RICA stands for the Regulation of Interception of Communications and Provision of Communication Related Information Act 70 of 2002 and finally came into effect on 30 September 2005. RICA is the piece of South African legislation that governs the interception or monitoring of paper-based and electronic communications.
It has recently been in the headlines because some sections of the RICA only came into effect on 1 July 2009. These sections mean that millions of prepaid mobile customers will need to be registered with the networks. However, despite previous outrage by the mobile operators, it seems to be all systems go. The press release from the Department of Justice and Constitutional Development provides a full explanation.
RICA in a nutshell
The word cloud on the right provides an overview of RICA. Every time communications are monitored and thereafter intercepted there is a potential infringement of the Constitutional right to privacy. RICA deals with the protection of that right and the circumstances under which the right is limited and the infringement permitted. RICA does not prevent an employer from monitoring its employees, but such monitoring must comply with RICA.
RICA states that no person – who is not a party to the communication, who does not have prior written consent or is not acting in the course of business – may intentionally intercept, attempt to intercept, authorize or procure any other person to intercept or attempt to intercept at any place in the Republic any communication in the course of its occurrence or transmission.
RICA provides that all forms of monitoring and interception of communications are unlawful unless the monitoring and interception takes place under one of the recognized exceptions in RICA. There are several exceptions to the general rule on the prohibition on intercepting communications, three of which apply to monitoring in the workplace:
- Party to a communication: Section 4 of RICA allows a person to monitor and intercept a communication if he/she is a party to that communication (for example, where the participants in a meeting consent to the meeting being recorded). This exception also applies where the interceptor is acting with the consent of one of the parties to the communication.
- Written Consent: Section 5 allows for interception of any communication under any circumstances (i.e. no special motivation or reason is required for it), provided the person whose communication is being intercepted has consented to it in writing prior to such interception.
- Business Purpose Exception: Section 6 contains a so-called “business purpose exception” which involves the interception of “indirect communications in connection with the carrying on of business”. Section 6 authorises any person to intercept indirect communications in the course of carrying out their business by means of which a transaction is concluded in the course of that business, which “otherwise relates to that business” or which “otherwise takes place in the course of the carrying on of that business, in the course of its transmission over a telecommunication system”.
However, to be lawful such interceptions must be made for two specified purposes, and are subject to three provisos.
- The first authorised purpose is to “establish the existence of facts”;
- The second is to “secure” the system, or which is “undertaken as an inherent part of the system”.
- The first proviso is that each interception must be authorised by the system controller;
- The second is that the system concerned is “provided for use wholly or partly in connection with the business concerned”;
- The third is that the system controller must have “made all reasonable efforts to inform in advance a person who intends to use the telecommunications system concerned that indirect communications transmitted by means thereof may be intercepted”, or if the user concerned consents to the interception.
Important note: If section 6 is contravened, the CEO is exposed to imprisonment not exceeding 10 years or a fine not exceeding R2 million.
Purpose of monitoring policy and compliance documentation
Whilst obtaining written consent to monitoring (under section 5) is the first prize, the company will in all probability not be able to get written consent from all employees. As such it is necessary to be able to create a “safety net” and be able to rely on the section 6 business purpose exception. Relying on section 6 will often entail having to “find the evidence” after the fact in order to demonstrate that the system controller made all reasonable efforts or obtained the express or implied consent of a person to monitor.
The following monitoring compliance documentation assists an organisation to comply with the section 6 business purpose exception.
Explanation of monitoring deliverables
In order to cater for those situations where “something slips through the net” and written consent for some reason has not been obtained, the employer would have to rely on the provisions of section 6. Section 6 does not require consent in writing (which might be difficult to obtain where the employer has a large workforce).
- Authorisation from the CEO/MD as 1st system controller to IT Department to be system controller: The system controller is responsible for monitoring. RICA defines the “System Controller” in the case of a juristic person (e.g. a company) as “the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer … or person who is acting as such …”. The CEO will typically (i) appoint a business unit (e.g. HR) as a system controller to authorise monitoring and (ii) appoint another business unit (e.g. the IT department) as another system controller to carry out the technical monitoring (“Authorised Persons”). There needs to be a written authorisation in place from the CEO to one of these Authorised Persons.
- Authorisation to outsource partners: Some companies outsource aspects of their monitoring to 3rd parties. This is permitted. However, the 3rd party must either (i) be appointed system controller or (ii) be authorised by the system controller to monitor.
- Monitoring Policy for End Users: The objective of this policy is to inform employees of (i) the types of monitoring (e.g. secret, once off, occasional and continuous), (ii) the methods of monitoring (manual and automatic) and (iii) the circumstances under which monitoring will be conducted (typically to investigate allegations of fraud, corruption or breach of a policy, or for the continued optimal operation of the company’s information and communication systems).
- Monitoring Policy for Technical Staff: The objective of this policy is to ensure that all the technical staff monitor in a legally compliant manner. They are accordingly forbidden to monitor or intercept any paper-based or electronic communication (whether in transit or stored) unless they have been authorised to do so in writing. Where technical staff are so authorised, they can only monitor in terms of this Monitoring Policy and in terms of the Monitoring Guidelines provided to them. They are also required to keep proper logs for evidential purposes.
- Monitoring Guidelines for Technical Staff: The guidelines are designed to assist all network administrators, server administrators, desktop support personnel, application support personnel and any other IT support personnel, consultants and contractors who are called upon to assist in the interception and/or monitoring of paper-based and electronic communications and stored data in determining which actions and behaviour are lawful under South African law and which are acceptable to the company. The guidelines support the Monitoring Policy for Technical Staff and assist the system controller to be able to show that a member of the IT department, for example, acted outside the scope of the delegation of authority and went on a frolic of his own when carrying out a prohibited monitoring.
- Pro Forma Monitoring Request Template: Before a member of technical staff carries out the technical monitoring, a formal approval process has to be followed and an application must be made using a template request (to monitor) document, which must be approved by the relevant system controller on a per-interception basis before the interception may commence.
- Consents to Monitoring: For purposes of section 5, the employer should get written consent (which can include an appropriately worded “logon notice”). For purposes of section 6, and in order to demonstrate that the system controller received the express or implied consent of the person who uses that system to monitor, such a consent should be obtained from the employee.
- Pro Forma Monitoring Report Template: From a good corporate governance perspective, the system controller may choose to report to management on the number and type of interception and monitoring activities within a particular period. Typically, the interception and monitoring activities for the period are broken down into six broad categories, namely (i) network, which is concerned with network performance and security, (ii) Internet, which is concerned with access to inappropriate Internet websites as defined in the Internet Policy we have suggested be drafted, (iii) e-mail, dealing both with general productivity, performance and security issues (such as viruses, pictures, etc.) and specific e-mail content, (iv) telephone and fax, concerned with productivity issues, (v) personal computers, storage media and storage devices, which are concerned with content and security issues, and (vi) other direct and indirect communications.
- Wording for e-mail reminder from IT Department: This is one of the ways of demonstrating “implied consent” for purposes of section 6.