The Regulation of Investigatory Powers Act 2000 (RIPA) received Royal Assent on 28th July 2000, and introduced a new legal framework to govern the use of intrusive investigative techniques. The implications for business are far-reaching, and consequently businesses need to review their current practices in light of RIPA. The Act contains provisions in relation to:
- The interception of communications (including faxes, emails and telephone calls);
- The use of covert surveillance;
- The provision of new powers for authorities to access encrypted communications.
RIPA also seeks to ensure that all of these activities are carried out in accordance with the requirements of the Human Rights Act 2000. The general premise of RIPA is that, except in very limited circumstances, the interception of emails, faxes or telephone calls is prohibited without the consent of the parties to the communication. RIPA provides for the provision of regulations regarding its implementation and the Lawful Business Practice Regulations have recently been published by the DTI, setting out when the interception of communications is permitted.
In addition the provisions of the Data Protection Act 1998 will also affect some activities regulated under this Act where they concern personal data.
RIPA has a significant impact on e-commerce, and therefore businesses should conduct a thorough evaluation of their current working practices to ensure compliance. The most important day to day implications for business relate to the monitoring or recording of business communications – whether internally between employees, business related communications by an employee, or an employee with an external friend.
The Act provides for the lawful interception of communications where there is actual consent or reasonable grounds to believe that consent for such interception has been given by both the sender and the intended recipient. The Lawful Business Practice Regulations, which came into force on 24th October 2000, provides that emails, faxes and telephone calls may be monitored or recorded where the purpose is to:
- Detect crime;
- Establish facts or compliance with self-regulatory practices;
- Ensure quality control;
- Detect unauthorised use of the telecommunications system;
- Review email accounts in staff absence (monitor for business purposes only).
In all cases, businesses need to make all reasonable efforts to inform every person who may use the telecommunications system that communications may be intercepted. Equally, interception must be solely for the purpose of monitoring communications relevant to the business. The issue as to what constitutes "reasonable efforts to inform" and "solely for the purpose of monitoring communications relevant to the […..] business" remains contentious. Businesses need to react swiftly and implement a compliance programme to ensure that they do not fall foul of the new legislative provisions, as both criminal and civil liability may arise.
For further information, please contact partner, John Armstrong by e-mail at john.armstrong@cms-cmck.com or by telephone on +44 (0)20 7367 2701.
