Internet Service Providers' Association

Advisory 13: Interception Of Private Communications In The Workplace

Release date: 16 February 2005
Author: Ryk Meiring

Disclaimer: This advisory is produced for informational purposes only to familiarize ISPA members with the main provisions of legal implications. It is not a complete analysis of the relevant law or its implications and in no way should be interpreted as legal advice offered by ISPA. ISPA, its members, and its advisors cannot be held liable for any reliance by readers on this document, its accuracy or interpretation of the law.

Abstract

Workplace-based communication systems are implemented by business for the development and maintenance of that entity's commercial activities. Business is alive to the reality that, while most employees will not engage in communications that may compromise that entity's prospects, exceptions to the rule may cripple that entity's business standing.

This Advisory reviews the existing and prospective legal frameworks regulating this environment, and concludes that:

  • At present, a business may intercept communications FROM an employee, if that employee has given consent to or is aware of the potential for interception;
  • Communications TO an employee may currently not be intercepted, unless the person which dispatched the communication to the employee has provided consent or is aware of the potential for interception;
  • Though prior written consent is advisable in all instances of potential interception, it is not specifically required by legislation; and
  • In all other instances, only members of the police or intelligence communities may intercept communications, and then only on authority of an Interception Directive authorised by a High Court Judge.

Introduction

With the imperative recognition of the individual's right to privacy enshrined in South Africa's Constitution of the Republic of South Africa Act No. 108 of 1996, and s14(d) specifically prohibiting the infringement of the right to privacy in communications, much attention and various cases have focused on the fast-evolving branch of privacy law dealing with lawful interception and monitoring of work-based communications.

That this privacy right is not absolute is well-recognised, as per s36 of the Constitution1, in terms of the Interception and Monitoring Prohibition Act, 127 of 1992 ("IMPA"), and its intended replacement, the Regulation of Interception of Communications and Provision of Communication-Related Information Act No. 70 of 2002 ("RICA").

Seminal privacy case law holds that "Protection accorded to the right of privacy is broad, but it can also be limited in the appropriate circumstances"2. Since the promulgation of RICA, the topic of a right to privacy in the work-place has been the subject of extensive and conflicting legal opinion.

The common-law right to privacy, as expressed in Bernstein3, was most fittingly expressed in an earlier case: "[The] scope of a person's privacy should extend only to those aspects in regard to which a legitimate expectation of privacy can be had."

This Advisory addresses the degree of privacy in communications an Employee can reasonably expect in the workplace under applicable South African law, and related information.

Business Risks and Vicarious Liability

Two types of communications are carried over an Employer's communication systems:

  • Business communications (No trouble); and
  • Private communications (Where the Employer's expectation to monitor compliance with an Acceptable Use Policy ("AUP") may conflict with the Employee's privacy expectations).

The ordinary business concerns of Employers in communications systems include:

  • Cost implications of unauthorised communications usage (call, usage and storage charges);
  • The access, display or distribution of unauthorised content (including racist content, obscene material, and software, music and images used in violation of Intellectual Property Rights); and
  • The Employer's vicarious liability for intentional or negligent delict of Employees (including sexual harassment, misrepresentation, and defamation).

Vicarious Liability defined: In civil law, the unlawful act of the Employee is legally attributable to the Employer (even where the Employer is unaware of the Employee's act) when:

  • There is a contract of service between the Employer and Employee;
  • The act of the Employee is unlawful (sufficient requirements for a delict); and
  • The acts occurred
    • whilst the Employee was acting in the course and scope of the Employee's duties or services, alternatively
    • where the Employee was acting with the tacit approval of the Employer.

The result is that the Employer, by making its communications infrastructure accessible to the Employee for business purposes, may be required to assume the liability occasioned by the Employee's misuse of those systems.

Current Law in Force

The RICA4 (having already been signed into law on 30 December, 2002) comes into operation on a date fixed by the President by proclamation in the Government Gazette. This commencement date is yet to occur. Until that date, the provisions of IMPA remain in full force and effect, and the provisions of RICA will remain of academic interest.

