ID Management



Analysis: Does ID management invade workers' privacy?

A look at the legal consequences of monitoring staff...

By Stewart Baines

Published: 10 May 2006 16:30 GMT

Organisations are turning to ID management systems to ensure that only authorised personnel can access sensitive data. However, these systems are often criticised for invading employees' privacy. Stewart Baines explains what businesses deploying ID management need to know about privacy laws.

Do you think you should have to tell your boss you are nipping off to the loo? Should a 10-minute cigarette break be timed? These are the questions being raised in response to the prospect of staff ID cards featuring RFID tags, which give employers the potential to monitor workers' whereabouts in their office buildings.

Some human rights groups are claiming this is an unjustifiable invasion of privacy. But just what is privacy and do we have a right to it at work?


Employers have always been accused of snooping on staff, and they often do. They are obliged to check the quality and quantity of employees' work, and to ensure they are compliant with national and international law. Employers are responsible for the actions of their employees, even if the employee claims he was conducting personal business at work. However, individuals have more right to privacy than ever before. A legal minefield is emerging where, to comply with one set of laws, a company has to be very careful it is not breaking others.

Take this example involving the use of Skype. An employee is suspected of unauthorised behaviour such as selling customers' account records to a third party. Under the Data Protection Act, the company is responsible for the security of the confidential client data it holds. If the company is proven to have known about a breach of these regulations, it can be prosecuted. So it needs to investigate the suspect and monitor his email, telephone and Skype conversations.

While monitoring email is as simple as reading a postcard, decrypting encrypted Skype sessions is a grey area, one not adequately defined under the Regulation of Investigatory Powers Act (Ripa), which defines when and under what circumstances electronic communications can be monitored by the network owner or law enforcement agencies.

Under the Human Rights Act, the employee has certain rights such as the right to privacy over his or her personal domain. These rights are bolstered by privacy rights in the Data Protection Act which apply as much to employees as they do to customers.

Louise Townsend, a data protection lawyer at Pinsent Mason, says: "If you are going to be monitoring staff, there needs to be a justification for doing it, and you need to have taken reasonable efforts to inform employees that you may use it."

Privacy rights can be overcome, however, if the employer clearly informs the employee they will be monitored. In some cases it may be favourable to get the employee to agree to be monitored but in other cases it may be sufficient to simply inform staff. The intention in both cases is to nullify the term 'private' and consider any communication within work as non-private.

Townsend adds: "If, however, the employer does not inform the employees of the intent to monitor, the individual's privacy rights are largely preserved."

The Employment Code of Practice states that employees should be informed if they are being monitored; have a right to respect for their autonomy and privacy in the workplace; and have a right to expect a degree of trust from their employers. According to the out-law.com guide: "Any intrusion on this privacy and autonomy must be in proportion to the benefits of interception to a reasonable employer."

But what is justifiable? "Everyone is entitled to privacy in their private life," explains Simon Janes, formerly the detective in charge of operations at the Metropolitan Police computer crimes unit and now international operations director for Ibas, a computer forensics company. "The difficulty is in interpreting what is private and what is not. It all comes down to user expectations. If you notify them of what you intend to do, it's harder for them to argue it's private."

Janes admits: "As a security professional, we're always striving to find a balance between security and protecting personal privacy. But there is no way that we can provide security in a totally non-invasive way, it will always impact privacy."

In the way that callers to a contact centre are typically informed their calls may be recorded for training and quality purposes, employees should be informed their email, phone calls and internet activity may be monitored.

This could take the form of a communications policy that informs employees what to do and what not to do when using company communications - such as not using P2P music sharing applications. Such a policy can also notify employees their communications and internet activity may be monitored to ensure laws are not broken and that unauthorised activity - such as P2P - is not taking place.

But is publishing this information sufficient? Should companies also ensure staff have read and understood it? A 200-page communications policy drenched in legalese may not illuminate proper communications use but it may be all that is required to justify the monitoring of electronic communications.

Andrew Rigby, a lawyer with Addleshaw Goddard, says: "Employers could just publish a communications policy and expect people to read it but you would have a better defence if the policies are clear and simple and you have ensured all employees have read and understood them."

Without a communications policy, employees have a stronger right to privacy.

Most companies have email monitoring of some kind, either to catch spam or ensure inappropriate content is not sent to or from an employee.

If, in the course of this monitoring, the employer discovers an email detailing criminal or unauthorised behaviour, can the employer act when the employee has a right to privacy? It's another grey area, and one that the employer may well win in court, but it could be a lengthy and costly legal process. Better to tell employees how they're being monitored.

Monitoring dos and don'ts are largely defined in Ripa, which in some ways makes it harder for employers to monitor employees. Under Ripa, it is an offence to intercept any communication without lawful authority. Most private networks, either voice or data, connect to a public network such as the internet and the phone network, and so any company communication - even if between two employees - is governed by Ripa.

However, under certain circumstances an employer can monitor communications: for national security, for preventing or detecting crime, for ensuring compliance and for training. According to out-law.com, the Ripa regulations are "designed to strike a balance between the privacy of individuals and the need for businesses to get the maximum benefit from their investment in telecommunications technology". The latter part, for instance, includes the use of antivirus and anti-spam tools.

Sir Cliff Stanford, founder of Demon and Redbus, is one of the most famous people to have fallen foul of Ripa. He was prosecuted under Ripa for intercepting email between Redbus' chairman John Porter and his mother, former leader of Westminster Council, Dame Shirley Porter.

At the appeal, Stanford sought to rely on a section of Ripa that gives a defence to a person who intercepts "a communication in the course of its transmission by means of a private telecommunication system" if either: he is a person with a right to control the operation or the use of the system; or he has the express or implied consent of such a person to make the interception.

The employee who intercepted the emails and passed them to Stanford, his boss, was an administrator who had access to usernames and passwords and, as such, according to Stanford, was a person with a right to control the operation. The judge ruled that "right to control" did not simply mean that someone had a right to access or operate the system but was more specific, requiring a right to authorise or forbid that operation. Stanford and the employee were invading the privacy of Porter. Consequently, Stanford had to see out his punishment of a six-month suspended sentence.

There are a number of laws impacting privacy at work: Ripa, Data Protection, Computer Misuse, Employment Code of Practice and, of course, the Human Rights Act. While it may appear they are contradictory, they are in fact co-ordinated.

But before deploying ID management systems, which often include staff monitoring, employers should always consult with their legal advisors on whether they have taken adequate steps to ensure privacy while also fulfilling their duties to protect secure and private data from misuse by employees and outsiders.

Employers which monitor employees - and let's face it, most do - must ensure the employee is fully aware of the potential for automated and non-automated surveillance. This may not prevent employees from committing crime and fraud at work or against the company but it will remove any form of defence if they are caught red-handed.
