Cybercrime FAQs

Updated 9 February 2009

The questions below are based on general queries posted to our enquiry service.

JISC Legal would like to remind you that the contents of this website are provided for information purposes only and do not constitute legal advice.

Questions

  1. What should we do if we come across email communications that clearly break the law? Should we inform the police or conduct our own investigation?
  2. A college principal has just received by email a sample of obscene materials which his IT manager says a member of staff has been downloading from the internet onto college computers. What should he do?
  3. What is the legal position concerning defamatory statements posted on an institution's computer networks?
  4. An institution has been made aware of terrorist material found on an employee’s PC. What is the legal position concerning disclosure of such communications data to the police?

1. What should we do if we come across email communications that clearly break the law? Should we inform the police or conduct our own investigation?

Any monitoring of systems, even if it is minimal, must be made only after consent has been sought from the persons who are subject to monitoring. This is mostly done by institutions through their Acceptable Use Policy (AUP) or interception and monitoring policy document. With regard to in-depth monitoring of content, the institution will require specific consent to do so. It is thus essential that the individuals who are subject to monitoring be informed what the institution is doing and why.

With regard to gathering evidence where there is an allegation of improper conduct, it must be ensured that this is done in compliance with the Data Protection Act, the Regulation of Investigatory Powers Act and the Human Rights Act.

It is essential that staff understand their responsibilities and the limits of their authority.

The UK Information Commissioner has issued a code of practice on Employment Practices which includes a section on monitoring in the workplace (Part 3), and this is essential reading for those involved in decisions concerning the monitoring of personal information.

With regard to interception where there is suspicion of criminal conduct or use of illicit material, the recent JISC Legal webcast on Interception and Monitoring Law provides detailed guidance.

If the administrator comes across mail that clearly breaks the law, the wiser option is to contact the police and have them conduct a lawful, responsible investigation rather than to conduct the investigation oneself. If it is doubtful whether the police should be involved, limited covert monitoring could be conducted to establish a cause for contacting the police. However, covert monitoring should be carried out only in very exceptional circumstances, where there is a concrete suspicion of illegal activity.

As you are likely to be using materials under the Copyright Licensing Agency Ltd (CLA) licence, you should become familiar with the guidelines provided by the CLA for the use of materials which a college may use. These guidelines are available online at http://www.cla.co.uk/support/fe/index.html

2. A college principal has just received by email a sample of obscene materials which his IT manager says a member of staff has been downloading from the internet onto college computers. What should he do?

As with any other incident response, the first aim is to limit the damage caused by the incident.

Clearly the college principal has to be very careful, and one of the first difficulties is that someone has to decide whether the material involved is illegal or not. If it is obviously illegal (such as child pornography images) then the police should be involved as soon as possible. A local police liaison officer should be able to provide guidance on appropriate actions to take once illegal materials are discovered on college computers. The situation is also likely to be a breach of college disciplinary rules and has to be handled as would any other breach of discipline.

Where the materials are not illegal, and the institution has a clear acceptable use policy which sets the limits on what is permitted for staff use of the college information systems (together with a related disciplinary procedure), then the email which the college principal has received should trigger that disciplinary investigation procedure.

It should be remembered that what the college is really doing is allowing individuals to use the IT facilities so long as they remain within the 'terms and conditions of acceptable use' which the college specifies. Just like any other college facility, the privilege can be withdrawn if abused. Ensuring that the Acceptable Use Policy (AUP) terms and conditions are clear to all users is essential.

If these procedures are not already in place at your institution then you should take steps to get them in place as soon as possible.

It is important that the Acceptable Use Policy is enforceable; otherwise the institution may be held to have treated a member of staff or a student unfairly when taking disciplinary action.

Collecting Evidence

One important question to be asked and answered, though, is how the IT manager has come across the materials in the first place. Was it by monitoring individuals? Was this done lawfully?

The outcome of such an investigation may in the extreme result in dismissal of an employee and may form the basis of a subsequent action for unfair dismissal. Such action is likely to be vigorously contested.

In that event there is a risk that evidence gathered by IT staff during an investigation will be held inadmissible if it was gathered in an unlawful way. Evidence could also be discredited if presented inappropriately. The authenticity of email messages and the validity of login records are particularly likely to be challenged. Often college and university IT departments are unaware of these issues. Whilst they may receive guidance from the police when investigating a serious crime, this will not be so for minor offences or for civil actions. Consequently, there is a risk that what may seem a cast-iron case will founder when contested, for example in an employment appeals hearing.

IT staff are increasingly likely to be called upon to investigate and gather evidence when there is an allegation of improper conduct. This has to be carried out in compliance with the Data Protection Act, the Regulation of Investigatory Powers Act and the Human Rights Act. It is essential that staff understand their responsibilities and the limits of their authority. Documented procedures, making clear what staff are authorised to do (and what they are not), must be provided.

For users, every institution should have an Acceptable Use Policy (AUP). To be enforceable, the AUP must be properly incorporated into the student contract or into an employee's terms and conditions and, additionally, reasonable steps must be taken to communicate its contents and any sanctions that might be imposed.

