Liability Briefing on e-Business

RELEVANT LEGISLATION/CODES OF PRACTICE

- Regulation of Investigatory Powers Act 2000
- Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
- Data Protection Act 1998
- Employment Practices Data Protection Code of Practice
- Human Rights Act 1998
- Business Names Act 1985
- Copyright and Rights in Databases Regulations 1997
- BS7799 ‘Code of Practice for Information Security Management’
- Electronic Communications Act 2000
- Electronic Commerce (EC Directive) Regulations 2002
- Guidelines for the security of information systems and networks
- Disability Discrimination Act 1995
- Code of Practice - DISC PD0008:1999
Regulation of Investigatory Powers Act 2000 (“RIP Act”)

The RIP Act deals with the interception of telecommunications, which includes emails. The basic principle of the Act is that you cannot intercept a communication on your own private network without the consent of the sender and recipient. To do so would be a criminal offence and would also make you liable for a statutory tort enabling the sender or recipient to make a claim for damages. Thus, when it comes to monitoring your employees’ use of the network, this Act on its own presents some difficulties: while you might obtain consent from your own employees, how will you be able to get consent from senders or recipients outside the company?

Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (“Lawful Business Regulations”)

These Regulations establish what is lawful business practice and say what an employer is permitted to do in terms of email monitoring without having to obtain consent. Put simply, the employer has to show that there is a ‘business motive’ for the interception. Secondly, the employer has to make reasonable efforts to warn those using the system that the employer may monitor communications on it. Note that actual consent is not an issue here. In order to comply, you must warn staff and potential senders and recipients of emails that their emails may be monitored. It is advisable therefore to include such a warning in the footer of all outgoing emails. What about someone in your company, such as a contract worker, who is not an employee? In such a case you need to ensure that they also receive the warning. The best policy is to deal with this as a term of their contract.

Data Protection Act 1998

Data protection is the area of law that governs what may lawfully be done with an individual’s personal data. The current law can be found in the Data Protection Act 1998 and relevant secondary legislation. The 1998 Act came into force on 1 March 2000 and aims to protect individuals’ rights to privacy with respect to the processing of personal data. (Note that personal data does not just mean data of a personal nature, for example medical information; it means any data relating to a living individual. Data relating to companies is not covered by the Act, only data relating to individuals.)
Does the e-business site use, or intend to use (by collecting, storing or making use of), data relating to individuals? You might, for instance, use or intend to use a database to store details relating to customers, business contacts or individuals within companies that supply to you. The first step is to decide whether you are a “data controller” and therefore covered by the Data Protection Act 1998. Having assessed that your company is a data controller (processor of personal data), you must notify the Information Commissioner. You can complete a notification form online, print it out and return the form to the Information Commissioner.
Obligations under the Data Protection Act 1998 in summary are as follows:

How these obligations apply to:

WEBSITES

If, for instance, a website is being used to collect information about Internet users online, a data protection notice must be included on the website. The data protection notice must include the following information:
- The data controller’s details
- Purpose of the processing
- Details of any recipients of the personal data
- An “opt out” clause allowing the data subject the opportunity to refuse to give his/her consent to be marketed to
- Description of the methods to be used for contacting individuals for marketing purposes
- Any other information that is necessary to make the processing fair.

In summary therefore three things are necessary to ensure there is no breach of the Data Protection Act 1998:
- notification
- compliance with the obligations set out in the Act
- a proper data protection notice on your websites.
eBUSINESS

The Information Commissioner has extensive powers of enforcement. The Commissioner may take action of his own accord or following a complaint by, for example, an employee or a customer. An information notice can be served by the Commissioner requiring the data controller to provide certain information by a certain date. If the Commissioner concludes there has been a breach of the Act, an enforcement notice can be served requiring the processing of personal data to cease, or to cease in a particular way. Failure to comply with an information or an enforcement notice is a criminal offence. Directors and senior managers of companies can be personally criminally liable if an offence is committed with their consent or due to their neglect. Criminal proceedings can be taken against the offender who, if found guilty, will be subject to a fine. There is no limit on the amount of the fine that could be imposed. Alongside this, a data controller will be unable to continue to process personal data. This, as well as the fine, could be bad for business. Under the Act, data subjects have certain rights of access to information and they have the right to ask the Commissioner for an assessment of processing compliance. There are also provisions for data subjects to obtain compensation for loss or damage they suffer as a result of the data controller’s contravention of the 1998 Act.

eMAIL MONITORING

The DPA says that you have to comply with the data protection principles if you hold or collect personal data. So records taken as part of surveillance are likely to be personal data and therefore must be obtained and recorded lawfully, be necessary, not excessive, and not held for too long.

