
Internet & Email Interception

Jan du Toit

A recent study at a company employing 600 employees found that employees spend almost 79% of their working time on gaming and Internet sites such as Facebook. In another study it was found that almost 80% of the e-mail sent and received by employees during working hours was of a private nature. One can only imagine what the productivity levels are in those companies.

The interception of communication is currently regulated by the Regulation of Interception of Communications and Provision of Communication Related Information Act 70 of 2002. The interception of communication is prohibited in terms of section 2 in that, subject to this Act, no person may intentionally intercept or attempt to intercept, or authorise or procure any other person to intercept or attempt to intercept, at any place in the Republic, any communication in the course of its occurrence or transmission.

In terms of section 4, any person, other than a law enforcement officer, may intercept any communication if he or she is a party to the communication, unless such communication is intercepted by such person for purposes of committing an offence. Furthermore, any person, other than a law enforcement officer, may intercept any communication if one of the parties to the communication has given prior consent in writing to such interception, unless such communication is intercepted for purposes of committing an offence.

Any person who intentionally intercepts or attempts to do so, or authorises or procures any other person to intercept, is guilty of an offence.

The question therefore is whether an employer has the right to access or confiscate the employee's computer and to intercept and read employees' e-mail.

In this regard, both the interests of the employer and the employee should be considered. Firstly, one should consider the fact that the computer and network access is usually provided by the employer as a business tool, and that, as a rule, it remains the property of the employer.

Secondly, there is the constitutional right to privacy of the employee. The Constitution provides that everyone has the right to privacy, which includes the right not to have the privacy of their communications infringed. This should be balanced against the very real business and operational concern that employees may be using the employer's computer and network access either to waste time and network resources, or to download pornography or other offensive material from the internet and forward it to others, exposing the employer to viruses that can cripple its network. There are also very real confidentiality issues, such as the disclosure of confidential information belonging to the employer via email.

From the language of section 2 mentioned above it appears that the section is wide enough to include e-mail within the scope of the prohibition. An employer is prohibited from intercepting e-mail or other electronic messages at any stage during the existence or the transfer of that message, from one point to another. This also gives effect to the Constitution as an employer must respect the privacy of the employee and his communications via email or telephone.

It should, however, be noted that the Act does not absolutely prohibit interception. An interception direction can be obtained to authorise the interception of communications, or the employee can consent to interception. Consent should be given freely, without duress and within the framework of fairness.

Employers can employ various means to regulate email and internet use, or the abuse thereof. Firstly, employers can electronically regulate what the employee can use and access. This can mean, for example, that an employee may send and receive e-mail only within the organisation, and that no external e-mail is allowed. This would probably be an unrealistic approach. Another solution is regulating the attachments employees can receive in emails.

Secondly, employers must draft and implement email and internet policies, regulating the use of internet and email more comprehensively and specifically regulating what the consequences of non-compliance would be, for example, setting out the specific conduct and the sanctions it would attract. Employees should also be requested to inform third parties that their emails may be intercepted by the employer. A message to this effect can be added to the bottom of emails.

What does this mean for practical, day-to-day purposes? Firstly, that if an employer intercepts and reads employees' e-mails without consent or a clearly communicated policy, the employer will be contravening the Act. Policies should be written in such a way that they not only regulate the conduct of the employees, but also that of the employer, therefore protecting the employer from contravening the Act.

Secondly, if the evidence the employer obtains in this way is illegally obtained, it may be inadmissible in the disciplinary hearing or the CCMA. A mere finding that evidence was illegally obtained does not, however, render the evidence inadmissible.

In S v Dzukuda 2000 (2) SACR 443 (CC) the court explained that it would simply not be possible to draw up a fixed list to determine whether illegally obtained evidence should be admitted, but that the following ought to be considered:

  • prejudice to the accused;
  • the interests of society;
  • and public policy.

In S v Mphala 1986 (1) SACR 368 (W) the court highlighted that exclusion must be favoured where it would have a detrimental effect on the administration of justice.

Employers can employ different means to obtain evidence. They can, for example, track the number of messages going in and out of the computer network, ascertaining where those e-mail messages are being sent to. Evidence from third parties may be obtained, for example if the employee sends inappropriate email to others. The employer can also confront the employee with evidence which does not necessarily include the contents of the message, but rather the number of messages or the addresses to which the messages have been sent. The employer is not opening the e-mail messages and reading their contents; however, it may track the emails on its system.

