The security services have new powers to intercept and investigate electronic data. But the story does not end there. explains why e-mails in colleges will never be the same again
What is RIP (the Regulation ofinvestigatory powers act 2000)?
It's not just an epitaph for the Funding Council in Coventry. RIP is the abbreviation for the Regulation of Investigatory Powers Act 2000, which came into force on October 24. It repeals the Interception of Communications Act 1985, which prohibited the interception of communications on any public telecommunications network.
The RIP Act takes account of advances within the communications industry in the past15 years, such as the development of the Internet and e-mail. It extends the powers of the security services by allowing the interception and surveillance of electronic data in special circumstances, such as preventing and detecting crime and safeguarding public health and safety. It gives law enforcement authorities the right to serve decryption notices on internet service providers, requiring them to disclose encryption keys - either toprevent or detect crime or in the interests of national security.
Why is the Act so controversial?
The Act has been criticised by civil liberty campaigners and the TUC; they see the provisions as an invasion of privacy that are likely to breach the Human Rights Act, which came into force on October 2.
Is the Act relevant to colleges and other education providers or does it just affect the security services?
The RIP Act may seem irrelevant as its main purpose is to regulate the powers of authorities such as the police and intelligence services to intercept communications. But in some cases, the Secretary of State has the power to allow "businesses" to intercept communications in the course of lawful business practice without the consent of the sender and recipient. "Businesses" means public authorities, government departments, those exercising statutory functions, charities or non-commercial bodies. This broad definition means that the regulations will cover all education bodies, including colleges and private providers of educational services.
Have those regulations been introduced?
Yes. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 were issued on October 24. The regulations allow "businesses" (and thus employers) to intercept, record or monitor communications such as telephone calls and e-mails for the following purposes:
* to establish the existence of facts * to ascertain compliance with regulatory or self-regulatory practices * to monitor for quality control and staff training purposes, but not for purposes such as marketing or market research;
* to prevent or detect crime * to investigate or detect unauthorised use of a college's telecommunications system * to intercept for operational purposes, such as protecting against viruses, or to ensure e-mails are forwarded to the correct destinations * to check routine business messages such as voice-mail while staff are on holiday or sick leave * to monitor calls to the college's own welfare helplines, on condition that these are provided free of charge and on a confidential basis. The regulations specify this.
Is consent required?
No, but colleges must make "all reasonable efforts" to inform staff, students and other potential users of their own systems that interception might take place.
What is the best way of informing users that interception may take place?
Monitoring to investigate or detect unauthorised use of telecommunications is permitted by the regulations. But while consent is not required, there is an obliation to "inform" potential users.
This obligation could be met by simply telling staff and students that communications may be monitored in some cases - for instance, to monitor abuse of the Internet or to make sure inappropriate e-mail is not being sent.
A statement could be included in staff and student handbooks and disciplinary procedures, setting out what use of the telephone, Internet and e-mail systems is allowed and what is unauthorised.
Importantly, some uses will be unauthorised even without notice from the employer: for instance, an illegal act such as downloading child pornography would inevitably constitute unauthorised use.
To maintain the confidentiality of information obtained by monitoring, colleges should have guidelines to ensure that only authorised individuals will have access to the information.
Are there any benefits to colleges now that the Regulations are in place?
Yes. The huge increase in the number of people using the Internet and e-mail at work has led to an increase in abuse of these facilities. Defamation and harassment are two of the most common claims arising from abuse of e-mail systems, and in either case employers may be responsible by way of the principle of vicarious liability.
The regulations allow colleges to intercept e-mails and telephone calls and to monitor use of the Internet to detect crime or the unauthorised use of their own systems. This means colleges can monitor e-mail harassment as well as pick up any excessive private use of the Internet.
The new Human Rights Act came into effect in October. AREthere any overlaps between the two ?
Yes. Article 8 of the Human Rights Act gives individuals the right to have their private life, family life, home and correspondence respected. The case brought by Alison Halford in the European Court of Human Rights established that these rights extend into the workplace and to the use of an employer's communications equipment. Ms Halford's office telephone, designated for private use, was tapped by her employer. This was held to be a violation of the right to respect for her private life.
Colleges can comply with both Acts by making sure they can justify any monitoring that could be seen to infringe an individual's right to privacy. Article 8 is a qualified right, meaning that restrictions deemed necessary in a democratic society can be imposed. But in effect, the means have to justify the ends - so don't use a sledgehammer to crack a nut!
A college monitoring an employee'se-mails - perhaps after complaints about offensive messages - would be allowed to do so and would probably not breach Article 8 as it would be protecting the rights of another employee or student.
Using itemised telephone call records that show the number of the caller - as opposed to recording a conversation - would reduce the risk of breaching an individual's right to privacy.
What should colleges do next?
They should get to know the regulations and be aware of precisely when communications may be monitored without consent. They should also:
* Review policies and procedures to establish that they meet a specific need and purpose * Consider the human rights implications of all policies andprocedures to establish whether they interfere with any human rights * Ensure that all policies (including amendments) are brought to the attention of staff and students.
Only time will tell whether the regulations strike the correct balance between protecting the individual's right to privacy and allowing colleges to act as Big Brother in legitimate circumstances.
John T Hall is head of education law at Eversheds, solicitors, London EC4