Monitoring, recording and intercepting electronic communications

Operational policy and guidance on monitoring, recording and intercepting electronic communications under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

• What does this policy cover?
• When might the Council undertake electronic surveillance?
• What safeguards must the Council observe before undertaking electronic surveillance of any sort?
• What does the Regulation of Investigatory Powers Act 2000 say?
• What types of electronic surveillance are covered?
• Who in the Council may authorise electronic surveillance?
• Where is authorisation required?
• What about the Data Protection Act?
• How is an application for authorisation made?
• How long will the authorisation last?
• Can an authorisation be renewed?
• Can or should an authorisation be revoked?
• What will the Authorising Officer have to consider?
• What is meant by the term proportionate?
• What records must be kept?
• Who keeps the record?
• What reference documents are there

What does this policy cover?

This policy covers the interception, monitoring and recording of telephone calls, faxes, emails and use of the Internet and Intranet to the extent the transmissions take place on the Councils telecommunications systems (electronic surveillance).

When might the Council undertake electronic surveillance?

The Council undertakes electronic surveillance for a variety of reasons, for example to check that no obscene or pornographic material is being transmitted through its systems, or as part of an investigation into alleged misconduct.

What safeguards must the Council observe before undertaking electronic surveillance of any sort?

• Firstly, the Council has to be satisfied that the surveillance is undertaken in accordance with the law
• Secondly, if the surveillance is likely to intrude upon someones human rights, for example the right to respect for private and family life, home and correspondence, that such interference can be justified legally. Advice on the Human Rights Act is available from the Councils legal officers
• Thirdly, that the surveillance is properly authorised and lawful

What does the Regulation of Investigatory Powers Act 2000 say?

Part 1 of the Regulation of Investigatory Powers Act 2000 (the 2000 Act) makes it unlawful for employers and others to intercept communications, in the course of their transmission on a private telecommunications system, unless certain conditions are met. Interception is allowed where:

• the parties to the call, email or other communication have both consented to the interception
• the interception is of communications taking place using the employers business telecommunications system and is authorised under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

The 2000 Act only restricts access to the contents of a communication. It does not address the collection and use of traffic data on a private network, for example, the information about telephone calls that would typically be produced by a call logger. This is subject only to the requirements of the Data Protection Act 1998.

What types of electronic surveillance are covered?

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 authorise certain interceptions of communications that would otherwise be prohibited under the 2000 Act. The interception has to be for purposes relevant to the Councils business, and using the Councils own telecommunication system.

Interceptions are authorised:

• for monitoring or recording communications:
  • to establish the existence of facts, to ascertain compliance with regulatory or self-regulatory practices or procedures or to ascertain or demonstrate standards which are or ought to be achieved (quality control and training)
  • in the interests of national security (in which case only certain specified public officials may make the interception)
  • to prevent or detect crime
  • to investigate or detect unauthorised use of telecommunication systems
  • to secure, or as an inherent part of, effective system operation
• for monitoring received communications to determine whether or not they are business communications
• for monitoring communications made to anonymous telephone helplines

The Council has told its employees that interceptions of emails, telephone calls and electronic communications of any type may be made and IT equipment interrogated for that purpose.

In any other case an authorisation given in accordance with this policy should be obtained.

Who in the Council may authorise electronic surveillance?

The Authorising Officer will ordinarily be the Head of Information and Communication Technology. However, in the absence of the Head of Information and Communication Technology or when the reason for the request relates to his or her area of operation or for reasons of probity or fairness it would be inappropriate for him or her to act, the following may act as Authorising Officers:

• The Chief Executive
• The City Solicitor and Monitoring Officer
• The City Treasurer
• All Heads of Service

Ideally the Authorising Officer should not be responsible for authorising their own activities, ie those operations or investigations in which they are directly involved or for which they have direct responsibility.

Where is authorisation required?

Authorisation is not required for spot, general, routine, regular or random monitoring or recording by the Head of Information and Communication Technology in order to:

• detect the downloading of or access to internet sites which contain pornographic material or indecent images
• detect pornographic material, indecent or inappropriate images or obscene language contained in email traffic
• detect the misuse or abuse of electronic communication systems
• check email boxes of employees in their absence
• detect computer viruses
• detect the number, source and user etc of telephone calls made and/or received
• monitor performance against targets or for the purposes of training (employees affected will have been made aware that such monitoring will take place)

Authorisation under this Policy is required in any cases other than those outlined above.

What about the Data Protection Act?

The Data Protection Act (DPA) applies to all personal data. This means information about identifiable living individuals and includes both facts and opinions about the individual. Where the electronic surveillance involves the processing of personal data it should be assumed that the DPA will apply.

Personal data must be:

• fairly and lawfully processed
• processed for limited purposes and not in any manner compatible with those purposes
• adequate, relevant and not excessive
• accurate
• processed in accordance with the individuals rights
• secure

In undertaking any monitoring the following must be considered in the context of the DPA:

• what is the business purpose for which the monitoring is to be undertaken and is that sufficiently specific?
• what is the impact of the monitoring on the privacy, autonomy and other legitimate rights of those affected?
• can comparable benefits be reasonably achieved by another method with less adverse impact?
• is the monitoring targeted to those areas where it is actually necessary and proportionate to achieve the business purpose?
• is the form of monitoring proposed reflected in the IT Security Policy?
• is the information to be collected likely to be relevant and accurate?
• has the need for the monitoring been established?
• what is the likely impact of the monitoring on the privacy of those making calls or sending emails to the Council and those receiving calls or emails from the Council?
• what is the likely impact of the monitoring on the privacy of those who might be referred to in a communication without being a sender or recipient?

