Monday, September 08, 2008

Privacy on Employer Computers

There has been a recent ruling in the USA (strictly, a Supreme Court ruling in the State of New Jersey) that you have little expectation of privacy on computers at work. While I agree partly with Masons - the statement by Mr Docherty that the equivalent scenario (significant theft by employee) would allow a similar investigation in the UK, and the statement by Mr Malcolm that permitted personal use does create an expectation of privacy (but only in material covered by "permitted personal use" - i.e. not including theft from your employer or, for that matter, anybody else. Ed notes: Unless you are a lawyer, perhaps? Many people on the wrong end of a lawyer's bill consider that, like taxes, legally sanctioned theft!)

However ...

The Data Protection Act 1998, s29(1), exempts the processing of personal information for "the prevention or detection of crime"; SI (Statutory Instrument) 417/2000, where processing is "is necessary for the purposes of the prevention or detection of any unlawful act", exempts you from the explict consent requirements of Schedule 3*; and SI 2699/2000, the appallingly titled "The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000", S3(1)(a)(iii) allows interception for "the purpose of preventing or detecting crime" and (iv) allows it for "the purpose of investigating or detecting the unauthorised use of that or any other telecommunication system".

So, actually, as far as investigation goes (as opposed to monitoring which is covered by the non-statutory Information Commissioner's Employment Practices Code - Section 3), you actually have a fairly free reign.

Mr Malcolm's suggestion that you should contact the police is interesting (and you certainly should if you think you are in possession of material that creates a strict liability offence of possession for you) but you will often be much better off (and have it sorted much more quickly) if you take legal advice and engage a professional forensic investigator. Not all abuses or malpractice are criminal and, in any case, the particular event or accusation you are worried about would have to be really quite significant (or merely high profile for one or more senior cops, if you'll pardon the cynicism) for you to be high up the priority list for the relevant police specialists.

Now, back to swearing ...

* Note that s2(g) of DPA98 makes information about "the commission or alleged commission ... of any offence" sensitive personal data.


Brennig said...

Well, I'm with you all the way but... The Data Protection Act 1998, s29(1), isn't American legislation, and the chief point you're swearing about is an American ruling.

Surreptitious Evil said...

Being clear as mud, again, I apologise. My comments were aimed at the Pinsent Masons commentary regarding the equivalent situation in the UK.

Generally, as far as employment law goes, you have far less protection in the US than the UK, especially if you are an "at will" employee (as most Americans, even in the more unionised trades, are.) I was making the point that even though you might assume that the DPA, RIPA et al might give a UK employee some protection, if you are suspected of committing a crime (whether agin your employer or no) you have very little, where there is sufficient evidence (or suspicion) to justify investigation. This is not quite the same in Europe (particularly in Germany and France.)

I also thought, apart from the silent expletive that can always be assumed in front of "lawyer", that I had avoided swearing here?

HTTP Error 403: You are not authorised to access the file "\real_name_and_address.html" on this server.

(c) 'Surreptitious Evil' 2006 - 2017.