Monitoring in the workplace must be done lawfully. There are many examples of where employees have taken on employers for unlawfully monitoring their communications (like telephone calls) in the workplace, especially their electronic communications (like email and SMSs). We can help you to lawfully monitor activities in the workplace. It depends on whether you have the written consent of every employee to monitor, or not.
If you have written consent
Getting all employees to consent in writing is first prize. The consent must be properly worded and can take the form of:
- a standalone written consent, or
- a written consent to monitor clause for new appointments for inclusion in your existing employment contract.
There are good reasons for having properly worded consents.
- The employee is contracting out of a constitutional right, which is ‘more important’ than a non-constitutional right.
- RICA, our monitoring law, deals with paper documents, as well as electronic documents (a fact which is often overlooked).
- It is debatable whether RICA only applies to monitoring taking place in real time (RICA refers to monitoring a communication during the “course of its occurrence or transmission”) or to stored data as well. This has very important practical ramifications for the organisation regarding what it can monitor.
We can review your existing consent to check that it is lawful. We can also provide you with an Electronic Communications Policy for your specific organisation.
If you don’t have consent to monitor
Where an organisation has not obtained written consent, it can nevertheless monitor in specific circumstances by following a procedure.
How we can help you
Check your legal compliance and that you are monitoring communications lawfully by asking us to conduct a monitoring audit.
Explanation of monitoring deliverables
In order to cater for those situations where “something slips through the net” and written consent for some reason has not been obtained, the employer would have to rely on the provisions of section 6. Section 6 does not require consent in writing (which might be difficult to obtain where the employer has a large workforce).
- Authorisation from the CEO /MD as 1st system controller to IT Department to be system controller: The system controller is responsible for monitoring.RICA defines the “System Controller” in the case of a juristic person (e.g. a company) as “the chief executive officer or equivalent officer of the juristic person or any person duly authorised by that officer … or person who is acting as such …”. The CEO will typically appoint a business unit (e.g. HR) as a system controller to authorise a monitoring and (ii) appoint another business unit (e.g. the IT department) as another system controller to carry out the technical monitoring (“Authorised Persons”). There needs to be a written authorisation in place from the CEO to one of these Authorised Persons.
- Authorisation to outsource partners: Some companies outsource aspects of their monitoring to 3rd parties. This is permitted. However, the 3rd party must either (i) be appointed system controller or (ii) be authorised by the system controller to monitor.
- Policy for call centre staff (to regulate the company’s monitoring of call centre personnel).
- Monitoring Policy for End Users: The objective of this policy is to inform employees of the (i) types of monitoring (e.g. secret, once off, occasional and continuous), (ii) the methods of monitoring (manual and automatic) and the circumstances under which monitoring will be conducted (typically to investigate allegations of fraud, corruption or breach of a policy, or for the continued optimal operation of the company’s information and communication systems).
- Monitoring Policy for Technical Staff: The objective of this policy is to ensure that all the technical staff monitor in a legally compliant manner. They are accordingly forbidden to monitor or intercept any paper-based or electronic communication (whether in transit or stored) unless they have been authorised to do so in writing. Where technical staff are so authorised, they can only monitor in terms of this Monitoring Policy and in terms of the Monitoring Guidelines provided to them. They are also required to keep proper logs for evidential purposes.
- Monitoring Guidelines for Technical Staff: The guidelines are designed to assist all network administrators, server administrators, desktop support personnel, application support personnel and any other IT support personnel, consultants and contractors who are called upon to assist in the interception and/or monitoring of paper-based and electronic communications and stored data in determining which actions and behaviour are lawful under South African law and which are acceptable to the company. The guidelines support the Monitoring Policy for Technical Staff and assist the system controller to be able to show that a member of the IT department, for example, acted outside the scope of the delegation of authority and went on a frolic of his own when carrying out a prohibited monitoring.
- Pro Forma Monitoring Request Template: Before a member of technical staff carries out the technical monitoring, a formal approval process has to be followed and an application must be made using a template request (to monitor) document which must be approved by relevant system controller on a per interception basis, before the interception may commence.
- Consents to Monitoring: For purposes of section 5, the employer should get written consent (which can include an appropriately worded “logon notice”. For purposes of section 6, and in order to demonstrate that the system controller received the express or implied consent of the person who uses that system to monitor, such a consent should be obtained from the employee.
- Pro Forma Monitoring Report Template: From a good corporate governance and King perspective, the system controller may choose to report to management on the number and type of interception and monitoring activities within a particular period. Typically, the interception and monitoring activities for the period are broken down into six broad categories, namely (i) network, which is concerned with network performance and security, (ii) Internet which is concerned with access to inappropriate Internet websites as defined in the Internet Policy we have suggested be drafted, (iii) e-mail, dealing both with general productivity, performance and security issues (such as viruses, pictures etc) and specific email content, (iv) telephone, fax concerned with productivity issues, (v) personal computers, storage media and storage devices, which are concerned with content and security issues and (vi) other direct and indirect communications.
- Wording for e-mail reminder from IT Department: This is one of the ways of demonstrating “implied consent” for purposes of section 6.
- A properly worded visitor sign in sheet and notice at the entrance to the company building where CCTV cameras are used on company premises.
- FAQ and Glossary of Terms.
How you benefit
- Ensure that you can use electronic communications as evidence in hearings or court cases.
- Avoid disputes with employees as to whether you have infringed their right to privacy.
- Empower your organisation to lawfully monitor communications.
- Avoid the significant risks of non-compliance (up to R10 million)
Automated monitoring legal solution
We have developed a practical legal solution using technology which automates the process for the obtaining of requests to monitor as covered in items 6 and 8.