One 'solution' often proposed is a general prohibition by management of personal communications use of business systems. This course of action is ill-advised, owing to various decisions5 suggesting that a blanket prohibition on private communications using business systems would be excessive and Constitutionally unlawful.

Despite the extended and vigorous debate surrounding RICA, the fact is that it is yet to come into operation, on a date to be announced by the President.

Upon its commencement, RICA will repeal IMPA. Until that date, the provisions of IMPA remain in force and effect. In terms of IMPA, the following facts are relevant:

  1. Communications emanating FROM an Employee may be intercepted by an Employer, provided the Employee is aware of or has given consent to interception;
  2. Other than as set out in paragraphs 1, 5 and 6, a communication TO an Employee may NOT be intercepted by the Employer, regardless of the recipient's knowledge of or consent to interception;
  3. In the above instances, it is the knowledge of or consent to interception of the DISPATCHER (or sender) of a communication which defines the right to intercept;
  4. The consent of the dispatcher of a communication may be oral, and does not have to be in writing. However, if the Employer has not obtained consent in writing, and the consent is disputed, the Employer may experience difficulty in proving that consent had been lawfully provided;
  5. Only when an Employer notifies (or gains the permission of) an unassociated third party dispatcher of a communication to an Employee, may it intercept those communications to the Employee (in this instance, the knowledge of or consent of the Employee is irrelevant);
  6. In all other cases, monitoring of communications may only be authorised on application to a High Court judge when either:
    • A serious offence (referring to offences in the Criminal Procedure Act) is being or is about to be committed, and the offence cannot be investigated in any other manner; or
    • The Judge is convinced that the security of the Republic of South Africa is threatened.

A company's Acceptable Use Policy (AUP)

The implementation of a definitive AUP is recommended in each instance of an Employer making its business communications systems available to Employees for business purposes, to delineate the Employee's right to privacy, and the Employer's right to monitor AUP compliance in outgoing and internal communications6.

It is important to set out in the AUP that the communications system is provided for business use, and that limited private use is allowed, subject to restrictions. It should further make specific reference to the entitlement of the Employer to intercept communications from Employees, and to inspect saved or stored information on company systems.

Future Law

Once the commencement date of RICA is fixed by Presidential proclamation, the IMPA will be automatically repealed, and the provisions of RICA will come into force and effect.

The provisions of RICA have been largely ignored in this Advisory, as its provisions are yet to commence. For a detailed review of its provisions, please refer to ISPA Advisory 10, issued February 2003 by Ms Cohen. For convenience, a brief overview of its provisions is provided here.

The repeal of IMPA and the commencement of RICA entails, in brief and in context of workplace monitoring and interception, the following:

  • Any former doubt whether the legislation applies to 'new' forms of communication including email, sms and instant messaging, is dispelled in its explicit application to both direct communications (face-to-face) and indirect (remote, including postal, telephonic and electronic) communications;
  • A general prohibition of interception of communications applies7, subject to certain stipulated exceptions. A contravention of its provisions without lawful excuse will on conviction constitute an offence which may result in penalties of up to R2 million, or imprisonment of up to 10 years;
  • The 3 primary exceptions in which a workplace-based interception is lawful are:
    • Where the intercepting party is a party to the communication being intercepted8;
    • Where one of the parties to the communication has provided prior written consent to the interception9; and
    • Where the intercepting party is the business and the communication takes place in the carrying on of that business - the so-called business exception10.

Further exceptions not relevant to the current discussion are also referred to in the legislation11. Of importance to the current discussion, the final 'business exception' is the most relevant, and is fairly detailed.

It has been suggested that the section 5 exception implies that, where a business does not have the prior written consent of an employee, it may not monitor that employee's communications. This is untrue. Section 6 makes specific provision for a business to intercept business-based communications for the integrity of its operations.

When the RICA comes into force, a business may have a right to intercept all workplace-based communications, but it is highly advisable only to do so when the business:

  • Has devised and implemented a clear and appropriate AUP that is not excessively invasive or burdening;
  • Communicates its AUP to all employees regularly and uniformly;
  • Only intercepts communications which are clearly private when there is sufficient good cause to suspect that the business' interests are being compromised, and there is a legitimate expectation that evidence of such compromise is to be found in those communications; and
  • Applies the provisions of the AUP consistently.