To summarize, the employer is entitled to stipulate (and indeed should stipulate) in the employment contract that all electronic communications equipment (including telephones) is provided for business use only and that private use is prohibited, further that interception of communications shall take place from time to time, and that any breach of these requirements shall result in disciplinary action which may lead to dismissal.

For more information contact Jan du Toit at [email protected]

What does POPI compliance mean?

By Jan du Toit

 

Latest developments – Registration of Information Officers:

 

On 17 May 2021 the Information Regulator’s long awaited online portal went live for the registration of Information and Deputy Information Officers.

 

The Information Officer of a Responsible Party is the person at the head of your company (CEO or MD) or any person acting in such capacity, or specifically appointed by the MD or CEO to be the Information Officer. Registration must be completed before the end of June 2021.

 

The address for the portal is https://justice.gov.za/inforeg/portal.html

 

The following information is required to successfully register: 

  • Company name.

  • Company registration number.

  • Company type.

  • Company physical and postal addresses.

  • Company telephone and fax numbers.

  • Information Officer gender, nationality, full name and surname, ID or passport number.

  • Deputy Information Officers: same details as above.

 

POPIA Compliance – what must be done?

With a little more than a month left before POPI becomes fully effective, many employers may find themselves out of time to become fully compliant with, amongst other considerations, the 8 processing conditions prescribed in the Protection of Personal Information Act.

 

To be considered compliant the following must be considered and applied in the business of a Responsible Party before 1 July 2021. 

  1. POPI training / awareness sessions for the CEO / MD, managers and others tasked with the company’s POPI compliance project. Have a look on our website for the next POPIA training dates.

  2. Compliance audit to be conducted company-wide per department / division to determine the current processing practices within the organization and to establish what needs to be done to be compliant.

  3. Correction of contraventions as identified, and to introduce reasonable technical and organizational measures to prevent the loss or unauthorized access of Personal Information.

  4. Introduction of Data Subject rights and consent in the business through policies and consent clauses / paragraphs / contracts.

  5. The introduction of a PAIA manual (Promotion of Access to Information Act) that incorporates data subject rights and participation in terms of POPIA. This manual must be published on one of the company’s websites. It is also important to note that the current exemption granted by the Minister of Justice for some businesses not to have such a manual in place expires at the end of June 2021.

  6. General staff POPI policy and legislation awareness training.

  7. Registration of the company’s Information Officer (the CEO, MD or any person acting in such position).

  8. Follow-up assessment on compliance measures and adherence thereto.

 

It is important to note that no institution, not even the Information Regulator, can “accredit” any Responsible Party in South Africa to be compliant in terms of legislation. Compliance (or otherwise) will only be determined should an investigation be launched by the Information Regulator following a complaint. Should such an investigation confirm a lack of compliance, consequences such as an administrative fine not exceeding R10m may follow (which one may luckily pay off in instalments). Further to this, those whose rights are infringed upon by a Responsible Party not adhering to the requirements of POPIA may also institute civil proceedings. Such proceedings may result in compensation being awarded for loss, as well as aggravated damages determined at the discretion of the court.

 

In terms of section 19 of the Act, the Responsible Party (business owner / employer) is required to introduce reasonable organizational and technical measures to secure the integrity and confidentiality of Personal Information. The organizational measures referred to above include, inter alia, both internal and external policies to introduce the principle of protection of personal information in the workplace, as well as the rights of data subjects.

 

To allow you more time to focus on your business, the author of this article compiled a bundle of detailed policies for your business, ready to use. This includes all relevant forms to be used and a template document with draft consent clauses / paragraphs / rules to be incorporated into service and employment contracts, job applications, credit and other application forms, WhatsApp and Facebook groups / pages, and Independent Contractor agreements.

 

Also included is an Operator Agreement as required in terms of section 21 of the Act and a consent letter for existing clients / service providers, to agree to the continued processing of their Personal Information beyond June 2021.

 

The policies bundle includes: 

  • Privacy notice template to be published on your website.

  • Personal information protection policy.

  • Personal information retention policy.

  • Data breach policy.

  • Data breach register - form.

  • Data breach report - form.

  • Data security policy.

  • Data subject access request policy and procedures.

  • Data subject access request forms.

  • Processing agreement with third parties as Operators - contract.

  • Data subject participation - draft consent paragraphs / clauses to be incorporated into service and employment contracts, job applications, credit and other application forms, WhatsApp and Facebook groups / pages and Independent Contractor agreements.

  • Guidelines on the appointment of deputy information officers, inclusive of appointment letter.

 

For only R3750 you can now order your set of POPI policies, ready to use. Contact Jan du Toit for further assistance at [email protected]
