Avoiding trouble when monitoring staff or customers: lessons from Snowden

It is now a year since Edward Snowden leaked a flurry of classified documents from the vaults of the US National Security Agency.

His leaking of highly classified material revealed previously unknown details of a global surveillance apparatus which was being operated by the NSA and many of its partners, such as the UK's GCHQ.

During this period, the leaks have been fuelling an unprecedented debate in much of the developed world on mass surveillance by governments and the line to be drawn between security and the citizen's right to privacy.

What does this mean for businesses?

So what can businesses and individuals learn from this debacle? After all, most businesses monitor their staff's or customers' behaviour in some way.

Most individuals accept that some monitoring of them will take place from time to time. If you walk down Whitehall in London, you shouldn't really be miffed about being filmed on CCTV. If you call your bank, you can typically expect your conversation to be recorded.

So when does surveillance go from 'acceptable' to 'icky'? When does it start to feel just a bit creepy? When does a business cross the line?

Alas, nowadays, that line is fiendishly hard to draw.

The law does provide some help (see below), but businesses have to be a bit more sophisticated than simply spouting 'we are in full compliance with our legal obligations'.

The law is all well and good, but if you start playing fast and loose with what your customers expect of you, then you could find yourself dealing with a messy PR disaster and plenty of lost customers.

Just because you can monitor doesn't mean that you should monitor.

It strikes me that the key word that is often forgotten when this subject is discussed is 'trust'.

In an interconnected world, trust is more important than we think. When trust exists—and what an intangible quality it is!—things are just, well, easier. It is the superglue that binds us together and this includes businesses and customers.

If you over-monitor staff or customers, trust is easily jeopardised and vital relationships may be compromised.

Take a deep breath—as difficult as this may be at first—and trust your staff. Have some faith in your customers.

I attended an event on Monday evening which debated this topic. The Guardian journalist, Luke Harding, ventured (and I'd agree) that constant surveillance 'corrodes the soul'. In this case he was talking about when he worked in Russia and he was under the constant watch of the security services there.

Even Sir David Omand, Ex-Director of GCHQ—who you'd think would want mini-cameras permanently installed on all of our heads—made it clear that he did not want to see a society where everything was monitored all of the time. He opined that 'we need to live with risk' and, more interestingly, 'a crime-less society is not desirable because of what you need to do to get to it.'

Now whether you believe Sir David or not is, as it happens, down to trust in the government and our democratic institutions. That is perhaps for another day.

Clearly, there is a smattering of bad guys out there who need to be dealt with (I'm not suggesting that you turn off all of your antivirus software, for instance), but this shouldn't mean that you treat all of your key stakeholders with unwarranted suspicion or contempt.

What does the law say?

The following laws are relevant to monitoring IT and communications systems:

  • the Data Protection Act 1998
  • the Human Rights Act 1998
  • the Regulation of Investigatory Powers Act 2000
  • the subordinate legislation to the above laws, and
  • the obligations set out in employment law of 'trust and confidence'.

Generally speaking, monitoring is permitted provided appropriate notices are given to those being monitored. Notices are usually given to employees in staff policies, such as Internet acceptable use policies. Notices can also be given to people other than employees in customer terms and conditions, recorded messages and website notices.

As for consent, it is generally neither practicable nor legally necessary for a business to obtain consents to monitor its own (not third-party) IT or communications systems provided the conditions of the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 have been met.

What's more, there is also a duty of trust and confidence implied into UK contracts of employment between employers and employees. Added to this are the provisions in the Human Rights Act 1998 which grant individuals a right to respect for private and family life. Breach of an employee's reasonable expectation of confidentiality or privacy may give rise to a claim, such as a discrimination claim where an employee alleges that their communications are excessively monitored or restricted compared to those of other staff.

So there's a (very rough) run through of the laws that you should consider in the first instance.

Perhaps you have decided to go ahead and are looking to implement a robust monitoring policy. What then?

Top five things that a monitoring policy should make clear

Businesses can prevent unlawful and excessive monitoring by implementing comprehensive procedures when, for example, IT personnel conduct monitoring. This is typically done through a monitoring policy.

Ideally, such a policy should make clear:

  • who is authorised to monitor IT systems
  • which systems they are authorised to monitor
  • the permitted reasons for monitoring and the internal approvals required before monitoring (eg when and how often monitoring can take place)
  • what must be done with the results of monitoring and how information should be stored (eg in 'read only' form if required). Before any disciplinary action is taken as a result of monitoring, those affected should be entitled to make appropriate representations in accordance with employment law
  • what the sanctions are for misbehaviour. Those monitoring should be aware that unauthorised monitoring of IT systems and communications not only may give rise to disciplinary action, but may also give rise to criminal sanctions for computer misuse (including for unlawful data processing under the Data Protection Act 1998).

This area is notoriously complicated so it is sensible to have a chat with a lawyer specialising in this area for tailored advice.

Moreover, have a word with your sales teams. What do your customers expect from you?

If you are transparent about monitoring and ensure that it is as focussed as possible, then you should be able to minimise any legal and PR risk to your business and, all being well, keep customers happy. No bad thing!

Do let us have your thoughts. As always, comments can be posted below.