Employment Practices Data Protection Code of Practice

The Employment Practices Data Protection Code of Practice issued by the Information Commissioner is applicable to employers. The Code deals with monitoring communications, which includes email and Internet communications. The Code covers “private communications”, which are communications containing information that the employee would not wish to be generally known, whether or not they have been sent for business purposes. It also covers personal communications, for example emails that are sent in the course of the worker’s private life, even if sent from work. The Code suggests that businesses should:
- ensure that the assessment of whether monitoring is justified takes account of the specific circumstances of email and/or Internet access monitoring;
- make those sending emails to workers, as well as workers themselves, aware of any monitoring and the purpose behind it, unless this is obvious;
- if it is necessary to check the email account of workers in their absence, make sure that they are aware that this will happen.
Human Rights Act 1998

The Human Rights Act gives individuals the right to respect for their privacy - that is, privacy in relation to their private life, family and private correspondence (which would include electronic communication). On the issue of human rights, monitoring use of email or the Internet infringes the employee’s human rights (e.g. under Article 8 of the Convention). In response, the employer is likely to claim that they have a right to protect their interests and the interests of other members of staff and that the surveillance they have carried out is necessary and proportionate. They should also point to their email policy and the terms of their employment contracts and the contractual rights these give them to monitor emails.

Business Names Act 1985

This Act will need to be followed for emails as it is for printed stationery. In the case of a partnership, the name of each partner and the business address and, in the case of a company, the corporate name, the registered office and registration number must be given. This can be done either by including the information in full each time or by storing it in the signature box and repeating it at the end of every such message. The sender of an email should make it clear when signing off, or on the face of the email, whether he is communicating in his individual capacity or on behalf of his firm or company, so that any contracts made, or representations or advice given, are given by the business and not individually.

Copyright and Rights in Databases Regulations 1997

Under these Regulations database rights are owned by the creator of the database. However, the definition seems to suggest that a person commissioning another to create a database could constitute a creator with database rights. The website development agreement, and any agreement with a third party whom you use to help compile the database, should make clear who owns these rights.

BS7799 ‘Code of Practice for Information Security Management’

Contains useful guidance on security.
Electronic Communications Act 2000

Sets out certain requirements relating to electronic signatures. Electronic signatures are admissible in evidence in relation to any question as to the authenticity of the communication of data. The Act requires other legislation that inhibits the use of e-commerce (e.g. by requiring documents to be signed manually) to be updated.

Electronic Commerce (EC Directive) Regulations 2002

These Regulations came into force on 21 August 2002. The Regulations affect businesses conducting online transactions and advertising over the Internet, by email or by mobile phone, whether or not the goods or services are provided electronically. They affect consumers, e-tailers and transactions between online businesses. The aim of the Regulations is to provide more clarity to the law governing online transactions.

Failure to comply

Any business that sells or advertises goods or services online (e.g. the “e-commerce” site described under (d) above) will need to ensure that it complies with the Regulations, otherwise it will risk its website being closed down. A failure to comply with the Regulations could also result in contracts being unenforceable. Customers will be able to sue if the Regulations have not been complied with. Companies that fail to comply with the Regulations risk being reported to the Office of Fair Trading.