JISC Legal has published an Overview paper on Cybercrime, available on the JISC Legal website at http://www.jisclegal.ac.uk/cybercrime/cybercrime.htm.

3. What is the legal position concerning defamatory statements posted on an institution's computer networks?

The general rule of UK defamation law is that the publisher of defamation faces liability. This applies to FE and HE institutions in the same way as to any other publisher.

Under general principles of law, institutions may be liable for defamation if they know, or have reason to know, that the information distributed on their websites or networks is defamatory. There is an obligation on the institution to take offending material down once notified that it is defamatory.

JISC Legal has published an Overview paper on Internet Service Provider Liability, available on the JISC Legal website at http://www.jisclegal.ac.uk/ispliability/ispliability.htm.

Liability may arise if, for example, the institution exercises some discretion over how long material is stored or has the power to remove material (as with newsgroups or websites). In defamation law, institutions that host email discussion groups may be considered secondary publishers. Although this term does not appear in the legislation, it is commonly used to describe those involved in disseminating a defamatory statement other than the author, editor and commercial publisher.

Innocent Dissemination

The defence of innocent dissemination of a defamation is available to secondary publishers and intermediaries where:

  • they are not the author, editor, or publisher of the defamation;
  • they did not know and had no reason to believe that the statement in question was defamatory; and
  • they took reasonable care in relation to the publication of the statement in question.

Further, under Section 1(3)(e) of the Defamation Act 1996, an intermediary is not considered to be the author, editor, or publisher of a defamatory statement:

if [the intermediary] is only involved as the operator of or provider of access to a communication system by means of which the statement is transmitted, or made available, by a person over whom he has no effective control.

The key thing here is that an institution (or any other intermediary with no knowledge of the defamatory material complained of) will lose the protection of section 1 if it is given notice of the defamatory material and does not delete that material. As a result, any FE or HE institution should treat a notice of complaint seriously and investigate it immediately.

Electronic Commerce (EC Directive) Regulations 2002

Since July 2002, the requirements of the Electronic Commerce (EC Directive) Regulations 2002, which give effect to the European Electronic Commerce Directive (known as the E-Commerce Directive), must be considered. The Regulations limit, in certain circumstances, the liability of service providers who unwittingly transmit or store unlawful content provided by others.

Further detailed information on the E-Commerce Directive is available in the document FE/HE Institutions and Liability for Third Party Provided Content by Gavin Sutter, on the JISC Legal website at http://www.jisclegal.ac.uk/publications/thirdpartycontent.htm.

4. An institution has been made aware of terrorist material found on an employee's PC. What is the legal position concerning disclosure of such communications data to the police?

Under the Regulation of Investigatory Powers Act 2000 (RIPA), some public authorities (e.g. the police) are empowered to ask a college or university to produce or disclose to them certain communications data for specified purposes, e.g. for the prevention of crime.

The Kent Police website contains a useful publication on this, titled 'Accessing Communications Data', accessible at http://www.kent.police.uk/

The relevant part of this policy guidance notes that RIPA Part 1, Chapter 2 provides a legislative regime for public authorities, e.g. law enforcement, to access (obtain) the communications data of persons, in compliance with the Human Rights Act 1998 and the European Convention on Human Rights. The mechanisms used under this part of RIPA to obtain legal authority to acquire data mirror those under other parts of RIPA.

Further, communications data can only be accessed lawfully for one of the following purposes under the Regulation of Investigatory Powers Act 2000:
1. in the interests of national security, s22(2)(a);
2. for the prevention and detection of crime or preventing disorder, s22(2)(b);
3. in the interests of the economic well-being of the United Kingdom, s22(2)(c);
4. in the interests of public safety, s22(2)(d);
5. for the purpose of protecting public health, s22(2)(e).

Materials relating to acts of terrorism will most likely fall under one or more of these sections. However, the university should exercise discretion and should go about accessing the data only upon clear guidance from the police. The Association of Chief Police Officers (ACPO) has published a good practice guide (though aimed principally at police officers and other law enforcement authorities) which deals with the procedures to be used in the recovery of computer-based electronic evidence. It may be of helpful guidance and can be accessed at http://www.acpo.police.uk/asp/policies/Data/gpg_computer_based_evidence_v3.pdf

We can conclude that the legal position is that, upon a request being made by the police, files from the employee's PC might need to be extracted to comply with the law.

As part of our research we would like to hear from you. If you are unable to find a response to your question in this section please contact us at: info@jisclegal.ac.uk. In addition, if you would like to provide feedback then please email us at: feedback@jisclegal.ac.uk

We look forward to hearing from you.

Further FAQs

The Sussex Police Computer Crime Unit have a set of FAQs for computer crime at http://www.sussex.police.uk/comp_crime/faq.asp

The BBC have a helpful page on protecting your identity at:
http://news.bbc.co.uk/1/hi/business/4311073.stm
