Is it permissible to monitor the online activities of your employees?
Inappropriate use of e-mail and the internet by employees has led to a number of leading South African companies suffering public embarrassment as e-mails containing pornography, racial slurs and sexual harassment have been widely featured in the national media. The recently enacted Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 ("the Act") looks set to offer employers a lawful method to exercise some degree of control over employee and third party use and abuse of employers' telecommunications systems.
How do employers deal with unauthorised or inappropriate use of company computer and telecommunications facilities and the many risks such use creates? It is becoming increasingly evident that, in addition to loss of productivity and reputation, employers may face legal liability on a number of fronts for the online actions of their employees and other users of their telecommunications systems.
While many of these risks can be effectively managed through technological solutions and the drafting and implementation of suitable electronic communication and security policies, the ability of employers to ascertain the actual use of their networks is fundamental to their ability to control such use and manage the legal and other risks that arise.
The question of whether and to what extent it may be legally permissible for employers to monitor the use of e-mail and the Internet has, until now, been unclear, although there have been indications that the labour courts will allow employers some latitude, especially given the ease with which, for example, e-mail may cause substantial damage to an organisation.
Greater certainty has, however, been engendered by the signing into law of the Act by President Mbeki in the last days of 2002. It is expected that the commencement date of the Act will be published in the Government Gazette shortly.
A brief guide to the Act
The central feature of the Interception Act, intended to replace the Interception and Monitoring Act of 1992, is the prohibition of the intentional interception of communications contained in Chapter 2:
"Subject to this Act, no person may intentionally intercept or attempt to intercept, or authorise or procure any other person to intercept or attempt to intercept, at any place in the Republic, any communication in the course of its occurrence or transmission."
This gives effect to section 14 of the Bill of Rights found in the South Africa Constitution, which grants the right to privacy in, inter alia, the following terms:
"Everyone has the right to privacy, which includes the right not to have -
(d) the privacy of their communications infringed."
The Constitutional Court has recognised, however, that the right to privacy is not absolute, and that the workplace is one of the areas in which the right may be limited. In Bernstein v Becker (1996) the Court held that "..privacy is acknowledged in the truly personal realm, but as a person moves into communal relations and activities such as business and social interaction, the scope of personal space shrinks accordingly."
The Act acknowledges this and lists the permissible exceptions to the prohibition, in effect outlining the circumstances under which the interception and monitoring of communications will be allowable under the law. One of these, set out in section 6 of the Act, relates to the "[I]nterception of indirect communication in connection with the carrying on of a business".
The workplace exception
Section 6, insofar as it allows an exception to the general prohibition, contains a number of requirements which must be satisfied before an employer may lawfully intercept any indirect communication
(a) by means of which a transaction is entered into in the course of that business; or
(b) which otherwise relates to that business; or
(c) which takes place in the course of the carrying on of that business.
The section deals exclusively with "indirect communications", defined as the transfer of information, including a message or any part of a message, that is transmitted in whole or in part by means of a postal service or a telecommunication system.
Only by or with the consent of the system controller
The first requirement is that interception may only be effected by the system controller (i.e. the employer or a person duly authorised by them) or with his or her express or implied consent.
For specific purposes
The second requirement relates to the purposes for which such interception may take place. The Act states that indirect communications may only be intercepted for monitoring or keeping a record of indirect communications-
(a) in order to establish the existence of facts; or
(b) for purposes of investigating or detecting the unauthorised use of
that telecommunication system; or
(c) where that is undertaken in order to secure, or as an inherent part of,
the effective operation of the system.
Employers may also monitor indirect communications made to a confidential voice-telephony counselling or support service which is free of charge and which is operated in such a way that users remain anonymous.
It appears evident that the purposes contemplated by the Act are broad enough to largely meet the reasonable requirements of employers in controlling their computer systems and managing the risk attaching to them.
On a business-related telecommunications system
The telecommunication system concerned must be provided for use wholly or partly in connection with the business of the employer.
With consent or prior informing of users
This final requirement attempts to strike a balance between the legitimate expectation of privacy held by users and the rights of the employer to control the use of resources which it provides.
The Act makes it clear that any employer who wishes to intercept indirect communications in the workplace is obliged to either:
(a) obtain the permission, explicit or implied, of the persons who use that telecommunications system; or,
(b) take all reasonable steps to give advance warning to a person who intends using the system that any indirect communications transmitted on the system may be intercepted and monitored.
While the passing into law of the Act will bring a far greater degree of legal certainty to an area that is crucial to the efficient operation of many organisations, employers will need to review their employment and communications policies to ensure compliance with the provisions of the Act.
In doing so employers need to strike a balance between their business imperatives, risk management and the need to grant a reasonable degree of privacy to employees and other users of their telecommunications systems so as not to create employee discontent. They also need to be aware of the scope of application of their monitoring activities, i.e. do these cover all users - contractors, business partners, family members of employees and the like - and will interception and monitoring apply only to fixed computer resources or also to mobile equipment such as laptops and cell phones?
We suggest that these issues be looked at as a matter of urgency. The law applicable to electronic communications and transactions is developing at a rapid pace and the potential for employer liability for a range of legal issues - particularly in the area of labour law where employees have easy access to the CCMA - should be proactively addressed.
Copies of the Act are available from the Government Printer at R5.00 a copy. Simply ask for Act 70 of 2002.
06 Feb 2003
This article is intended to provide general guidance and does not constitute professional advice relating to specific instances. Should you wish to place any reliance on the information presented in this article we strongly advise that you consult your legal advisor or the Electronic Law Consultancy - email@example.com