to help enterprise security across Europe
The resource centre for busy senior executives seeking the latest insights into IT Compliance & Privacy issues for major organizations
 
sarbaines oxley ofcom communications regulator
Latest Resources      data protection register
compliance resources privacy resource center

Breaking Global News
Global Compliance and Privacy News - Breaking News, updated every 30 minutes
•   Compliance, Privacy and Security
•  Money Laundering
•  Phishing
•  Regulatory Issues
•  SOX, Basel 2, MiFID


You Tell Us:
S
S
L

T
E
C
H
N
O
L
O
G
Y		 We use SSL Technology for web data entry points:

Always
Sometimes
Never
What is SSL?

News
Are Smartphones Endangering Security? - Wick Hill
Dealing with Internet Security Threats - Ian Kilpatrick
How the New EU Rules on Data Export Affect Companies in and Outside the EU - Thomas Helbing
Farmers' Data Leak Highlights Old Technology Use - Wick Hill
Saving Money with SFTP - Wick Hill
UK Information Commissioner targets firm selling vetting data - Eversheds e80
12 Key Steps to Internet Security - Wick Hill
Telephone Monitoring Legality in the UK - Dechert
Firewall or UTM - Wick Hill
UK Information Commissioner demands mobile device encryption - Eversheds e80
Data loss - liability, reputation and mitigation of risk - Eversheds e80
Phorm, Webwise and OIX - BCS Security Forum
The challenges of PCI DSS compliance - Thales, Russell Fewing
"Quality" Data Vendor Spams us! Editor astounded!
National Gateway Security Survey 2008 - Wick Hill
Unified Threat Management - Watchguard Technologies

news archives:
0 | 1 | 2 | 3 | 4 | 5 |
6 | 7 | 8 | 9 | 10 | 11 |
12 | 13
[What is this?]

Industry Blogs
Tim Berners Lee's Blog
Tim Callan's SSL Blog
Davis Wright Tremaine's Privacy & Security Law Blog
Emergent Chaos Blog
Michael Farnum's Blog
Phillip Hallam-Baker's Blog - The dotFuture Manifesto: Internet Crime, Web Services, Philosophy
Stuart King's Security and Risk Management Blog
David Lacey's IT Security Blog
Metasploit Official Blog
Jeff Pettorino's Security Convergence Blog
Jeff Richards's Demand Insights Blog
David Rowe's Risk ManagementBlog
Bruce Schneier's Security Blog
Larry Seltzer's Security Weblog
Mike Spinney's Private Communications Blog
Richard Steinnon's Threat Chaos Blog
The TechWeb Blog
Tim Trent's Marketing by Permission Blog
Rebecca Wong 's DP Thinker Blog

Newsletters
23 February Newsletter
Newsletter Archives are located in "News"

Industry Update
Internet Security Intelligence Briefing - November 2005
Find out the latest trends in e-commerce, web usage & the latest threats from adware/Spyware

Reports
Phorm, Webwise and OIX - BCS Security Forum
'The Any Era has Arrived, and Everyione has Noticed' - Stratton Sclavos - VeriSign
Identity Security - Time to Share
Malicious code threats - iDefense
Public Alerts - updated as they happen from Stopbadware.org
Public Alerts - updated as they happen from Websense
Public Advisories - updated as they happen, from iDefense
Phoraging - Privacy invasion through the Semantic web: a special report by Mike Davies of VeriSign

Legislation
Privacy Laws & Business International E-news, Issue 57
Privacy Laws & Business UNited Kingdom E-news, Issue 60

Security Reviews
February 2007 - VeriSign Security Review
The security review archive is here

Case Studies
Finance Industry
Case Study Example
A case study on a Finance industry company.

White Papers
VeriSign® Intelligent Infrastructure for Security
VeriSign® Intelligent Infrastructure: An Overview
Identity Protection Fraud Detection Service - description of the service
Life of a Threat - Video on Threat Management Lifecycle
Optimizing Enterprise Information Security Compliance - Dealing with all the audits
For a full list of all whitepapers, visit our Whitepaper library

Legal Notices
Privacy Policy
Terms of use
basel 2 sarbanes oxley
    legislation
data controller notification binding corporate rules BCR data transfer third countries third part data transfer basel 2 regualtor regulation regulate FSA banking network security RSA encryptin algorithm Bits sacked bank staff
Blogs compliance Reports compliancy Legislation Data Protection Case Studies data privacy White Papers data protection act News information commissioner Events security standards Links information security iDefense
Retail Solutions

Dechert - Telephone Monitoring: Dos and Don'ts

compliance and privacy

Current News Updates

Telephone Monitoring: Dos and Don'ts

Renzo Marchini, of Dechert LLPAn article by Renzo Marchini, Of Dechert LLP

It is widely (and incorrectly!) believed that it is unlawful in the UK in all circumstances to monitor and record telephone calls without drawing this to the attention of the parties to the call. There are in fact broad exceptions which are relevant to many businesses which do allow such activities without obtaining consent.