Legal advice should be taken from the Councils legal officers for guidance on the DPA and to the IT Security Policy.

How is an application for authorisation made?

An application for authorisation for electronic surveillance must be in writing. It should specify:

• the action to be authorised eg interception of emails, recording of telephone conversations etc
• the identities, where known, of those whose communications are to be the subject of electronic surveillance
• an account of the investigation or operation and how long it is likely to take
• the grounds on which the authorisation is sought (eg for the detection of crime)
• why the electronic surveillance is considered to be proportionate to what it seeks to achieve
• an explanation of the information which it is desired to obtain as a result of the authorisation
• the potential for collateral intrusion, that is to say, interference with the privacy of persons other than the subjects of the electronic surveillance, and an assessment of the risk(s) of such intrusion or interference
• the likelihood of acquiring any confidential material or personal data
• an outline of the assessment for the purposes of the DPA
• where authorisation is sought urgently, reasons why the case is considered to be urgent

There should then be a record of whether authority was given or refused, by whom, and the time and date.

How long will the authorisation last?

The written authorisation will cease to have effect (unless renewed) at the end of a period of 3 months beginning with the date on which it took effect but will normally be issued for a lesser period. Exceptionally, an oral authorisation may be given in cases of urgent necessity, in which case the detail referred to above should be recorded in writing as soon as reasonably practicable, and such authorisations will cease to have effect after 72 hours beginning with the time when the authorisation was granted.

Can an authorisation be renewed?

If at any time, the Authorising Officer considers it necessary for the authorisation to continue for the same purpose for which it was given, then he/she may renew it in writing for a further period. The renewal will normally be for not more than 3 months. The request for a renewal of an authorisation should record:

• whether this is the first renewal, or on how many occasions it has been renewed
• the same information as outlined for an original application
• details of any significant difference in the information given in the previous authorisation
• the reasons why it is necessary to continue with the surveillance
• the content and value to the investigation or operation of the information so far obtained by the surveillance
• an estimate of the length of time the surveillance will continue to be necessary

Can or should an authorisation be revoked?

The Authorising Officer who granted or last renewed the authorisation must cancel it if he/she is satisfied that the electronic surveillance no longer meets the criteria for authorisation.

Regular reviews of authorisations should be undertaken to assess the need for the surveillance to continue. The results of any review should be recorded. Reviews should be more frequent where there may be collateral intrusion into the rights of persons other than those whose communications are the subject of surveillance. As soon as a decision is taken to cease surveillance, an instruction must be given to those involved in the operation to stop listening, intercepting or recording the activities of the subject. The date on which that instruction is given should also be recorded.

What will the Authorising Officer have to consider?

Firstly, the Authorising Officer must be satisfied that the authorisation is necessary:

• in the interests of national security
• for the purpose of preventing and detecting crime
• to establish the existence of facts
• to ascertain compliance with the Councils regulations, practices, procedures and rules
• to demonstrate that standards of performance have been achieved
• to demonstrate or detect unauthorised use of the telecommunications system
• to secure effective system operation
• to determine whether the communications are business communications

Secondly, the Authorising Officer must also believe that the surveillance is proportionate to what it seeks to achieve.

Thirdly, the Authorising Officer must be satisfied that the Data Protection principles are met.

What is meant by the term proportionate?

Proportionality is a very important concept, and it means that any interference with a persons rights must be proportionate to the intended objective. This means that the action is aimed at pursuing a legitimate aim (for example, protecting a child from potential abuse). Interference will not be justified if the means used to achieve the aim are excessive in all the circumstances. Therefore, where surveillance is proposed that action must be designed to do no more than meet the objective in question; it must not be unfair or arbitrary; and the impact on the individual or group of people concerned or who may be affected, must not be too severe.

What records must be kept?

The following records must be kept:

• a copy of the application for authorisation
• a copy of the authorisation
• a record of the period over which the surveillance is taking or has taken place (including any significant suspensions of coverage)
• a record of the result of periodic reviews of the authorisation
• a copy of any renewal of authorisation, together with the supporting documentation when the renewal was requested

Who keeps the record?

A register of records will be kept by the Head of Information and Communication Technology.

What reference documents are there?

The Council must have regard to any Code of Practice issued by the Data Protection Commissioner under Section 51(3)(b) of the Data Protection Act 1998.

Before applying for an authorisation the Councils IT Security Policy must be considered.

The Council has prepared four forms for use by officers applying for authority to carry out electronic surveillance.

Copies of these forms will be available on the Councils intranet site.

Where fraud or corruption is suspected, then regard should be had to the Councils anti-fraud and corruption strategy.

Electronic communications help chart [148KB]

Electronic communications flow chart [279KB]

[Back to top]