Website information

The Regulations impose a number of requirements on those businesses which contract with customers online. So, what information should a website contain in order to comply with the Regulations?
- The company’s full name, its geographic address and email contact details.
- If the business is a member of any trade organisation or is regulated by a particular professional or regulatory body (such as the Financial Services Authority), the names of such organisations will need to be set out on the website.
- If the company holds any professional titles it should state such title and also the European Member State where that title has been granted. A reference to the professional rules applicable to the business’s regulated profession and the means to access them will also need to be provided.
- A business involved in selling goods or services online should ensure that its site contains information about how to conclude online contracts (this issue relates to the terms and conditions of use, an important function of which should be to define how and when a contract is formed by using the site) and, if the goods or services are subject to VAT, the VAT number needs to be provided.
Where the website refers to prices, the pricing information should be clear and unambiguous, stating whether or not prices are inclusive of tax and delivery costs.

The Regulations do not deal with the actual online contract formation, but set out the requirements when contracting with customers. Online businesses will need to acknowledge receipt of the order to the customer without undue delay and by electronic means, and allow the customer to correct errors prior to the placing of the order. However, these requirements do not apply to contracts concluded exclusively by exchange of email or by equivalent individual communications. Before an order is placed, the website must provide the customer, in a clear, comprehensible and unambiguous manner, with: the different technical steps to follow to conclude the contract; whether or not the concluded contract will be filed by the service provider and whether it will be accessible; the technical means for identifying and correcting input errors prior to the placing of an order; and the languages offered for the conclusion of the contract.

It is in this area where we believe most trading websites will need attention. A frequently encountered problem for customers who purchase from sites which fail to honour the order is that the terms and conditions of the site do not spell out clearly the point at which a binding contract is formed. In addition, the Regulations assume that most contracts will be formed upon the acknowledgement of the customer’s order being given by the site. However, a number of e-tailers have argued that the contract is not made until despatch of the goods. The Regulations provide that if the e-tailer wants to protect itself in this way (e.g. from pricing or stock control errors) it must ensure the customer has no doubt, before they order, where they stand.

The contract will be unenforceable at the insistence of the customer if the site fails to provide the customer with the terms and conditions, fails to acknowledge an order or fails to allow the customer to correct errors prior to placing his order.

Businesses which use sites for e-commerce will need careful legal advice both as to the terms of use and as to elements of design and functionality in order to ensure compliance.
Spam emails

Under the Regulations, businesses that send ‘spam emails’ promoting their goods or services should clearly state that the email is an unsolicited commercial communication. It should also clearly identify the person on whose behalf the email is sent. If the email or website offers any discounts, promotional offers, gifts or competitions, the qualifying conditions must be given and be easily accessible (for example, by a hyperlink) and the conditions of the offer need to be presented clearly and unambiguously.
Guidelines for the security of information systems and networks

The Organisation for Economic Co-operation and Development (OECD) has recently published these Guidelines to deal with the increase in cybercrime, computer viruses, computer hacking and other forms of disruptive technology practices. The Guidelines aim to provide the foundation on which to form a framework for the security of information systems.

The Guidelines recommend that those operating e-commerce sites have a “culture of security” which consists of nine principles: awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management, and reassessment of security measures and practices. Although the Guidelines are non-binding, the OECD hopes that they will encourage governments of other countries and businesses to adopt similar practices. The OECD Guidelines can be found at the following site: www.oecd.org/sti/security-privacy.

Even though the website may use a secure server connection using encryption, that protects data only while it is in transit; the data held on the server must also be encrypted, otherwise hackers who gain access to the servers will find the data unencrypted. This is particularly important if you intend to store personal client contact details in these databases, as it is a requirement under the Data Protection Act that such data is stored securely. It is also important that commercial information concerning customers and their transactions is treated securely and confidentially. While the terms of use of such sites may exclude liability for such events, if ineffective security measures have been implemented the site owner may not be able to rely on such exclusions because of the Unfair Contract Terms Act.
Disability Discrimination Act 1995

The Disability Discrimination Act applies, amongst other things, to the design and operation of a website. This Act creates certain technical requirements for websites so as to enable them to be used by a disabled person.
Code of Practice - DISC PD0008:1999

This sets out guidelines regarding the admissibility and evidential weight of eData. Related documents:
- Compliance Workbook – DISC PD0009 – operates as a self-assessment document to check systems against the Code of Practice
- Good Practice Guide – DISC PD00010 – offers five principles of good practice for eData management