There are several reasons why businesses may wish to monitor or record telephone use for the purpose of its business. Often the rationale is quality control or even compliance by an employee with certain regulations, but the monitoring may also be useful for ensuring that employees are not calling friends in Australia at the businesses expense or otherwise using the system contrary to your policies. The law must however balance these goals against the need to protect employees as well as external persons from "snooping" and misuse of such data.

There are two principle legal areas of relevance; namely, the law on "interception" of communications stemming from the Regulation of Investigatory Powers Act 2000 ("RIPA") and the Data Protection Act 1998 ("DPA").

Regulation of Investigatory Powers Act 2000

RIPA puts constraints on when a person may make an "interception of a communication in the course of transmission". RIPA is wide in scope and, in particular, "interception" includes a "monitoring or interference" with a private telecommunications system which makes the communication available to someone other than the sender or recipient of the communication. Interestingly, this includes the opening of previously unopened emails, but for the purpose of this article, it includes listening in on and recording telephone calls.

Any interception would be, broadly, unlawful (in fact, criminal) unless the consent of both the sender and recipient is obtained, or alternatively the communication falls within an exception defined in the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the "Regulations"). Under the Regulations, the exceptions that are relevant to most businesses are where monitoring or recording communications are carried out:

  • to ascertain compliance with regulatory requirements, practices or procedures;
  • to ascertain or demonstrate employee standards;
  • for the purpose of preventing or detecting crime;
  • for the purpose of detecting unauthorised use of the telecommunications system; or
  • to ensure the effective operation of the system.

In addition, monitoring (but not recording) communications may be carried out without consent:

  • for the purpose of determining whether they are communications relevant to the business; or
  • to monitor communications to confidential anonymous counseling or support helplines.

In addition, in all cases where consent is not obtained, the interception must be of a communication relevant to the business.

This is all pretty wide, but there are two easy traps to fall into.

First, a business must not intercept private communications. Having said that what happens if what you thought was a business communication turns out to be private? It is easy to envisage a personal communication being inadvertently intercepted in the course of a permitted interception. Where this is the case there is no offence where the situation is unavoidable in the context of permitted monitoring. In other words, if in the course of the monitoring (or the playing back of a recording) it becomes apparent that the monitored communication is in fact private, the interception (or playing back) should cease.

Consistent with the situation under the data protection regime, below, an employer must have made all reasonable efforts to inform all employees that an interception of their telecommunications may take place.

Data Protection Act 1998

The recording of phone calls will also be governed by the DPA, as the information recorded will be "personal data" of an employee and (possibly) "personal data" of the external person (as the recording could be used to identify the caller). (Interestingly, merely listening in on calls does not raise a DPA issue, but making notes of what is discussed might.)

As such, the data protection principles set out in Schedule 1 of the DPA must be adhered to. In particular, all processing of personal data must be "fair". The one difficult issue here (which is why you often hear notices in relation to recorded calls) is that to be "fair" the following information must be provided to the individual, "so far as is practicable":

  • information regarding the identity of the "data controller" (broadly, the party 'processing' the data) and the purpose for which the information is being processed.
  • further information as is necessary, having regard to the specific circumstances in which data is processed, to enable the processing to be "fair".

Both the requirement that information only be provided "so far as is practicable" and the vague requirement to provide information which is "necessary" to be "fair" require an exercise of judgment and explains why some people do provide notices of recordings of calls.

Employees

The analysis above applies to employees as well as external persons, but for data applicable to employees in particular, the Information Commissioner has published a detailed Employment Practices Data Protection Code ("Code") which covers, amongst other things recording and monitoring of employee calls. Although the Code is not strictly binding, the Information Commissioner has been clear that enforcement of the Code will be based on breach of the DPA itself.

The Code sets out the core principles for monitoring of employee calls. Three key principles are:

  • Proportionality - an employer should be clear as to why the monitoring and recording is required and should determine whether the reason for it is legitimate. Against this reasoning, the employer should consider whether the action is as un-intrusive as possible. Employers should conduct an assessment of the impact of its monitoring in order to ensure the balance is appropriate.
  • The Provision of Information to Employees - in order to comply with the first data protection principle, full information about the monitoring or testing should be supplied to the employee. The Code is clear that this should take the form of a written policy document, which should be brought to the attention of the employee.
  • Technical / Security Measures - employers are required to safeguard against the unauthorised processing of data.

As often in data protection matters, this can be summarised as: do what you do only for good reason, do no more than is necessary for that reason, and keep data secure!

Summary

  • The privacy of private communications should be respected.
  • Where a telephone call is monitored and/or recorded according to a purpose specified in the Regulation, there is no need to tell external callers that calls will monitored / recorded. Where such calls are recorded the author suggests it is good practice to bring this to the caller's attention, in order that the data is processed in a manner that is "fair".
  • Employees should be informed about the way in which data relating to them, including the monitoring and recording of telephone calls, is dealt with, and the aims of processing such data should be legitimate.
  • Written policies on what an employee is and is not allowed to do with provided communications systems are always best practice.

Renzo Marchini
Solicitor
Dechert LLP
+44 (0)20 7184 7563
Renzo.marchini@dechert.com

 


This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.