It’s easy for a business to claim total ownership of communications in a company with a blanket monitoring policy applied across the board, but are you allowed to? Over the years, I’ve seen dozens of clauses claiming the right to monitor everything – hell, I’ve even been on the receiving end of such monitoring – the fact is, it’s probably not as legal as you think it is, and you probably believe you have more rights than you do as an employer!
Which regulations apply?
In South Africa, you may be quick to call out POPIA when it comes to monitoring; however, you should rather be casting your eyes over to RICA. Sound familiar? It should! It applies every time you upgrade your cellphone. The Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (what a mouthful, let’s stick to RICA) applies to monitoring and regulates how you are able to do so. It’s not that you can’t monitor, it’s just that you have to do so responsibly. More on this after the jump.
In Europe, you have to contend with a number of regulations, depending on the jurisdiction you fall under. Different EU member states have different rules and regulations around monitoring and interception of communications. From an overarching perspective, you will need to contend with GDPR and its stipulations around purpose, legal basis for processing and more, and from a national perspective you may need to consult works councils as well as comply with the nuances of local employment regulation.
What constitutes monitoring?
This is an interesting one, as we are quick to assume that monitoring means the intentional viewing of someone’s emails. Of course, reading someone’s emails or messages is monitoring, there’s no doubt there. It does, however, extend beyond this. Anti-virus scans are a form of automated monitoring. Data Leak Prevention (à la Mimecast, Synaq etc.) is a form of automated monitoring. Keyword scans are a form of monitoring. All of these factors need to be considered when it comes to implementing your policy on the subject.
Outside of email, monitoring your internet traffic for acceptable use is also monitoring, as is monitoring staff social media accounts. In short, any sort of interception of communications over a number of platforms can be considered “monitoring”.
How do you do so correctly?
Between RICA, POPIA, and GDPR, there are a number of ways to monitor communications responsibly and legally. First off, let’s get what I hope is the obvious one out of the way: you cannot monitor someone’s personal, non-company e-mail address or social media accounts (unless their social media accounts are public, but that’s another post for another day). The GDPR has four principles for sound workplace monitoring policies, which would cover you in South Africa as well. These four principles are:
Necessity is being able to show that the monitoring you are performing is indeed necessary. Anti-virus and DLP are there to prevent data loss and protect the organisation, and can be argued to be necessary for operations. Similarly, a case for necessity can be made for monitoring internal email accounts, but only where it is genuinely necessary (this is important) and under certain circumstances. You cannot just read someone’s incoming and outgoing emails for no valid reason.
Legitimacy means you must have legal grounds for collecting and monitoring this information. You need to have complied with the law in terms of doing so. In most cases, you will need to provide proof of what your legitimate interest is in monitoring – and that this interest (such as protecting the business from data leaks) outweighs the individual rights to privacy. You will also need to provide proof of sufficient security and process in place to prevent misuse.
Proportionality quite simply means not monitoring constantly or going overboard with your controls. In the EU, it has long been established that even in a business email account, there will be a small amount of unavoidable personal communication. You need to be limited in what you are monitoring and what you react upon. You can only use monitoring and intercepted communications for the issue that you are dealing with – it cannot be used for hunting for new issues.
Transparency is being clear to your employees that you are monitoring. You do not, in fact, want to rely on consent here, as consent can be revoked (and then you’re stuck). In the EU, you will be relying on “legitimate interest” or “contractual” means of processing, along with any local laws or works council registrations. In South Africa, you will be relying on RICA’s section 6, an exemption to consent when information is intercepted in the course of carrying out your business interests.
In order for any of the above to work, you must advertise the fact in your company policies and be clear about it. You need to incorporate these four principles into your wording and monitor in a fair and transparent manner. The RICA exemption in SA and compliance with privacy regulations require that you have notified your employees of the monitoring up front; if you haven’t, you’ll be up the creek without a paddle.
Ross G Saunders Consulting is a niche data protection consultancy, working with a number of professional partners in order to help you as a business comply with data protection regulation. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while simultaneously garnering support from your existing and potential customers?