This Act is one of a raft of measures facing employers and facilities managers alike, which address the monitoring, storage and destruction of information. They include:
- The RIP Act
- Data Protection Act 1998 (see box, page 22)
- Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
- European Convention of Human Rights (ECHR) 1998.
The Data Protection Act has received the most publicity, especially when comedian Mark Thomas used it to gain access to Whitehall e-mails in which a civil servant was mining for damaging information about him.
But this is only one aspect of the personal data saga. Introduced last July, the RIP Act allows employers to read staff e-mails – but only with their consent. Then, in October, Department of Trade and Industry guidelines gave employers the right to monitor e-mails without asking first. However, this may be in conflict with the Human Rights Act 1998, which safeguards the right to privacy of correspondence.
It also may clash with the Code of Practice on the Use of Personal Data in Employer/Employee Relationships, which was issued in response to the Data Protection Act. This guidance recommends that employers must gain the consent of employees if they want access to e-mails and other electronic communication. The consultation period for this guidance ended on 5 January 2001; the final draft is due in the summer.
The final draft is expected to be an amalgamation of all of the Acts, but until then facilities managers will have to be on their guard over three issues: the use of CCTV and correct storage of tapes; surveillance of e-mails and other office communications; and safe disposal of data so that the Data Protection Act is not contravened.
CCTV usage
Perhaps the most worrying issue for facilities managers is the question of CCTV surveillance. The Data Protection Act states that there must be a clear indication of the purpose of the surveillance – crime detection and prevention, for instance – as well as information on who is operating the system, such as a third-party security consultancy. The sign must be of a readable size – an A4 sign may not be adequate for the driver of an articulated lorry, for example.
Clear signage may seem a simple requirement, yet managers should be vigilant. A camera labelled for a specific purpose must be used only for that purpose, as Chris Brogan, managing director of Security International and a qualified lawyer, explains. 'If a CCTV in a car park is used for "crime prevention and detection", and the security guard sees the car park attendant canoodling with someone in the corner, the guard cannot take the tape to the HR department saying the car park attendant was neglecting his duties. This is because the footage from the camera can only be used if a crime has been filmed, and as far as I'm aware, canoodling is not a crime.'
However, possibly the most contentious aspect of this law is that subjects must be informed they are being monitored, or, in Brogan's example, filmed.
Brogan poses a theoretical problem with this. 'Suppose you have a beef with your former company, which you feel has dismissed you unfairly,' he says. 'You walk down the street past its building and, as you are a former employee, you know there is a camera mounted on the wall aimed at the pavement. You don't want the company to know your whereabouts, so you walk into the road – just as a bus is passing – and are injured. There may be a case against the company that you have suffered a civil tort as a result of the camera, as you were injured while trying to avoid it.'
Under the Data Protection Act, if you can identify an individual from particular information, it is considered personal data and, as such, falls within the Act's codes of practice. However, as Brogan explains, defining when information can be considered personal data is far from simple.
'If I were to give you a car make and number plate, you would be unable to identify an individual from that. However, if I were to tell someone at my squash club on a Friday night the same number plate, there would be at least five people who would realise that the number plate was mine. Therefore, this number plate has become personal data, as information about an individual can be gleaned from it.'
Brogan also recalls a topic discussed at a data protection debate group. 'We spent three weeks debating whether students should have the right to see the comments their exam markers had made on their papers,' he explains. 'In the end, we decided that they should see the remarks, as they would be regarded as personal data.'
The final draft of the guidance for the Data Protection Act is expected in the summer, and until then lawyers will debate its idiosyncrasies. Facilities managers must be prepared for its possible consequences. As Brogan says, 'This Act is extremely complex. It is a potential minefield and I would not like to be the first person to test it in court.'
Office communication surveillance
Surveillance of office communications is a contentious issue, with facilities managers often ending up in the hot seat. Snooping is unpopular and a 'Big Brother' feeling can seriously undermine staff morale.
However, employers are entitled to monitor communications if the monitoring can be justified – although proving this justification is crucial. It is also important that the employer informs the employee that the monitoring is taking place. This clause is a result of the case brought in 1997 against the UK government by Alison Halford, the former assistant chief constable of Merseyside. She successfully challenged the Interception of Communications Act (IOC) 1985 in the European Court of Human Rights after the tapping of her work phone by her police force. In doing so, she won a ruling that employees 'have legitimate expectation of privacy' for telephone calls made from the workplace.
The Act was soon replaced by the RIP Act, which states that any interception needs the consent of the sender and recipient. Without this, any interception is a criminal offence, punishable by a fine and up to two years in prison.
Employers who routinely monitor staff for performance or assessment reasons were faced with the prospect of these employees refusing to give consent. Ministers responded to this by bringing in regulations under the Act known as the Lawful Business Act. This allows for the monitoring of communications without consent in circumstances such as inappropriate e-mails or long private phone calls.
Information destruction
The introduction of the Data Protection Act means that a company may face a court case, as well as having its reputation ruined, if its data is not processed or destroyed safely.
There have been several data disposal disasters that highlight the gravity of this issue. In March 1998, Punch magazine embarked on some undercover work that included a random check on rubbish bags outside 14 banks. In doing so, it uncovered information on more than 5,000 customers, which would have made the banks liable to court proceedings under the Data Protection Act.
According to figures from the British Security Industry Association (BSIA), more than 150,000 tonnes of waste paper are destroyed by the leading information destruction companies, but this is only a small percentage of the overall amount of confidential waste generated by business.
Failure to dispose of data safely created an embarrassing situation for Deutsche Bank in 1999, when its old computers – supposedly stripped of data – were obtained and reconstituted, revealing share dealings by high-profile customers such as Sir Paul McCartney.
The Data Protection Act stipulates that a company's data controller must choose a data processor that provides sufficient guarantees of security measures, including destruction of data carried out under contract and evidenced in writing. Both the client and the company that carries out the disposal are liable for any breaches of the Act.
Penalties for non-compliance could include up to a £5,000 fine and a criminal record for company directors and/or the company data controller. The Information Commissioner even has the authority to shut the business down.
Principles of Data Protection
The Data Protection Act allows individuals to find out what information is held about them on computer and some paper records. It also says that those who record and use personal information must be open about how the information is used, and that they must follow the eight enforceable principles of good practice. These say that data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate and relevant and not excessive
- Accurate
- Not kept longer than necessary
- Processed in accordance with the data subject’s rights
- Secure
- Not transferred to countries without adequate protection.
Source
The Facilities Business