Conclusion

Interception of work-based communications is fraught with pitfalls for the Employer. Imposition of an AUP to provide guidance is essential. Though written consent is not required, it certainly is most advisable.

If an employer has not implemented an AUP (verbal or written), and it suspects illegal or unlawful use by an Employee, the Employer may not intercept or monitor communications, and may only alert the relevant Police / Defence Force / Intelligence Service, for investigation.

Remaining pertinent and other general principles of IMPA have been conclusively set out by Ms Cohen in ISPA Advisory 2, issued 24 February, 2000, and it is unnecessary to repeat them here.

Annexure A:

Examples of IMPA Disputes

Selected instances of a court or a tribunal being requested to admit evidence, despite such evidence having been obtained in contravention of the Interception and Monitoring Prohibition Act, include the following:

  • Goosen v Caroline's Frozen Yoghurt parlour (Pty) Ltd & Another 1995 ILJ 396 (IC)
    (Decided under the Interim Constitution):
    • Employee recorded Employer's telephone conversations without consent to prove Employer's bias in a disciplinary action;
    • Court found in favour of Employee, stating that evidence obtained in contravention of legislation is permitted when "[I]t is relevant to the matters at hand".
  • Protea Technology Ltd and Another v Wainer and Others 1997 9 BCLR 1225 (W):
    • Protea recorded calls made by Wainer in the workplace during working hours, allegedly in violation of a Restraint of Trade Agreement;
    • Wainer alleged contravention of legislation and invasion of privacy;
    • The court decided that Protea has a right to know if its employee (Wainer) was committing a delict; and that though the manner of obtaining evidence was in contravention of the Interception and Monitoring Prohibition Act, it was admissible on the grounds of reasonability in terms of the Constitution, s36(1).
  • Moonsamy v The Mailhouse 1999 20 ILJ 464 (CCMA)
    (This is a decision of the CCMA, and has no precedent value, but has persuasive power):
    • Employer Mailhouse tapped Moonsamy's work telephone to gather evidence without permission or court order;
    • Arbitrator determined that evidence, though not obtained with consent, was not necessarily inadmissible in terms of the Interception and Monitoring Prohibition Act;
    • The Arbitrator determined in terms of s36 of the Constitution that the invasion of privacy was unconstitutional, holding that:
      • the Employee's right to privacy in the workplace is generally superior to the Employer's right to monitor the Employee's communications;
      • without consent or authority, the Employer may reasonably only monitor the extent of the Employee's private communications, but not the content of the communications;
      • the invasion of privacy was excessively invasive, and would only be justifiable to secure essential evidence, which was not the case in this instance; and
      • the Employer should have obtained consent to monitor, either from the Employee personally, or in terms of s158 of the Labour Relations Act.

Annexure B:

Employment Law Considerations

The issue of workplace monitoring and interception of employee communications is generally contemplated in the context of gathering evidence in anticipation of disciplinary procedures based on suspected contravention of a work-place rule, one example being an AUP.

In this regard, it is important to recognise that section 23 of the Constitution provides that '[e]veryone has the right to fair labour practices'. The Employer's right to discipline and/or dismiss an Employee is regulated by, among others, the Constitution, the Basic Conditions of Employment Act, and most analytically by the Labour Relations Act.

In terms of the Labour Relations Act and the Code of Good Practice for Dismissals, dismissals may only be effected due to either Employee conduct or capacity, or due to Employer operational requirements.

Dismissals are automatically unfair unless the Employer can prove:

  • Substantive fairness: Valid and fair reason; and
  • Procedural fairness: Fair procedure in addressing misconduct.

Whether a dismissal for misconduct is fair depends on:

  • Whether the Employee contravened a workplace rule (E.g.: the AUP); and
  • Whether:
    • The rule was valid or reasonable;
    • The Employee was aware, or should have been aware, of the rule;
    • The rule has been consistently applied by the Employer; and
    • Dismissal is an appropriate remedy for the contravention of the rule.

Employers who dismiss unfairly may be liable to the Employee for reinstatement and/or compensation.

 

 
