'...Interception and monitoring legislation is a potentially contentious area for colleges and universities. It is important to strike a balance between the need on occasions to intercept or monitor communications (e.g. by the police for the prevention or detection of crime, or by the college or university itself for operational purposes) and the privacy and freedom of expression rights of the individual whose communications may be intercepted.
New laws were therefore introduced to take account of advances in technology and to attempt to address the interests of both camps.
...It is important to emphasise at the outset that any interception should be regarded as exceptional by nature and must always be done on a clear legal base. Any action taken should always be directed to a statutory provision and must be proportionate to that purpose.
...The Regulation of Investigatory Powers Act 2000 ('the RIPA') provides that to intentionally and without lawful authority intercept a communication on a private system (e.g. the JANET connection) in the course of its transmission, unless it is done or authorised by someone with the right of control e.g. the Principal or his IT manager acting on his authority, is a criminal offence.
It should also be noted that whilst it may not be a criminal offence for someone with the right of control or authorised, to intercept on a private system, there may be grounds for a civil action for damages if there is no lawful authority to intercept...
Lawful Authority to Intercept
- Lawful authority is required to intercept.
- If there is no lawful authority then consent of the sender and receiver of the communication is needed.
- The RIPA allows some limited interception by the controller of the system without the consent of the sender or the recipient.
- The RIPA sets out the conditions under which third parties such as the police may intercept.
- The Lawful Business Regulations are the main source of lawful authority for the controller of the system to intercept and monitor. They permit the monitoring or keeping a record of communications for purposes such as standards, national security, prevention and detection of crime, investigating unauthorized use, and ensuring effective system operation.
- The interception must also be relevant to the business of the system controller.
- Every effort must have been made to tell users that interception may take place.
- A communication which has been intercepted and contains personal data is subject to the Data Protection Act 1998.
- To check the content of e-mail to ensure that the institution's standards and quality control are not being breached or that third party standards are being followed, e.g. the JANET Acceptable Use Policy.
- To check that the system is being used for legitimate purposes only.
- Under a valid warrant obtained by a specified authority e.g. the police or customs and excise etc.
- Some measure of interception is likely to be essential to, for example, check or prevent a virus spreading through the system, or to eliminate spam.
- Routine interception for operational purposes such as backing up or forwarding to the correct address.
- Monitoring (but not recording) may also be permissible to ascertain whether a communication is business or personal. An institution may need to check e-mails or voice mail for example in the prolonged absence of staff in accordance with an agreed institutional procedure.
- Where a college operates a confidential helpline service (for example a collaboration between the institution and the students' union), monitoring (but not recording) of calls to support or protect the staff.
None of these examples should be taken as providing unlimited interception powers to colleges and universities and heed should always be paid to the purpose of the interception and the legal basis on which it is done. Staff and students should be clear as to the level of monitoring which may take place.
Essentials for colleges and universities
Colleges and Universities as a minimum should have the following in place. An email and internet policy which:
- lets the user know what level of interception is likely to take place
- states the do's and don'ts for the user including whether personal use is permitted
- states the level of privacy the user can expect including whether 'cookies' or other information gathering devices are in use
- lets the user know the penalties for breach of the policy
- is linked with employment contracts, grievance and disciplinary procedures, and acceptable use policies
- has been cross checked with student and staff handbooks, departmental guidelines etc to ensure consistency
- forms part of induction training
- is visible to all e.g. consider notices at log in, on walls in computer suites, and regular on screen reminder notices to ensure ongoing visibility of the policy
- is reviewed on a regular basis...
The above does not allow for much flexibility, and since electronic communications are relatively new, this, as the author states, 'is a difficult area of law which in many respects has still to be interpreted by courts'.
Most universities are likely to have in place an Acceptable Use Policy, along the lines of:
The University seeks to promote and facilitate the proper and extensive use of Information Technology in the interests of learning and research. Whilst the tradition of academic freedom will be fully respected, this also requires responsible and legal use of the technologies and facilities made available to students and staff of the University... The University fully reserves the right to monitor e-mail, telephone and any other electronically-mediated communications...
And this is where the grey area appears, i.e. academic freedom will be fully respected BUT the university reserves the right to monitor... and if needed - or if convenient - apply disciplinary penalties. The end result is some daring individuals testing the system, or self-censorship.
A report released by the Foundation for Individual Rights in Education (FIRE) reveals that burdensome restrictions on speech are commonplace at America’s colleges and universities. The report, entitled Spotlight on Speech Codes 2006: The State of Free Speech on Our Nation’s Campuses, surveyed more than 330 schools and found that an overwhelming majority of them explicitly prohibit speech that, outside the borders of campus, is protected by the First Amendment to the U.S. Constitution.
And here is a daring academic that challenged the system... The true story of the world precedent legal ruling on email privacy.