The monitoring of communications must be done lawfully. For example, employers often monitor employee communications (such as email, websites visited and telephone calls made) in order to gather the evidence required to dismiss an employee fairly. Companies sometimes monitor other communications to comply with regulatory requirements. In South Africa, the monitoring and interception of communications is governed by the tongue-twistingly named Regulation of Interception of Communications and Provision of Communication Related Information Act, 70 of 2002 (RICA), which finally came into effect on 30 September 2005.

Monitoring and interception

The fundamental principle of RICA is that communications may not be monitored or intercepted except in accordance with RICA, and that doing so otherwise is an offence. “Monitoring” involves observing the flow of information, usually with the aim of collecting information. Monitoring may involve catching, diverting or blocking the communication (“intercepting” it), or accessing some of the information caught, keeping the information, disclosing it to others or deleting it.

Both “monitoring” and “interception” are governed by RICA, irrespective of whether the monitoring is continuous (i.e. it takes place indefinitely – e.g. where antivirus software scans email activity continuously), once-off (as a short term measure in response to a particular problem) or covert (e.g. to gather evidence to prove allegations of misconduct where notification to the employee would prejudice the investigation).

RICA specifically refers to both “direct” and “indirect” communications. “Direct” communications are face-to-face, predominantly oral discussions. “Indirect” communications include post and all forms of electronic communication or telecommunication, such as telephone, fax, email, SMS and instant messaging, and even an employee’s access to corporate systems, networks, etc. RICA also requires all electronic communications service providers (ECSPs), including Internet service providers (ISPs) and mobile network providers, to make it possible to intercept emails, cellphone calls and other electronic communications.

In terms of RICA, offences are punishable by heavy penalties which include a fine of up to R2 million or imprisonment for up to 10 years.

Understanding RICA

It is important to know that ALL monitoring is prohibited under RICA (including the intentional interception, or the authorisation of the interception, of any communication whilst it is in the course of transmission) UNLESS the monitoring falls within one of the several exceptions allowed by the Act.

Three of the exceptions which are very important in the context of the employment relationship are where the interception is permitted:

  1. By a person, if that person is a party to the communication.
  2. With the prior written consent of a party to the communication (section 5).
  3. When the interception occurs in connection with the carrying on of a business (the so-called “business exception”), where written consent is not necessarily required and where ‘express’ (can be verbal) or implied consent suffices (section 6).

Lawful Monitoring of Communications

In order not to run afoul of the law, employers are going to have to monitor in a legally compliant manner as well as ensure that their implementation roll-out reflects the employer’s style of management and culture.

Ultimately, the choice that an employer has to make is whether to base their implementation plans on section 5 (prior written consent), section 6 (the business exception, where written consent is not necessarily required) or a combination of the two. It may not be practical in all circumstances to obtain employee consent to the automated monitoring that is so essential for the information security needs of the modern networked enterprise, so the combined approach or reliance on the business exception is preferred.

How we can help you

Check your legal compliance in the workplace, and that you are monitoring communications lawfully, by asking us to conduct a monitoring audit. As a general rule, you should bear the following principles in mind:

  1. Develop a formal Monitoring Policy on the monitoring of all communications which covers different technologies – e.g. phone, e-mail and ‘snail’ mail, levels of intensity – e.g. continuous, once-off, and purposes – e.g. network security.
  2. Develop monitoring guidelines – which deal with the different monitoring purposes, processes and procedures to be followed.
  3. Integrate policy and guidelines with other Information Security initiatives.
  4. Appoint your “system controller” in the correct manner – authorise someone else to be the system controller and ensure that he is familiar with his obligations under RICA.
  5. Obtain written, express or implied consent to monitor.
  6. Implement an employee communication and awareness training programme for existing employees and at the induction of new employees.
  7. Conduct a Monitoring Audit to check you are monitoring communications lawfully.

Lawfully monitor or intercept communications by asking for our advice or a legal opinion.