5th January 2001

To: dsmith@dpexecutive.demon.co.uk

FIPR Response to Draft Code of Practice (6/10/00)

On the use of personal data in employer/employee relationships

With particular reference to Chapter 6 (especially 6.3), we robustly support the draft code and hope the final version is not weakened, following the DTI rejection of a proportionate approach in their Lawful Business Practice Regulations (LBRP).

Compare:

3/10/00 DTI Response to consultation : "...small number of consultation responses suggested that the Regulations should include a proportionality test...The Government is not convinced"

Against:

23/10/00 Financial Times : UK e-snooping rules conflict - "Any monitoring must be proportionate and related to business needs...." the DTI added.

(see www.fipr.org/rip#DTI-doublespeak for links)

We deprecate attempts by the DTI to have-their-cake-and-eat-it on the proportionality issue; clearly rejecting arguments for proportionality in their official response to consultation to placate the business lobby, but later posturing in the press as proponents of proportionality when the media coverage took a turn for the worse.

In our view, the draft code represents a carefully balanced and surprisingly comprehensive package, which realistically reflects the present state of workplace surveillance technology, but is also cognisant of the imminent dangers of their wider use.

The DTI's RIP LBPR appear to sanction carte-blanche use of these technologies through approving various "specific purposes" for which interception can be justified. However these purposes in practice are sufficiently broad to allow almost any type of monitoring, irrespective of proportionality arguments. We think it will be useful to encourage partnerships between trades unions and industry bodies to develop guidelines that address issues that are unique to specific sectors, to develop a consensual interpretation of proportionality in concrete circumstances. However, trades unions are not uniformly well established in all industries (especially ITC industries) and the DPC may find that it needs to develop sectoral codes itself, for example in industries where the workforce in primarily part-time or contracted.

We note however that three looming issues are not addressed in the draft, and we believe that it would be helpful for the DPC to offer specific guidance on these matters:

A) Use of anonymising "proxy" webservers (which may encrypt all content transmitted between the desktop and the proxy website - e.g. www.safeweb.com)

We believe that use of proxies to maintain user privacy (against logs kept by ISPs or monitoring performed by the employer) will become increasingly commonplace, although we do not think that they are a substitute in any sense for a proportionate approach to monitoring. In a workplace environment that permits employee Internet access subject to guidelines, we do not think that use of proxies should be blocked or banned, or used as an indication of suspicious activity which itself justifies closer surveillance.

B) Encrypted e-mail under a personal private key

Encrypted e-mail will also become more commonplace, perhaps routine, both for personal and business use. Many companies already operate a key-escrow policy that allows them access to e-mail encrypted under a corporate key. However there remains the issue about use of personal cryptographic keys in the workplace used to protect the privacy of personal communications. This can be done either through web-based e-mail services (e.g. www.hushmail.com) or standalone programs such as PGP.

We believe there are strong public policy grounds to discourage firms from banning use of personal keys in the workplace, nor is it acceptable for firms to impose the right to demand personal keys contractually in the terms of employment. Such a policy could only be justifiable where there is an over-riding and indisputable necessity for the employer to have the capability to monitor ALL Internet communications of the employee. There may be examples (in the military or finance) where this case can be made, but they must be extremely rare. Similarly, use of personal keys within guidelines should not be viewed as suspicious in itself, or justification to undertake alternative or more detailed forms of monitoring.

C) "Spyware" designed for the US market

Most products for monitoring Internet access by employees originate in the United States, where there is no federal or general data protection law. Consequently, standard practice in the US tends toward blanket automated surveillance using a number of techniques in parallel, often enabled by default at the most intrusive levels. Such intensive but indiscriminate default settings are optimised for the convenience of network security administrators but do not in any way reflect the sensible graduated approach outlined in the Draft Code. We believe that a DETERMINED PROGRAM OF OUTREACH AND EDUCATION by the DPC will be necessary to alert system administrators and the spyware industry that installing products designed for the US market at their default settings will be in flagrant breach of the Code. We expect the DPC to be subjected to fierce lobbying pressure on this issue (on grounds of "practicality") which should be robustly resisted.

--

Caspar Bowden

Director, Foundation for Information Policy Research

Tel: +44(0)20 7354 2333