The monitoring of telephone calls, e-mails and Internet usage is something of a minefield for businesses in the public and private sectors. In the wake of recent revelations involving Metropolitan Police Commissioner Sir Ian Blair, what are the lessons to be taken on board by corporate security managers? Marcus Turle examines the key legal issues.

Not for the first time of late, Metropolitan Police Commissioner Sir Ian Blair hit the national media headlines after secretly recording a telephone conversation with a senior minister from Parliament. It later emerged that the embattled police chief had taped a ten-minute call to the Attorney General, Lord Goldsmith, without the latter's knowledge and/or consent. Sir Ian was then forced into admitting that he'd also secretly recorded calls with senior officials from the Independent Police Complaints Commission.

Dame Shirley Porter's son, John Porter, was also caught up in an unsavoury incident involving monitoring when his e-mails were intercepted by the disgruntled founder of Redbus Interhouse (Porter having been the chairman at the time). The matter ended up in the Court of Appeal, and the defendants - Clifford Stanford and George Liddell, of whom more anon - were found guilty of unlawfully intercepting e-mail correspondence.

Both were handed prison sentences and some hefty fines for good measure.

Such ‘scandals’ raise important questions about the use of monitoring by those in both the private and public sectors at a time when it is becoming increasingly common for businesses to monitor telephone and e-mail usage, as well as Internet traffic. For security managers, these stories highlight the potential implications of unlawful monitoring, serving as a stark warning to any organisation that monitors the communications of both its employees and clients.

Security professionals will not be surprised to learn that the legal rulings relating to the monitoring of telephone calls and e-mails are notoriously convoluted. Despite the advent of legislation to simplify matters - legislation aimed squarely at bringing the law into line with new technologies - the laws remain largely impenetrable to the lay person.

The fundamentals, however, are contained within the Human Rights Act, the Regulation of Investigatory Powers Act and the Data Protection Act.

The Human Rights Act 1998

The starting point with any issue of interception or monitoring of communications is the Human Rights Act 1998 and, more specifically, Article 8 (which guarantees respect for individuals' private and family life, their home and their correspondence).

Public authorities cannot lawfully interfere with these rights unless it's justifiable to do so either in the interests of national security, public safety, the well-being of the economy, the prevention of disorder or crime, the protection of health or morals or the protection of the rights and freedoms of others.

It is tempting to assume that the references to ‘private life’ and ‘correspondence’ in Article 8 apply only to situations outside of the workplace. That said, it's abundantly clear that they are not limited in this way at all.

In the case of Halford versus the United Kingdom, the European Court of Human Rights (ECHR) dismissed the UK Government's claim that surveillance at work did not interfere with people's private lives. It decided that Ms Halford's rights under Article 8 had been breached when her employer - the Merseyside Constabulary - intercepted private telephone conversations on her office line. Bear in mind that the calls were being made from business premises, during office hours and using the Merseyside Constabulary's dedicated telephone system.

Although the facts of this particular case necessarily mean that the judgement has a somewhat limited application - Ms Halford was then assistant chief constable with sole use of her own office, and one of her two telephones had been specifically designated for her private use - the important principle lies in the fact that the Courts decided Ms Halford had a "reasonable expectation of privacy" when making telephone calls at work.

The implication of Article 8 (backed up by the decisions of the ECHR) is that monitoring or surveillance of any kind by public bodies will normally breach an individual's right to privacy, even if that monitoring takes place at work. This means that, unless individuals have been informed in advance about monitoring - and consented to it - they'll be in an ideal position to claim that their Article 8 rights have indeed been infringed.

What about the private sector?

The Data Protection Act 1998 imposes similar rules on companies by regulating the ‘processing’ of ‘personal data’. The former includes the collection of information, while ‘data’ can include electronic or automated data in addition to manual records.

An individual who is the subject of information is the ‘data subject’, with the individual or organisation collecting that information referred to as the ‘data controller’.

Under the Data Protection Act, all processing must, of course, be carried out in accordance with eight Data Protection ‘principles’. The most important of these is the first principle, which requires that all processing has to be "fair and lawful". This means that the data subject has either consented to the processing, or that at least one of the other ‘fair processing conditions’ detailed by the Act does apply.

A further layer of rules applies to what is known as "sensitive personal data", which includes information about data subjects' health, political opinions or perhaps their sex life. Finally, there is also an Employment Practices (Data Protection) Code published by the Information Commissioner - otherwise known as the UK's Data Protection ‘Watchdog’. No less than 25% of that Code is solely dedicated to the issue of monitoring at work.

