The Regulation of Interception of Communications and Provision of Communication-related Information Act 70 of 2002 (‘the Interception Act’) sets out the basis on which employers can lawfully monitor employees’ communications. All employers must make themselves familiar with the provisions of the Interception Act as the penalties for unlawful interception are stiff – a fine of up to R2 000 000 or up to ten years imprisonment. In this article, Tammy Bortz and Lize Louw of Werksmans Attorneys highlight some of the salient issues with which business executives need to become acquainted. Before the Act bites.
The Interception Act was assented to on 30 December 2002 but will only come into operation on a date to be fixed by the President in the Government Gazette. The Interception Act, and in particular sections 2 and 6, regulate the extent to which individuals and corporations may lawfully intercept and monitor their employees' communications. The Interception Act accordingly provides some guidance in determining whether or not a company acts lawfully when, for example, it monitors and/or accesses employees' e-mails, monitors the websites employees browse, or records employees' telephone conversations.
General prohibition on the interception of communications
Section 2 of the Interception Act states that - "Subject to this Act, no person may intentionally intercept or attempt to intercept, or authorise or procure any other person to intercept or attempt to intercept, at any place in the Republic, any communication in the course of its occurrence or transmission."
Any entity found guilty of unlawfully intercepting any communication in breach of the Interception Act may face a fine of up to R2 000 000 or up to 10 years' imprisonment.
The basic principle is therefore that employers may not intercept any communication and to do so, other than in terms of the exceptions set out below, amounts to the commission of an offence. That said, the Interception Act should be read together with the Electronic Communications and Transactions Act 25 of 2002 ('the ECTA').
Section 86(1) of ECTA provides (in the context of the chapter dealing with 'cyber crime') that subject to the Interception Act, a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence. Section 89(1) of ECTA provides that the penalty for contravening section 86(1) would be a fine or imprisonment for a period not exceeding 12 months.
Exceptions to the general prohibition
The Interception Act recognises the following three instances in which an entity may nonetheless lawfully intercept a communication:
* Any person (including an employer) may intercept any communication if he or she is a party to the communication.
* Any person (including an employer) may intercept any communication if one of the parties to the communication has given their prior consent in writing to such interception. For these purposes, a party to a direct communication is any participant or any person to whom the direct communication is directed, whereas a party to indirect communication is the sender or (intended) recipient(s).
* Any person (including an employer) may intercept any indirect communication in the course of the carrying on of any business provided that certain requirements are met ('the business exception').
Lawful interception in terms of the business exception
The business exception is particularly useful since one of its aims is to provide employers with a lawful means of intercepting business communications without having to obtain consent from employees. The requirements that an employer must meet in order for interception in terms of the business exception to be lawful relate to:
* The nature and content of the intercepted communication.
* The purpose for which the interception is effected.
* The nature of the telecommunications system involved.
* The measure of control exercised over the interception process by the system controller.
In this regard, any employer may lawfully monitor, examine and otherwise intercept employees' telephone conversations, e-mails, faxes and other forms of indirect communication in the course of the carrying on of its business provided that:
* Such communication is the means through which a transaction is entered into in the course of that business (or otherwise relates to that business or otherwise takes place in the course of the carrying on of that business);
* Such communication is intercepted for a legitimate purpose, namely to:
• establish the existence of facts;
• investigate or detect the unauthorised use of the employer's telecommunication system; or
• secure the effective operation of the employer's telecommunications system or as an inherent part of the effective operation of such system.
* Such communication is intercepted in the course of its transmission over a telecommunication system that is provided for use wholly or partly in connection with the business of the employer; and
* The system controller has made all reasonable efforts to inform all individuals using the telecommunication system in advance that indirect communications transmitted through it may be intercepted, and the system controller has intercepted the communication himself/herself (or has consented to such interception).
Meaning of 'in the course of carrying on any business'
It must be emphasised that the business exception only applies to indirect communications, transmitted over a telecommunication system (as defined in the Telecommunications Act 103 of 1996 ('Telecommunications Act'), which are intercepted during the course of transmission.
