Employers often monitor employee communications in order to gather the evidence required to dismiss an employee fairly. In South Africa, the monitoring and interception of employee communications is governed by the tongue-twistingly named Regulation of Interception of Communications and Provision of Communication Related Information Act, 70 of 2002 (RICA), which finally came into effect on 30 September 2005.
Monitoring and Interception
The fundamental principle of RICA is that communications may not be monitored or intercepted except in accordance with RICA; doing so otherwise is an offence.
“Monitoring” involves observing the flow of information usually with the aim of collecting information. Monitoring may involve catching, diverting or blocking the communication (“intercepting” it), or accessing some of the information caught, keeping the information, disclosing it to others or deleting it.
Both “monitoring” and “interception” are governed by RICA, irrespective of whether the monitoring is continuous (i.e. it takes place indefinitely – e.g. where antivirus software scans email activity continuously), once-off (as a short term measure in response to a particular problem) or covert (e.g. to gather evidence to prove allegations of misconduct where notification to the employee would prejudice the investigation).
RICA specifically refers to both “direct” and “indirect” communications. “Direct” communications are face-to-face, predominantly oral discussions; “indirect” communications include post and all forms of electronic communication or telecommunication, such as telephone, fax, email, SMS and instant messaging, and even an employee’s access to corporate systems, networks, etc. RICA also requires all telecommunication service providers (including Internet service providers (ISPs) and cellular network providers) to make it possible to intercept e-mails and cellphone calls and other electronic communications.
In terms of RICA, offences are punishable by heavy penalties which include a fine of up to R2 million or imprisonment for up to 10 years.
It is important to know that ALL monitoring is prohibited under RICA (including the intentional interception, or the authorisation of the interception, of any communication whilst it is in the course of transmission) UNLESS the monitoring falls within one of the several exceptions allowed by the Act.
Three of the exceptions which are very important in the context of the employment relationship are where interception is permitted:
- By a person if that person is a party to the communication
- With the prior written consent of a party to the communication (section 5)
- When the interception occurs in connection with the carrying on of business (the so-called “business exception”), where written consent is not necessarily required and where ‘express’ (can be verbal) or implied consent suffices (section 6).
COMPLYING WITH RICA
In order not to fall foul of the law, employers are going to have to monitor in a legally compliant manner as well as ensure that their implementation roll-out reflects the employer’s style of management and culture.
Ultimately, the choice that an employer has to make is whether to base their implementation plans on section 5 (prior written consent) or section 6 (the business exception where written consent is not necessarily required) or a combination thereof. It may not be practical in all circumstances to obtain employee consent to the automated monitoring that is so essential for the Information Security needs of the modern networked enterprise, so the combined approach or reliance on the business exception is preferred.
As a general rule, the following general principles should be borne in mind:
- Develop a formal Monitoring Policy on the monitoring of all communications which covers different technologies (e.g. phone, e-mail and ‘snail’ mail), levels of intensity (e.g. continuous, once-off), purposes (e.g. network security)
- Develop monitoring guidelines (which inter alia deal with the different monitoring purposes, processes and procedures to be followed)
- Integrate policy and guidelines with other Information Security initiatives
- Appoint your “system controller”, or authorise someone else to be the system controller, in the correct manner, and ensure that he is familiar with his obligations under RICA
- Obtain written, express or implied employee consent to monitor
- Implement an employee communication and awareness training program for existing employees and at induction of new employees.