Generally speaking, workplace surveillance and the monitoring of telephone calls and/or e-mails will breach the first Data Protection principle unless members of staff have consented, or the surveillance is deemed necessary to prevent crime. Alternatively, it may be justified by realising specific, well-defined benefits to the employer and others.

Authority to intercept

For public and private sector bodies alike, the Regulation of Investigatory Powers Act 2000 - commonly known as RIPA - provides a legal structure for allowing certain types of conduct which would otherwise be in breach of the Human Rights Act or the Data Protection Act.

Part I of RIPA specifically regulates the interception of any communication within the UK in the course of its transmission (unless the intercepting party has "lawful authority" to do so). The type of offence attaching to the interception will vary depending on how an interception is made.

It is a criminal offence to intercept communications on any public postal or telecoms system, and on any private exchange connected to a public network (for example, an office switchboard). This is intended to outlaw telephone tapping (or the technology-specific equivalent), and so will cover the interception or monitoring of communications made via mobile or satellite telephones, faxes, pagers, e-mails or the Internet.

Lawful authority can be obtained in the form of an interception warrant, but only in those instances where such a warrant is "proportionate" and "necessary".

It is also unlawful - but not a criminal offence - for the controller of a private network (typically an employer) to intercept communications without any lawful authority during the course of their transmission over that private network. An employer monitoring calls across its own network (or using a third party to monitor them, and giving consent for this to happen) is breaking the law unless it has "lawful authority" to do so.

The breach here is a civil offence rather than a criminal one, handing the aggrieved party the right to sue but not carrying the risk of a custodial sentence.

Lawful Business Practice rules

The criminal/civil distinction is an important one. The clause in RIPA which ring-fences monitoring on a private network from criminal sanction - Clause S.1(6) - has already been examined by the Court of Appeal.

There are various types of "lawful authority", the most obvious being the consent of both sender/caller and recipient. There are wide-ranging exceptions listed in the Lawful Business Practice Regulations which permit, for example, the recording of conversations for contractual and regulatory purposes, for establishing facts relevant to the business and for detecting unauthorised use of the system (provided users are informed of this!).

It's vitally important to ensure that all monitoring falls within the scope of the Regulations. The consequences of ‘getting it wrong’ are very serious indeed.

In fact, the first prosecution for unlawful interception under RIPA passed through the Courts last September, culminating with a Court of Appeal Judgement published in February. The defendants - Clifford Stanford and private investigator George Liddell - pleaded guilty to unlawfully intercepting e-mails. Each was handed a six-month prison sentence suspended for two years. Stanford was also fined £20,000, and ordered to pay £7,000 costs. That's the overarching detail, but the most important aspect of this case can be seen in its analysis of the dividing line between civil and criminal liability.

The background to the case involved a Boardroom dispute at Redbus Interhouse, a company founded by Stanford but which he subsequently left following a dispute with its chairman, John Porter. Stanford then obtained information about Porter by means of a programme added to the Redbus corporate network that copied Porter's e-mails to a Hotmail account operated by Liddell.

Information obtained in this way included Porter's bank details and legally privileged documents, which the prosecution then alleged Stanford had intended to use to oust Porter from the Redbus Board in the hope of replacing him and then appointing his own team of individuals to run the company.

Stanford and Liddell were charged under Clause S.1(2) of RIPA. Stanford admitted the interception charge, but claimed that his actions were not criminal as the redirect programme on the Redbus network was installed by "a person with the right to control the operation or use of the system", thus bringing it within the exclusion from criminal liability contained in Clause S.1(6).

The individual with the alleged right to control the system was someone on the inside who had administrator rights to the network.

Assess before implementation

On examining the scope of Clause S.1(6), the Court decided that "control" meant "to permit or forbid access" to the system. For the purposes of claiming immunity from criminal penalty under Clause S.1(6), it was not enough that a person had administrator rights, by which they are able to insert a redirect function on that system. That did not constitute "control" within the meaning of Clause S.1(6).

The Court of Appeal agreed with this analysis, and went on to state that since the objective of the offence was to protect the privacy of private telecommunications, this would be undermined if anyone with the unrestricted ability to operate and use the system was exempted from criminal liability.

The Stanford and Liddell Case serves as an important reminder to all security managers that interception and monitoring of communications in the workplace may have serious consequences if not properly assessed prior to implementation. While ‘legitimate’ monitoring - such as the recording of calls for quality control purposes or to record transactions - is permitted insofar as this will comply with the Lawful Business Practice Regulations, it is crucial that organisations and their in-house security professionals are clear about why they are monitoring and how that monitoring will be carried out.