The long awaited Regulation of Interception of Communications and Provision of Communications-Related Information Act, number 70 of 2002 ('the Act') is now law.
As a business you might ask yourself the question: "so what; how will this affect my business?" Although the Act deals with a variety of different issues (for certain organisations, such as the Telecommunication Industry organisations, more than other), the most important aspect for any organisation to consider is to understand the balance between the right to privacy of an individual and the right of the organisation to mitigate risks in accordance with its risk management/corporate governance, says Gerrie van Gaalen from van Gaalen Attorneys.
We all know that interception of communications in most organisations take place on a daily basis, especially now that we use technology such as e-mail and instant messaging, but in light of the new law those organisations and the rest where there is no clear policy, should carefully consider the following:
The general rule:
No person has the right to intentionally1 intercept or attempt to intercept or authorise or procure any other person to intercept at any place in the Republic any communications (direct and indirect2 communications) in the course of its occurrence or transmission.
By just reading the above you should already realise that this new Act has an impact on your organisation. Luckily, like any other Act there are certain exceptions, with the following three exceptions as the most relevant exceptions applicable to your organisation and more particularly in an employer-employee relationship; interception:
1. By a person that is part of the communication (section 4);
2. With prior written consent from a party to the communication (section 5); and
3. In connection with carrying on of a business of that person (section 6).
Some companies jump to the wrongful conclusion that section 6 exception gives them an open gate to intercept all incoming and outgoing communications says Gerrie van Gaalen. To select the most appropriate exception or combination of exceptions for your organisation you should understand the requirements under each of the exceptions, especially section 5 and section 6 exceptions.
Section 5: The Electronic Communications and Transactions Act now also allows us to obtain the necessary written consent in an electronic format, therefore prior written consent does not necessarily mean a signature on paper from every employee. It is further advisable to reflect the right of the employer to intercept under all employment agreements, independent contractor agreements and Service Provider Agreements. Organisations can also include a section under an appropriate company policy, eCommunication Policy or draft a separate Monitoring Policy, that deals with the interception of communications;
Section 6: Section 6 can only be used as an exception if the following requirements have been met:
1. It applies only to business related communications or communications which otherwise take place in the course of carrying on of the business, in the course of its transmission over a telecommunications network;
2. Interception must be effected by, or with the express or implied permission of, the System Controller. Some advisors will tell you it is the CEO or MD, but could also be the CIO, but definitely someone that sits on the board of directors or is in the position to take such decisions;
3. Monitoring and keeping of a record only to establish the existence of facts, investigating unauthorised use of the telecommunication system, secure the effective operation of the telecommunication system; and
4. Very important - the System Controller must have used reasonable efforts to inform, in advance, the person (employee) that communications may be intercepted or the employer must have received the express or implied consent of the employee to intercept communications, eg, Monitoring Policy and/or eCommunication Policy.
It is clear from exception 6 that there are a few 'grey' areas, eg, "Interception can only occur in the course of its transmission over a telecommunication system" and therefore exclude eg, e-mails or other files that are stored on the PC of the employee. Any of the above exceptions or combination of exceptions can work for your organisation, but it will be imperative to understand the underlying requirements.
Like any other Act, there is a general rule, exceptions and then obviously the "what if I do not comply?" Employers that read and intercept employee communications without following the exception(s) correctly will be guilty of an offence and may face with fines up to R2 million and imprisonment of up to 10 years.
Do not be deceived - your organisation is affected by this new law.
The information in this article was prepared by Gerrie van Gaalen, an attorney and partner at Gaalen Attorneys ( firstname.lastname@example.org
) and is intended for general information purposes only. To execute an appropriate solution we recommend that the advice of a qualified IT attorney should be obtained.
1. Interception means aural or other acquisition of contents of any communication through the use of any means, including an interception device (this includes e-mail filtering and blocking technologies), so as to make some or all of the contents of a communication available to a person other than the sender or recipient or intended recipient of that communication and includes, monitoring by means of a monitoring device, viewing, examination or inspection of the content of any indirect communications and diversion of any indirect communication from its intended destination to any other destination.
2. Indirect communication as applied above, which means the transfer of information, including a message or any part of a message whether in the form of speech, music, or other sounds, data, text, visual images, whether animated or not, signals or radio frequency spectrum.