The paper lists the purposes for which interception is legally authorised as being:
The Regulations only address the act of interception, they do not deal with the monitoring of traffic (as opposed to content) data, nor do they deal with the storage and use of personal information obtained as a result of interception.
The document additionally sets out the rules for incorporating the monitoring of workers' communications within the workplace saying that employers must have a pre-drafted policy detailing: 'Why [employers] are monitoring, What is being monitored, and What action will be taken as a result of that monitoring.'
Most businesses will be able to incorporate the RIP act simply by citing that it is for 'security matters.'
'Electronic Communications at Work' says that workers must be made aware of their employers' ability to intercept their communications by being made aware of: 'The purpose of monitoring, The monitoring process and The consequences of adverse findings.'
It advises that: 'Departments and agencies should consider including a clause in staff employment contracts explaining that communications may be monitored and setting out the consequences for breaching the communications policy.
The paper says the wording of such notices should be to the effect that:
"Communications on the [Department's] computer systems may be monitored and/or recorded to secure the effective operation of the system and for other lawful purposes."'
The paper has a special section for contractors regarding the monitoring of their communications without consent:
'Contractors must abide by the same rules regarding the use of communications facilities as employees. As far as possible, contractors should be obliged by the terms and conditions of their contracts to follow the same principles and procedures as the Department or agency which employs them. It is standard practice to ask contractors to observe confidentiality. Government departments and agencies also have to comply with the seventh data protection principle of the Data Protection Act 1998. This principle states:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The principle also obliges departments and agencies to choose only those contractors who can provide sufficient guarantees in these matters. A contractor must not only comply with the Data Protection Act but there must be a written contract between the two parties whereby the contractor may only act on the data controller's instructions and the contractor must work under security obligations equivalent to those placed on the data controller.
There has been much opposition to the RIP Act since it was introduced. One of the main voices of online opposition is the Internet policy think-tank, the Foundation for Information Policy Research (FIPR).
Caspar Bowden, Director of FIPR commented, "The guidance is silent on some difficult issues which will soon become pressing. Can employers ban contractors and employees from using encrypted e-mail or web mail to guarantee their own security and privacy? Can employers contractually insist that personal decryption keys are escrowed or surrendered on demand? If the answer to these questions is 'No', and they do raise fundamental human rights issues, then instituting much of the blanket monitoring that RIP in theory allows, will serve no useful purpose."
Shout99 asked the Home Office if it understands or sympathises with people's claims that the Regulation of Investigatory Powers Act is an invasion of people's privacy.
A Home Office spokesperson said:
"On the contrary, the Act puts surveillance work, an important tool for fighting crime, on a proper footing and into a framework where it can be regulated and controlled. The Government believes that the Act's provisions are compatible with the European Convention on Human Rights."
--
Richard Powell, Shout99
