'Bizarre' British rules on e-mail a security risk

Australia will be open to security risks if it follows British examples in limiting employers' ability to monitor e-mails, legal experts say.

Employers in the UK may face restrictions on their ability to monitor employee Web surfing and e-mail activity under a new privacy code due to be released in the UK in the next two months.

The UK privacy protection follows the tradition of European nations, which have far more stringent privacy rules than their US counterparts.

Leif Gamertsfelder, senior associate and leader of the security group at Sydney-based law firm Deacons, dubbed the British initiative "bizarre".

The new British code, which sets out workplace privacy rights, does not allow any covert monitoring of either telephone calls or Internet use unless criminal activity has been identified. To comply, British employers are required to spell out their monitoring to employees and conduct monitoring that is "proportionate" to the risk employee activity poses.

According to Gamerstfelder, covert monitoring of employee e-mails is "OK" in Australia, as long as it doesn't breach the Privacy Act.

"Under current Federal Privacy rules, employee e-mail monitoring is a difficult issue. In some instances, it is permissible to monitor e-mail activity as long as it is for reviewing work performance or employee conduct," Gamerstfelder said. "It's like being able to use a company's vehicle without the company being able to monitor the vehicle's use.

"For some employers, the question is, if you, as the employer, own the information systems, why can't you do what you like with it?" he added. The UK approach is not stringent enough and he believes Australia should be looking at the European approach where "security is paramount and privacy yields to security".

Gamertsfelder said the main reasons for monitoring are to be able to discover intrusions rather than for checks on Internet use or on employees who may disclose trade secrets.

"Laws that impact on those monitoring create security risks by virtue of increasing privacy rights," Gamertsfelder said.

Kim Heitman, chairman of the Electronic Frontiers Association (EFA) and Perth-based lawyer on Internet issues, said that Australia's Privacy Act is largely "toothless" and follows the US lead, where "it is hard to find a hook to hang a case on".

"The Privacy Act expressly excludes employee data. It's not covered. It's a big loop hole in the Act," he said.

Under the Privacy Code in Australia, covert monitoring of e-mails is a breach of civil rules, rather than criminal law, Heitman said. Overt monitoring is allowed as long as the employer stipulates it in an acceptable usage policy with the employee.

"However, even if someone does breach the Privacy Act, the only thing that can be done is the Federal Privacy Commissioner can embarrass the company in a report," he said.

"In Australia, we need to set up privacy laws. Digital collection and transfer of e-mails has made privacy an issue. It is a lot easier for employers or anyone to build an advance profile on someone, and get access to personal information and e-mails."

In 2000, the law firm Freehills showed that 76 per cent of the top 200 Australian companies periodically monitor e-mail and 65 per cent do it without notification.

NSW proposes clamp down

The NSW Government's recent proposal to clamp down on surveillance of workers' e-mails will bring it more in line with the British code, but open up compliance nightmares and security risks, according to Gamertsfelder.

He went on to dub the state-based Government legislation as an "old-world approach".

The NSW Government announced late last year it is looking at changing workplace relation laws regarding e-mail surveillance, although no timeframe has been set. The State Government has accepted in principle recommendations of the Law Reform Commission requiring employers to give 14 days' notice before conducting surveillance of employees' e-mails, or to obtain a warrant from the Industrial Relations Commission if they want to covertly monitor their electronic activity.

"The Government's proposed laws give employees much stronger rights to use companies information systems without monitoring," Gamertsfelder said.

"It's a state-based law, so compliance becomes a nightmare from a national perspective. It creates a range of problems because the Internet opens up markets and allows people to operate more and more on a global level. Also, companies have servers located in different states," he said.

Heitman said the NSW reforms just back up common law.

"However, the NSW Government's state-based law has limited ambit. It can't apply to everyone in that state."

Heitman added there was no attempt to get privacy advocates on board when drafting the proposals.

- Patrick Thibodeau contributed to this article

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about DeaconsEFAE*TradeIndustrial Relations CommissionNSW Government

Show Comments