
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
February 2, 2001


The prying game

When City PA Claire Swire wrote that now-infamous set of lusty e-mails to her ungallant law firm beau Bradley Chait – who then promptly circulated them to his mates – little did she know that these lurid tales would be sent around the world.
Given the uproar this case created, it’s probably true to say that, in future, Ms Swire will be rather more circumspect in her ‘e-dealings’. She is far less likely to have realised that her messages started an urban myth. A myth that will have done more to help security professionals promote e-mail monitoring than any number of conferences, seminars, courses and product launches.
Simply put, the whirlwind of forwarded e-mails has clearly demonstrated that, once a secret is ‘out’ on the Internet, it really is out. There is no knowing how many people will read it, in which countries and at what time. For companies specialising in the financial services sector or in IT, the defence industries, publishing and R&D this is a particularly important issue. For organisations like these a large amount of knowledge really does translate into power – or vast sums of money.
Griffin IT Management’s Colin Braziel, a senior member of the Security Consultants’ Association, comments: “It’s vital that these companies and corporations keep a close watch on all electronic communications being made by their employees. A secret that slips out here could cost millions there.” Sophisticated search engine technology has already been developed, of course, and is available for security managers to check e-mail traffic for certain ‘key’ words or phrases liable to be included in commercially-sensitive messages. Just how far, though, can the security manager go in monitoring e-mails? The practice could be called snooping, a word loaded with negative connotations. Given that the UK’s Human Rights Act 1998 contains a clause protecting people’s right to privacy, companies do have to watch their step.

The DTI’s Lawful Business Practice Regulations
By way of clarifying the issue, the Department of Trade and Industry issued the Lawful Business Practice Regulations. Intended to spell out practical guidelines on the matter, the regulations have been the subject of an outspoken attack by the British Chamber of Commerce, which labelled them “confused, ill-thought out and full of uncertainty”.
These fears are rooted in a belief that there are potential clashes between the regulations – passed by the Department of Trade and Industry under the Regulation of Investigatory Powers Act – the Data Protection Commissioner’s Code of Practice and the Human Rights Act.
This claim has been contested by Whitehall ‘insiders’ and Braziel, who insists that the key message is simple.
“As long as staff are kept informed of the fact that their e-mails could be monitored, there is a clear policy regarding what material e-mails might contain and an easily-understood disciplinary code in respect of what could happen if these rules are broken,” says Braziel, “then companies are in the clear.”
An official from the Home Office told SMT: “Before the regulations on e-mail interception were developed it was a somewhat grey area. Simply, there was no policy in place. Now, though, employers have guidance documents to which they can refer and, as far as we are aware, they are quite happy with them.”
Indeed, a glance at the regulations suggests that, far from restricting the right of employers to check e-mail correspondence, they give them the authority to do so. A Department of Trade and Industry official claims that the business regulations had been framed to prevent clashes between existing legislation and the Human Rights Act. They allow privacy rights to be infringed “wherever lawful business practice” is carried out.
The basic aim of the Lawful Business Practice Regulations is to set down, both explicitly and implicitly, those occasions when access to telephone calls and e-mails should be considered legal.

‘Allowable’ scenarios would include:

  • recording evidence of transactions (eg insurance telesales) to protect a company against possible claims at a later date
  • ensuring compliance with regulatory and self-regulatory rules and guidance
  • checking routine business correspondence when a worker is away from the office or off sick
  • monitoring e-mail traffic for dangerous computer viruses and illegal material (including pornographic material and/or racist texts)
  • maintaining service standards and training
  • on a more basic level, combating crime

Monitoring policies out in the open
All that companies have to do is ensure that they inform their employees of their monitoring policies, clearly and well in advance of a new person being taken on. However, Colin Braziel suggests that companies – and, in particular, their security managers – must do more, regularly reminding staff that their e-mails could well be subjected to scrutiny.
Braziel’s message to managers is simple: “You should update yourself. It’s like everything else. A timely reminder. The purely educational side of the security equation.” Braziel firmly believes that the best way to educate is to cite a story from the national press – the Swire saga being a good case in point. After all, the consequences of failing to adopt an ‘open’ approach could be serious. Sacked employees could claim unfair dismissal at an industrial tribunal, stating that they had not been told of a monitoring policy.
In extremis, workers might sue a company under the terms of the Human Rights Act.

Review the Commissioner’s Code
Another piece of legislation that security managers will need to watch out for is the aforementioned Data Protection Commissioner’s draft Code of Practice.
Philip Jones, an adviser from the Data Protection Registrar, says: “It’s simply not the case that businesses should always be denied access to employee e-mails. There may well be circumstances when security or IT managers must access them. Financial transactions and suspected cases of harassment or bullying in the workplace are good examples.” Jones adds: “Employers should have a clear and sensible policy that must be concisely explained to employees such that they know what’s going on in a given firm.”
That’s the main thrust of the Data Protection Commissioner’s Code. The Lawful Business Practice Regulations are no different from the Data Protection Act in that they do not require the consent of employees to have their e-mails intercepted. That said, it must be explained to individual employees that, under certain circumstances, it may be necessary to do so.

Government perspectives
The Government is clearly keen to ensure businesses are aware of the issues. Last year, it embarked on the £1 billion scheme ‘UK Online’. This includes an agenda for ‘e-Government’, and elaborates on concerns that safeguards must be built in to Internet e-mail regulations as a way of protecting privacy.
Speaking at a debate in the House of Lords, Leader of the House Baroness Jay said: “Data sharing is key to modernising Government in the UK, facilitating the seamless electronic delivery of Government services, reducing fraud and encouraging e-commerce.” With this in mind, the Government’s Performance and Innovation Unit (ie the Cabinet Office’s very own ‘think tank’) has been tasked to draw up a report on the privacy and data sharing arena. The results, due for publication in the Spring, should make for an interesting read.
