its speed, accessibility and ease of use, email is an essential part of both our business and personal lives. But as the IT departments charged with managing a company’s email deal with increasing volumes of traffic, spam levels and virus-infected mail, they also encounter a minefield of legal traps and regulatory pitfalls when they monitor employees’ emails.
Many firms use tools to help them identify spam emails, stop viruses or flag up inappropriate or illegal use, which is a sensible option because of the implications of not doing so. However, it is essential that, at the same time, the individual’s right to privacy is protected to avoid falling foul of the law.
Over the years, various UK laws and regulations have been written that address the topic of email monitoring, but unfortunately they overlap and contradict each other. There are regulations to protect individuals and their right to privacy with regard to electronic communications and information; however, these are often inconsistent with those designed to help employers or law enforcement agencies.
In 2000, the UK government passed the controversial Regulation of Investigatory Powers Act (RIPA) which clarifies how and why organisations can monitor individuals’ emails, and protects employees’ rights. It outlines that businesses must state if emails are going to be monitored, and the reason behind it, but accepts that companies do have the right to capture information under certain circumstances.
However, RIPA’s declaration that companies have the right to collect information contradicts elements of the Human Rights Act (HRA), which is focused on an individual’s right to privacy. To make things even more complex, the Data Protection Act (DPA) safeguards the rights of individuals regarding information relating to them.
The different acts are designed with different goals in mind, resulting in most businesses not knowing which way to turn. For members of the board this can be a real problem. Not only are they responsible for the company’s adherence to the law, but the financial penalties for non-adherence can be significant.
Despite the bewildering array of laws and regulations which are all open to their own legal interpretation, the 2000 Lawful Business Practices Regulations (LBPR) are designed to explain exactly what companies need to do to ensure they comply with the acts mentioned previously.
As if making sense of UK legislation weren’t confusing enough, it gets much more complicated for international organisations. In circumstances where data is shared or transferred between different countries, businesses need to understand and comply with a myriad of regulations to ensure they operate legally in each country.
European laws are similar to the UK’s regarding monitoring and privacy, but the different countries apply those laws in different ways. In America, there isn’t an equivalent to the DPA and businesses are much less restricted in their activities regarding privacy, so many US companies operating in Europe have had problems bringing their IT systems up to the minimum standard required by the EU.
The EU has defined a ‘model contract’ that companies who operate in Europe are expected to complete for cases where personal data is exported from the protected EU area to countries that don’t maintain equivalent protection – the US in particular.
As if the legalities of emails and monitoring weren’t complex enough, last year more stringent anti-spam laws were introduced to protect companies and end users.
In the EU, all member countries are required to implement anti-spam legislation, although so far only 30 percent have done so, primarily due to the complexity of implementing this type of law effectively.
The problems of spam are compounded by the fact that the vast majority of spammers are operating illegally anyway. These spammers use every trick in the book to remain anonymous so even where the laws exist, they have very little impact on actual spam levels.
Despite the complexities involved, it is still essential that firms monitor employees’ emails, if only to see whether any email is carrying abusive content, illegal material or proprietary information. This is why a broader response to email control and management is required, while at the same time ensuring adherence to the necessary legal and regulatory controls.
Effective email management that primarily filters out spam is becoming increasingly popular because it can reduce companies’ email traffic by 80 percent. The cost in man-hours if all spam reaches the end user, who then has to read and delete it all, is immense and must not be overlooked. Corporate mail systems are designed to help the business, but the proportion of legitimate business mail crossing the servers is diminishing rapidly, which is clearly unacceptable.
Responsibility lands with the board to protect the company from financial or legal penalties of not complying with regulations, but trying to implement a solution that meets all the different laws can be difficult. We would normally turn to the law for guidance and clarification, but in this case the complexity of the situation is caused by the very laws themselves.
Ken Watt is Consultancy Director for INSL