In terms of the Telecommunications Act, a telecommunications system is 'any system or series of telecommunications facilities or radio, optical or electromagnetic apparatus or any technical system used for the purpose of telecommunication, whether or not such telecommunication is subject to re-arrangement, composition or processes by any means in the course of the transmission or emission or reception'.
Accordingly, e-mails and Internet usage by employees may be lawfully intercepted by an employer in the course of the carrying on of any business if all the other requirements for lawful interception in terms of the business exception (as set out above) have been met.
But face-to-face discussions and other forms of direct communication could not be lawfully monitored on this basis. Nor could an employer intercept employees' post and other forms of indirect communication not 'transmitted over a telecommunications system'. In addition, the business exception ceases to apply once an e-mail or other message or download 'arrives' at its destination since the Interception Act makes it clear that interception must occur 'during the course of transmission.'
Because of the wide range of communications that fall outside the ambit of the business exception, it remains important for an employer to obtain the correctly-worded written consent in advance from its employees. For instance, should an employer deem it necessary to monitor what programs an employee has downloaded and saved to his/her computer, the employee would have to consent thereto in advance and in writing.
Further limitations on the scope of application of the business exception
It is currently unclear what the legislature meant when it legitimised interceptions 'in the course of the carrying on of any business'.
For instance, an employee might send an e-mail during business hours on his employer's system relating to a medical crisis at home. Could his employer lawfully inspect the contents of such an e-mail, provided the other requirements of the business exception are met, on the basis that the communication was transmitted in the course of the carrying on of the employer's business? Common sense seems to suggest that 'in the course of the carrying on of any business' is not broad enough to cover this type of scenario and that it would in any event be desirable for the employer to respect its employee's right to privacy in this type of situation and obtain the necessary consent to monitor all employee communications.
The business exception has to some extent been modelled on the United Kingdom Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations of 2000 (SI 2000 No 2699) ('British Regulations'). For the purposes of the British Regulations, a communication which serves as the means through which a transaction is entered into in the course of the business (or which otherwise relates to that business, or which otherwise takes place in the course of the carrying on of that business) amounts to a communication which is relevant to a business.
The effect of the Interception Act is that entities who intercept communications on their own systems will need to be sure that their actions are legally sanctioned, either because their employees have consented thereto, or because they fall within the ambit of the business exception. To intercept communications in circumstances not authorised by the Interception Act amounts to the commission of an offence which carries stiff penalties.
In order to ensure that they do not fall foul of the provisions of the Interception Act and in particular, the business exception, employers must put in place clear and comprehensive rules and policies relating to the use by their employees of the employer's telecommunication system and setting out the parameters for the personal use of telephones, e-mail, the Internet and so forth.
Because of the uncertainty as to how our courts will apply the business exception, it is equally important for employers to obtain the correctly-worded written consent from current and future employees which will allow them to lawfully intercept communications in circumstances where the business exception does not apply.
For more information contact Tammy Bortz or Lize Louw, Werksmans Attorneys, 011 535 8454.
A 'communication' has been defined in the Interception Act and means both 'indirect' and 'direct' communications which are in turn defined as -follows:
* 'Indirect communication' means the transfer of information (including a message or any part of a message) (in any form or combination of forms) by means of a telecommunication system or a postal service. Such forms of information transfer include speech, music or other sounds, data, text, visual images, signals or radio frequency spectrum;
* 'Direct communication' means either:
• oral communication between two or more persons (not amounting to an indirect communication), which occurs in the immediate presence of all the persons participating in that communication; or
• an utterance by a person participating in an indirect communication, if the utterance is audible to another person, who at the time when the indirect communication occurs, is in the immediate presence of the person participating in the indirect communication.
* A direct communication would, for example, be face-to-face discussions between two or more people and telephone conversations overheard by a third party who is with one of the callers. An indirect communication would include, for example, a telephone conversation, e-mail transmission, fax, SMS, postal communication and downloading information from the Internet.
* The Interception Act defines 'interception' as, to acquire the contents of any communication (whether direct or indirect) through whatever means, so as to make some or all of the contents of that communication available to a person other than the sender or (intended) recipient of the communication. Interception therefore includes monitoring any communication by means of a monitoring device, viewing, examining or inspecting the contents of any indirect communication, and diverting any indirect communication from its intended destination.