This chapter considers key legal and regulatory provisions relevant to the use of Internet technologies for providing advice and services. A wide range of legal compliance provisions applies and they are categorised for easier reference and understanding:
• Website management: identifies provisions for consideration when using websites to provide information and advertise services.
• Clients and services: identifies specific legislative and regulatory provisions governing the use of the Internet to provide services to clients.
• Jurisdiction and applicable laws: considers provisions governing the supply of legal services involving foreign jurisdictions.
• Internet abuse: identifies legislation that governs certain types of Internet activity that might expose directors, partners and staff to civil or criminal liability.
• Monitoring and surveillance: discusses legal provisions that apply to the monitoring of employee use of e-mail and the Internet in the workplace.
When providing services over the Internet, an organisation must address a number of issues relating specifically to the management of its website.
There are many millions of domain names registered worldwide. A domain name is the way in which an organisation identifies itself on the Internet, both to its clients and other organisations. Steps must, therefore, be taken to ensure that the selected domain name is properly protected.
The selection and registration of an appropriate domain name involve two aspects. First, the selection must ensure that the organisation’s professional image is both asserted and protected in a way that is most suitable. Second, the process must ensure that there is no infringement of copyright as regards existing domain names.
Levels
Domain names have a number of constituent parts. The principal constituent part is almost always the name of the organisation to which the domain name belongs. However, beneath the principal name are a number of other ‘levels’ of name, which define certain aspects of the organisation’s status.
Top-level domain names fall into two categories:
• the name of the country (for instance – .uk);
• the generic top-level domain (gTLD) name:
.com – commercial organisation;
.org – not-for-profit organisation;
.net – Internet network providers;
.edu – educational establishments;
.mil – military establishments;
.int – international treaty organisations.
Second-level domain names are usually assigned by country code administrators by reference to the country code. In the United Kingdom, such domain names end in .uk. Some of the more common examples are:
• .co.uk for commercial enterprises;
• .org.uk for organisations;
• .ac.uk for academic institutions;
• .gov.uk for government bodies;
• .net.uk for Internet service providers (ISPs).
There are two further levels of domain name, usually selected by the domain name registrant for specialist purposes. In 2000, ICANN (www.icann.org), the body responsible for administering domain names, introduced seven new gTLD names:
• .biz – for bona fide business and commercial use;
• .info – available to all;
• .pro – for use by medical personnel and lawyers;
• .coop – for use by co-operative organisations;
• .aero – for use in the air transport sector;
• .name – for registration by individuals;
• .museum – for use by museums.
Further gTLD names were introduced in 2004: .asia, .cat, .jobs, .mobi, .tel, and .travel.
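The level structure described above, as an added example that is not part of the original text: a small Python parser that splits a hostname into its top-level, second-level, registrant and further levels, using the gTLD and .uk second-level lists given in this section. The two-letter country-code rule and the label syntax checks (the 63-character label and 253-character name limits of RFC 1035/1123) are my assumptions, as is treating only .uk second-level names.

```python
"""Split a hostname into the domain-name 'levels' described in the text."""
import re

# Generic top-level domains named in the text: the original six, the
# seven introduced in 2000 and the six introduced in 2004.
GTLDS = {
    "com": "commercial organisation",
    "org": "not-for-profit organisation",
    "net": "Internet network providers",
    "edu": "educational establishments",
    "mil": "military establishments",
    "int": "international treaty organisations",
    "biz": "bona fide business and commercial use",
    "info": "available to all",
    "pro": "medical personnel and lawyers",
    "coop": "co-operative organisations",
    "aero": "air transport sector",
    "name": "individuals",
    "museum": "museums",
    "asia": "2004 gTLD", "cat": "2004 gTLD", "jobs": "2004 gTLD",
    "mobi": "2004 gTLD", "tel": "2004 gTLD", "travel": "2004 gTLD",
}

# Second-level names assigned by the .uk country-code administrator.
# Assumption: other country codes are not broken down further here.
UK_SLDS = {
    "co": "commercial enterprises",
    "org": "organisations",
    "ac": "academic institutions",
    "gov": "government bodies",
    "net": "Internet service providers (ISPs)",
}

# Letters, digits and hyphens only; no leading or trailing hyphen;
# one to 63 characters per label (RFC 1035/1123 limits).
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_domain(name: str) -> dict:
    """Return the levels of a hostname; raise ValueError if malformed."""
    host = name.strip().rstrip(".").lower()   # absolute names end in '.'
    if not host or len(host) > 253:
        raise ValueError("empty or over-long domain name")
    labels = host.split(".")
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid label {label!r}")

    tld = labels[-1]
    result = {"name": host, "tld": tld, "second_level": None}

    # Country-code TLDs are two letters; every gTLD above is longer,
    # so this test is unambiguous for the names the text lists.
    if len(tld) == 2:
        result["tld_kind"] = "country code"
        rest = labels[:-1]
        if tld == "uk" and len(labels) >= 2 and labels[-2] in UK_SLDS:
            result["second_level"] = labels[-2]
            result["second_level_kind"] = UK_SLDS[labels[-2]]
            rest = labels[:-2]
    elif tld in GTLDS:
        result["tld_kind"] = f"generic ({GTLDS[tld]})"
        rest = labels[:-1]
    else:
        result["tld_kind"] = "unknown"
        rest = labels[:-1]

    if not rest:
        raise ValueError("no registrant name below the top level")
    # The principal constituent part: the registrant's own name.
    result["registrant"] = rest[-1]
    # Any further levels chosen by the registrant, leftmost first.
    result["further_levels"] = rest[:-1]
    return result


def is_valid(name: str) -> bool:
    """True if parse_domain accepts the name."""
    try:
        parse_domain(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for example in ("www.nic.uk", "www.asa.org.uk", "Harrods.com."):
        print(parse_domain(example))
```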
ICANN is in the process of introducing new domain names. These are expected to include brand and city names. Regular reference to the ICANN website is suggested.
The ability to include a brand name within a gTLD is especially significant for brand owners, who will be particularly concerned to ensure that no confusion or trademark infringements arise through competitors adopting a similar strategy.
When selecting a new domain name, it is sensible to submit searches in just the same way as a client is advised to conduct a search at Companies House. Domain name registration agencies can assist. Domain names are allocated on a first-come, first-served basis.
A search will identify whether any selected domain name has already been adopted, or whether a similar name has already been adopted which might cause confusion. Some countries have restrictions on the type of domain name that can be used. There is also the problem of ensuring that the selected name does not infringe another party’s intellectual property rights.
As there are various categories of search, the domain name registration agency should be clearly instructed as to the type of search to be conducted. The broadest possible is advisable as registration of new domain names occurs continually around the world.
Registration
Nominet is the agency in the United Kingdom responsible for maintaining the register of domain names. Just as Companies House holds records of companies’ names, Nominet maintains the database of ‘uk’ registered Internet names. It is not a governing body, but a public service for the Internet community.
However, provisions in the Digital Economy Act 2010 may result in the UK government taking additional powers to control the domain name jurisdiction.
Nominet’s website (www.nic.uk) provides an overview of what is involved in the selection of a domain name, how to register, post-registration procedures, and changing domain names. While it is possible to register a domain name directly through Nominet, the agency encourages registration through an ISP, the majority of which are members of Nominet. A careful check should be made of issues such as fees, payment mechanisms and dispute resolution policies, if any.
Domain name registrations are valid for two years. Most ISPs will inform the organisation when the name is due for renewal. Transfers of domain names are also possible. Nominet has terms and conditions which are applied where changes are to be made.
Disputes
Because of the number of domain names being registered at any one time, there is considerable potential for dispute. Nominet provides a dispute resolution service, details of which are available on its website.
Nominet’s website explains how the service operates, the rules by which it is governed, some of the definitions involved and how to use the procedure. Parties are encouraged to reach a mediated settlement. Nominet states that it claims no right to transfer a domain name without consent or an order of the court, or to offer legal advice or issue judgments over the correct use of domain names.
There are also other dispute resolution resources. ICANN offers a Uniform Domain Name Dispute Resolution Policy and details can be obtained from ICANN’s website.
Cybersquatting
Cybersquatting occurs where an individual or organisation registers a well-known trademark owned by another individual or organisation as their own domain name. Two cases, which arose some years ago, are good examples of the problems that can arise. Both attracted wide publicity at the time.
In Harrods v. Network Services (1996), an individual had registered the domain name Harrods.com with NSI in America. Harrods took proceedings for infringement of trademark and passing off in the United Kingdom courts. In summary, there was eventually a consent judgment in favour of Harrods. The decision first highlighted the practice of ‘cybersquatting’.
The second case was Marks & Spencer plc and Others v. One in a Million Ltd. (1998). This was regarded as an authoritative case on domain names and was taken to the Court of Appeal. The plaintiffs were leading ‘brand name’ companies and took action against the defendant, which had registered domain names incorporating their trademarks. The Court of Appeal upheld the plaintiffs’ successful judgment in the High Court in 1998.
This is a simple summary of certain domain name issues. However, the adoption and use of domain names can raise complex legal issues and are frequently inextricably linked with brand names and trademark law and practice, both of which are beyond the scope of this book.
Therefore, any organisation seeking to obtain a new domain name should obtain specialist professional advice to ensure that the correct registration procedure is observed and that the intended domain name does not infringe the rights of any other organisation.
Legal liability may arise from information posted on a website, arising from a duty owed to those to whom information is given. This arises from the decision of Hedley Byrne & Co Ltd. v. Heller and Partners Ltd. (1964) AC 465, where the negligent provision of information gave rise to liability in law. Relying upon advice in such circumstances raises the question of whether it is reasonable that a client or casual browser should rely on the advice provided.
Whatever may be the legal position on the facts, the key issue is that organisations must be aware that inaccurate or misleading information may expose them to proceedings. Steps should, therefore, be taken to ensure that the content of the organisation’s website complies with all relevant legislation, regulations and professional and commercial codes. Examples of some typical difficulties that might arise were described earlier.
To address these concerns, legal developments must be monitored. This applies in two respects. First, any advice provided on the site must be accurate and up to date. Second, there must be compliance with any legal requirements in respect of the use of the site to provide information, advice and services. Responsibility for updating the site might most conveniently be that of the IT manager. The organisation should identify an individual to collate the necessary information to ensure compliance and provide this to the IT manager. Published content should be checked and monitored regularly for accuracy and timeliness.
Although apparently a risk relating to clients and services and identified as such in Chapter 3, the issue of online contracts is also a website management issue, both in respect of the actions of personnel and the display of appropriate notices on the organisation’s website. In deciding whether liability arises beyond the mere supply of information, the question arises as to whether the information constitutes an offer capable of acceptance, or an invitation to treat.
As services become more commoditised, websites routinely offer fixed-price services. It should be made clear to visitors to a website that (if it is intended to be the case) any services offered are intended as an invitation to treat (as in a conventional retail outlet), and are not a formal offer, the acceptance of which by a visitor will result in a binding contract. This might well form part of the terms and conditions (see next section) by which the organisation requires visitors to the site to be bound.
In certain circumstances, an organisation may wish to attach terms and conditions to the facility of viewing information or seeking services from its website. It is a general principle of contract law that terms and conditions must be brought to a prospective contracting party’s attention before a contract is concluded and it is likely that this would be applied by English courts.
In practical terms, a visitor might be required to scroll down through a number of web pages before accessing the relevant terms and conditions. How can a website owner be sure that the terms and conditions have come to the visitor’s attention? Probably the most obvious way, if lacking in user-friendliness, is to post the terms and conditions before the visitor can enter the full site area.
The same problem might arise in the case of linking. Terms and conditions attached to a primary site might also have relevance to a linked site. Steps will need to be considered with the owners of the linked site on the posting of relevant terms and conditions, so that they are correctly and adequately brought to visitors’ attention.
One widely adopted solution to potential exposure to liability has been to post a disclaimer notice in respect of information on the site. It is a basic principle of law that such a notice must be drawn to the attention of the party to whom it is directed. Any disclaimer notice should, therefore, be prominently displayed, so that each web page carrying information or advice that is the subject of the disclaimer will be seen by the visitor.
The scope of a disclaimer notice is likely to be governed by the Unfair Contract Terms Act 1977 and the Unfair Terms in Consumer Contracts Regulations 1999. Both seek to protect the consumer from the enforcement of unfair terms.
In broad terms, any attempt to disclaim liability in a contract is subject to a test of reasonableness.
Two general points should be borne in mind when considering the placement of disclaimers on a website. First, if an overall view of the site demonstrates a clear assumption of responsibility on the part of the site owner to the visitor for the validity and accuracy of information or advice on the site, the mere appearance of a disclaimer notice will not operate against the substance of the relationship. Second, any disclaimer should be carefully drafted, excluding liability for indirect, as well as direct, losses.
A website can be accessed worldwide and can, therefore, give rise to consequential liability for any information displayed. A global limitation or disclaimer will not be enforceable in practical terms because of the numerous jurisdictions in which it will fall to be interpreted, and so a residual risk remains whenever a disclaimer is posted.
Patchett and Patchett v. Swimming Pool & Allied Trades Association (2009) EWCA Civ 717 decided that where a visitor relied on website information which was found to be incorrect, the website owner owed a duty of care to ensure that the information was correct only if it was to be reasonably expected that the visitor would act on the statement without further inquiry. The disclaimer advised visitors to obtain more information before purchasing services from third parties listed on the website, and the website owner was not, therefore, held liable for inaccuracies. Further, one judge implied that interactive sites are more likely to owe a duty of care to visitors than passive sites.
The Advertising Standards Authority (ASA) (www.asa.org.uk) is an independent, self-regulatory body for non-broadcast advertisements in the United Kingdom. A new advertising code is effective from 1 September 2010. It has been produced following a consultation by the Committee of Advertising Practice and comprises a non-broadcast code (CAP code) and a broadcast code (BCAP code).
It is available for download from the ASA website and the principles are well established. Broadly, advertisements should be legal, decent, honest, truthful and responsible, and should not bring advertising into disrepute. However, the new code also introduces sector-specific provisions governing ease of use, protection for children, social and environmental issues, health, consumer protection, and specific activities (for instance, charities).
The ASA is not a law enforcement agency but adverse publicity will often result from infringement of the code. Certain cases may be referred to the Director General of Fair Trading. The International Chamber of Commerce also publishes a number of guidelines, codes and rules relating to marketing and advertising, to be found on its website at www.iccwbo.org.
The ASA regulates advertising claims in the traditional media but, in the context of digital advertising, only covers pushed advertising, such as e-mails and website sales promotions. The ASA has limited jurisdiction over website marketing, which is under consideration for extension.
Professional services organisations are often required to observe codes of practice in the course of publicising and promoting their services. Regard should, therefore, be paid to any guidance or best-practice advice offered by relevant professional bodies and regulators.
It is possible for web pages to contain links to other websites. These are termed hyperlinks. The name originates from the language – hypertext mark-up language (HTML) – that is used to perform the link to the other site. It is usually signified on the web page as a blue highlighted website address. Clicking on the address takes the visitor directly to the linked site. Linking can give rise to risks in respect of copyright and disclaimers.
Copyright
A typical example of how copyright issues can arise from links to other websites can be found in a case when the Internet was in its earliest stages of development. In The Shetland Times v. Dr Jonathan Wills and Zetnews Ltd. (1996), the defendants published the Shetland News and linked their site to the plaintiff’s site. The plaintiff objected as the defendants were bypassing the plaintiff’s revenue-producing home page and linking directly to an interior page. As there was no indication that the plaintiffs owned the interior page, it could have seemed to a casual visitor that the internal page was that of the defendant.
This was a Scottish case and an interim interdict (injunction) was granted to the plaintiff. Before the case was heard in full, a settlement was reached. Broadly, the terms were that defendants should not ‘deep-link’ into the text of the interior pages on the plaintiff’s site, but only to the home page, and that any links should clearly and appropriately indicate that the material originated from the plaintiff.
Further problems can arise under the Copyright and Rights in Databases Regulations 1997 (SI 1997/3032). These regulations are designed to protect databases into which considerable effort has been invested in their compilation. A basic website may fall within the definition of a ‘database’, particularly if valuable information is posted. In such circumstances, there may be infringement if there is unauthorised extraction or use of information posted on the site. It is, therefore, a sensible precaution to post a notice warning visitors of the danger of copyright infringement. Such a notice should at a minimum state:
• that any posted material is protected by copyright worldwide;
• whether or not permission is given to download and print off any material;
• the use, if any, that is permitted to be made of such material;
• that use for commercial purposes is prohibited without consent;
• a point of contact for permission.
For some examples of model notices, see eCommerce: a Practical Guide to the Law, Singleton S, Gower Publishing (2001).
Notices and disclaimers
These were considered earlier. Linking to another site can give rise to problems in respect of notices and disclaimers. Following general principles, the most sensible course is to ensure that where a hyperlink is contained, the site to which it takes the visitor displays a disclaimer in appropriate terms which cannot escape the notice of the visitor when entering the site. Alternatively, the original site might contain a disclaimer in respect of any site to which it is linked, but this is subject to the test of ‘reasonableness’, as explained earlier.
This section identifies some key legislative provisions that govern both the supply of information and the services to clients. First, they provide a framework for the provision of services over the Internet. Second, they provide consumers with certain rights.
The Electronic Commerce Directive’s full title is Directive of the European Parliament and of the Council on certain legal aspects of information society services, in particular electronic commerce in the Internal Market (2000/31/EC).
Commonly referred to as the E-Commerce Directive, it was adopted on 8 June 2000 and governs the formation of online contracts. It broadly includes:
• the general information to be provided;
• the information to be provided in commercial communications;
• the sending of unsolicited communications;
• provisions applying to regulated professions;
• provisions applying to electronic contracts.
The Directive became law with the introduction of the Electronic Commerce (EC Directive) Regulations 2002 (SI 2002/2013) on 21 August 2002, save for regulation 16 which came into force on 23 October 2003.
Since then, these regulations have been extended to include additional provisions by a number of ‘extension’ regulations in 2003 (SI 2003/115 and SI 2003/2500) and 2004 (SI 2004/1178).
The Electronic Communications Act 2000 came into force on 25 July 2000. Its origins lie in the Electronic Signatures Directive 1999/93/EC (see next section).
Two parts of the Act are of particular importance for electronic legal services. Part I relates to the establishment of cryptographic service providers for the provision of cryptography services to provide a framework for secure and confidential messaging. Part II establishes a framework for the legal admissibility of electronic signatures and the process under which they may be generated, communicated or verified.
The Act permits digital signatures to be admissible as evidence on questions of authority and integrity in respect of electronic communications or data. The courts will decide whether a digital signature has been correctly used and what weight it should be given against other evidence. As an indication of the universality of application, the Act sets out wide-ranging definitions of ‘documents’ and ‘communications’ in an electronic context.
The importance of the Act lies in its aim of facilitating the conduct of transactions – the delivery of services – electronically. Underpinning the commercial forces of consumer demand, together with the other elements already driving the demand for electronic services, the Act provides a framework for the development and provision of services, electronically.
The Electronic Signatures Directive’s full title is Directive of the European Parliament and of the Council on a Community Framework for Electronic Signatures (1999/93/EC).
The previous chapter described the technological aspects of digital signatures and digital certificates. This Directive was published on 19 January 2000. Its aims were to prevent a patchwork of laws on digital signatures emerging from individual member states, to make the use of electronic signatures easier, and to establish criteria for their legal recognition.
The Directive tries to ensure that digital signatures are accorded legal admissibility on certain grounds and to establish benchmarks for signature creation devices and certificates used to support such signatures.
Voluntary accreditation schemes
Member states may introduce voluntary accreditation schemes to provide enhanced levels of certification services. Under the Electronic Communications Act 2000, a voluntary approval scheme was established – the tScheme (www.tscheme.org) – by a group of trade organisations which called itself the Trust Services Group.
Qualified certificates
Article 2.10 of the Directive provides for the issue of qualified certificates which provide confirmation of competence and integrity.
Advanced electronic signatures
Article 2.2 of the Directive introduces the advanced electronic signature, which is uniquely associated with the signatory and in certain circumstances may be seen as the equivalent of a handwritten signature.
The Electronic Signatures Directive became law with the introduction of the Electronic Signatures Regulations 2002 (SI 2002/318) on 8 March 2002.
The open and insecure nature of Internet technologies makes personal data particularly vulnerable. Data protection principles and regulations aim to balance the right to hold information with the right of those about whom information is held to have the information properly handled. As organisations collect increasing amounts of information from and about consumers and other sources, data protection compliance becomes extremely important.
Data protection legislation originated with the European Data Protection Directive (formally named Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data 95/46/EC). In the United Kingdom, the DPA 1984 provided the original legislative framework for data protection. This was replaced by the Data Protection Act 1998 (the DPA), which came into force on 1 March 2000.
The Information Commissioner’s Office (ICO) administers data protection compliance. There are various publications providing help and guidance on compliance issues. Current information and developments can also be found on the ICO’s website at www.ico.gov.uk.
Parties
The Act introduces three parties: data controllers – who decide the way in which data is to be processed; data subjects – who are those about whom information is held; and data processors – who are responsible for processing the information.
Data
Personal data is data relating to an individual who can be identified from that data, or from that data together with any other information that is in the possession of, or likely to come into the possession of, the data controller.
Requirements
Under the DPA, a data controller must (except in exempted circumstances) notify the ICO of his or her identity and provide specific information about the type of data and the reasons for its processing by the data controller. Additionally, the data controller must process any data in accordance with the eight data protection principles stipulated in the Act, and provide access to processed data by the data subject, when requested to do so, for the purpose of checking for accuracy and to prevent unacceptable processing.
Data protection principles
These are set out in the Act. In broad terms, the Act states that personal data shall:
• be obtained and processed fairly and lawfully with the consent of the individual except in certain circumstances;
• be obtained and held for one or more specified or lawful purposes which are stated in the Data Protection Register, and must not be used for any purpose incompatible with the purposes;
• be adequate, relevant and not excessive in relation to the purpose for which the data is held;
• be accurate and kept up to date;
• be held no longer than is necessary for the stated purpose(s);
• be processed in accordance with the rights of the data subject conferred by the Act;
• be the subject of proper security measures in respect of loss, damage, destruction and unauthorised processing;
• not be transferred outside the European Economic Area, unless the recipient country’s protective measures comply with the EU Data Protection Directive.
Under Section 55 of the DPA it is an offence to knowingly or recklessly obtain, disclose, sell or procure the disclosure of personal data without the consent of the data controller.
In order to ensure compliance with the principles, the ICO has certain enforcement powers. These include: the service of an enforcement notice under Section 40 of the DPA requiring steps to be taken to comply with a specific principle; the service of a deregistration notice cancelling wholly or partly a user’s entry on the Register; and the service of a transfer prohibition notice, preventing the transfer of information overseas if a potential breach of a principle is likely.
Criminal sanctions take the form of fines. For instance, in recent years, a number of law firms have been convicted and fined for failure to notify the ICO of their data processing activities.
Section 55 of the DPA has been extended by the Criminal Justice and Immigration Act 2008 by the insertion of Section 55A, allowing the ICO to serve a monetary penalty notice for any sum up to £500,000 in respect of serious breaches of the DPA principles.
This has been given effect by the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (SI 2010/31) which came into force on 6 April 2010. They prescribe a maximum fine of £500,000 for deliberately or knowingly seriously contravening the data protection principles. They also prescribe the details to be inserted in a notice of intent and a monetary penalty notice.
The Coroners and Justice Act 2009 also confers new powers of inspection upon the ICO and powers to issue assessment notices.
The ICO issued statutory guidance in respect of these powers on 12 January 2010, which can be found at www.ico.gov.uk via the ‘Tools and Resources – Document Library – Data Protection – Practical Application – Detailed Specialist Guide’ links.
Another issue has arisen as a result of widespread publicity surrounding the loss of data, particularly in the public sector. Currently, there is no duty under the DPA to report or disclose a breach of security involving loss of data. This is inconsistent with the legal position in a number of other countries, including EU countries. The UK government has indicated that the issue is under consideration but that it introduces a number of complexities which need to be addressed before any measures can be considered.
However, where a breach arises, the ICO advises that it is good practice to report this if there is likely to be serious loss or damage; the volume of data involved is significant; or sensitive data is involved. The ICO’s Guidance on Data Breach Notification, dated 8 July 2010, details best practice and is complemented by Guidance on Data Breach Management, issued on 27 March 2009, both of which can be found at www.ico.gov.uk via the ‘Good Practice – Data Protection Guidance – Good Practice Notes’ links. The ICO advises that failure to report a breach voluntarily will be taken into account.
In practical terms, a legal duty to report may also arise under a contract, in which case relevant parties should be informed, so that risks are reduced. The parties concerned should be informed of the nature and volume of the data and when and how the breach arose.
Data processing
The collection of data through interactive websites is a potential marketing opportunity. Data may be collected by visitors to a site completing an online information form that asks for certain personal data. Under the first principle, for the processing of personal data to be fair and lawful, at least one of the following conditions must apply:
• the data subject must have given consent;
• processing must be necessary for performing a contract with the data subject;
• processing must be required to perform a legal obligation;
• processing must be necessary to protect the interests of the individual;
• processing must be necessary to perform public functions;
• processing must be necessary to pursue the legitimate interests of the data controller (unless prejudicial to the data subject).
Certain data is categorised as ‘sensitive’ under the DPA. Sensitive data involves the data subject’s racial or ethnic origin, political opinions, religious or other similar beliefs, trade union status, physical or mental health, sexual life, and commission of offences. Sensitive data calls for at least one of the following additional conditions to be met:
• there must be explicit consent by the data subject;
• processing should be necessary to comply with the law in connection with employment;
• processing should be necessary to protect the data subject’s interests where consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain consent;
• processing must be carried out by certain bodies which are not-for-profit and exist for political, trade union, philosophical or religious purposes;
• the data was made public by deliberate action of the data subject;
• processing must be necessary for legal proceedings, legal advice, or exercising the defence of legal rights;
• processing must be necessary for administration of justice or the exercise of any function by government or under an enactment;
• processing is necessary for medical purposes, undertaken by a health professional or an individual owing a comparable duty of confidentiality.
Transborder data
The development of global e-commerce and the establishment of international locations make it increasingly likely that data will be transferred abroad. It is, therefore, important to understand the regulatory provisions governing this activity.
Under principle eight of the DPA, there is a restriction upon the transfer of data to any country outside the European Economic Area, because certain countries are considered not to have adequate data protection measures in place.
Originally, the United States of America was included in this category. Negotiations resulted in the Safe Harbor Principles, under which data may be transferred to an organisation in the United States provided, in broad terms, that:
• the organisation informs the data subject of the reasons for collecting data, to whom data will be disclosed, and the processing controls;
• data subjects have the right to ‘opt out’;
• data will not be transferred to another country, unless it is a Safe Harbor subscriber, subject to the EU Data Protection Directive, or subject to another approved agreement;
• adequate data protection policies are in place regarding disclosure, protection and destruction of information;
• data is processed in accordance with the first principle;
• data subjects have a right of access to the information and to correct errors;
• a complaints and resolution of disputes procedure is published.
In 2001, the European Commission adopted standard clauses for data export, which many companies had already started using when contracting with parties outside the European Economic Area for the export of data. These involve a detailed contract which imposes obligations on the recipient of the data, similar to those under European Union data protection law.
The European Commission has now updated its model clauses for inclusion in contracts provided for the transfer of data overseas. From 15 May 2010, all such contracts should include these model clauses. Details of the Commission’s decision of 5 February 2010 on the standard contractual clauses can be found at www.europa.eu in the EUR-Lex section of the website.
Personal Information Online Code of Practice
On 7 July 2010, the ICO published a code of practice for the handling of personal information online – the Personal Information Online Code of Practice. It contains recommendations for handling personal information and is aimed at helping organisations with an online presence to negotiate areas of legal uncertainty by adopting good practice.
Typical examples of the issues addressed include: collection of individuals’ details through online application forms, creation of visitor profiles by analysing online activity, collection of data for the purposes of marketing, and use of Cloud Computing facilities for processing personal data.
A recent development in EU law has caused concern to business and the professions. A proposal has been advanced that website hosts should obtain the consent of a visitor to the site when downloading ‘cookies’ which involve the visitor’s personal data on to the visitor’s computer. ‘Cookies’ are programs which collect data from website visitors, so that on subsequent visits, the visitor is provided with information and advice tailored to his or her interests.
This proposed legislation was approved on 26 October 2009 and requires member states to ensure that the storage of information or the gaining of access to information already stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent. EU member states have 18 months to incorporate this into legislation.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 came into force on 11 December 2003. In summary, the Regulations:
• require businesses to obtain prior explicit ‘opt-in’ consent before sending unsolicited advertising e-mail to individuals, unless there is an existing relationship;
• require the use of cookies to be brought to a recipient’s attention so they may reject them;
• allow network operators and their partners to provide advertising services provided recipients consent and understand the data protection implications;
• ensure stronger rights for individuals to decide if they wish to be listed in subscriber directories.
By Regulation 30, anyone who has suffered damage through a breach of the regulations has the right to take proceedings against the person responsible for compensation.
Consumer Protection (Distance Selling) Regulations 2000
These regulations govern how contracts performed at a distance should be lawfully undertaken and came into force on 31 October 2000. The substance of the legislation is that consumers or clients must be given information about goods or services offered, receive confirmation after the purchase or supply, and be allowed a cooling-off period of seven working days.
A ‘distance contract’ is a contract for goods or services under an organised sales or service provision scheme at a distance. Certain contracts are exempt from the regulations. A ‘consumer’ is a person who is acting for purposes which are outside their business.
Distance communication is a means of communication that involves the presence of neither party. Schedule I of the regulations specifies these methods in detail and includes e-mail communications. Where a consumer is seen by an organisation for a face-to-face interview, the regulations do not apply. However, where contracts are concluded, for instance, by telephone, e-mail or fax, or by the provision of online legal advice or services delivered by an interactive website, the regulations will apply. The distinction is based upon whether or not a face-to-face meeting has taken place.
Information
Certain information must be given to the consumer prior to conclusion of the contract. This includes, for instance:
• the identity and address of the supplier;
• a description and price of the goods or services and delivery and payment details;
• the existence of a right to cancellation;
• the cost of using the means of distance communication where it is calculated other than at the basic rate;
• the period of validity of any offer;
• the minimum duration of the contract.
By Regulation 8, certain additional written information must be given prior to the conclusion of the contract, and in the case of services, during the performance of the contract.
The requirement for written information to be provided could be fulfilled by e-mail or even via a website, provided the provision was clearly notified before a contract was formed.
Cancellation
Regulation 10 provides for the right of cancellation. The period within which consumers can cancel contracts for services is seven days, or longer if certain information is not provided. An exception arises under Regulation 8(3), where written notice is given to the consumer that the contract cannot be cancelled once performance has begun with the client’s agreement. A cancellation period of three months applies in the event of failure to give notice of the seven-day cancellation period.
Under Regulation 19, services must be provided within 30 days from the date when instructions were given. If there is non-compliance, the consumer must be informed and any sums paid reimbursed, unless the consumer agrees to substitute services or a revised supply date. If the consumer does not agree, the contract is cancelled and any sums paid in advance must be repaid.
The exclusion of visually impaired visitors to inappropriately designed websites could result in legal proceedings against the website owner under the Equality Act 2010. This received the Royal Assent on 8 April 2010 and the main provisions are effective from October 2010 and others in April 2011. Chapter 2 of the Act contains the provisions governing disability discrimination, which codify and replace the Disability Discrimination Act 1995.
The World Wide Web Consortium has developed a set of accessibility guidelines – the Web Content Accessibility Guidelines (WCAG). Version 2.0 was published on 11 December 2008.
This requires website owners, designers and developers to ensure websites comply with certain principles in the context of accessibility – perceivable, operable, understandable and robust. Within these principles are 12 success criteria. Each of the principles is assessed on the levels – level A, level AA and level AAA.
The requirements and standards are technically complex and are supported by documentation offering guidance on implementation. Various surveys conducted in the past have shown that many websites have not complied with even the basic level A standard.
Organisations seeking to comply should refer to the ‘accessibility’ section of the World Wide Web Consortium at www.w3.org.
These regulations came into force on 28 December 2009. They contain a list of compulsory information to be given to clients by most providers of services. Relevant ‘services’ include activities of the professions, among other business activities.
• Regulation 7 addresses the contact details which must be made available.
• Regulation 8 requires certain information to be provided in respect of the organisation’s professional activities, such as registration with a trade or professional body, contractual terms and conditions, the holding of professional indemnity insurance, the main features of the service, and the application of any non-judicial dispute resolution procedures in the contract.
• Regulation 9 provides that making the required information easily accessible is sufficient compliance.
These regulations are complex and detailed and care should be exercised over their implementation.
Section 82 of the Companies Act 2006 provides that a company must comply with any regulations made by the Secretary of State regarding the disclosure of company information in specified locations, which almost certainly include a website.
Failure to provide the information specified may mean that any subsequent action for breach of contract by the company might fail in civil proceedings under Section 83, while Section 84 provides that a criminal offence is committed for which a fine may be imposed.
As commerce and industry extend their activities on a global basis, organisations are routinely expected to respond by offering their services internationally. This could extend to developing countries where there may be no appreciation of jurisdictional issues. Issues of jurisdiction may emerge in the following ways:
• a dissatisfied consumer from abroad may seek legal redress against the organisation for allegedly unsatisfactory advice and services;
• an organisation may collaborate with an international agency for the provision of services which have proved inadequate and give rise to legal remedy;
• legal issues may arise over the direction and receipt of website pages in a foreign jurisdiction.
Jurisdiction is the power of a particular country, through its courts, to hear and adjudicate upon a dispute.
The question of jurisdiction can become confusing. Some years ago, the French courts took action against the American ISP, Yahoo! Inc., when its website made available Nazi memorabilia for auction, in contravention of French law. Yahoo! claimed the French court had no jurisdiction because its site was based in the United States of America. Experts decided that the site could be blocked in France and the French court ordered that steps be taken to make sale of the items impossible to French citizens through its site. This is a typical example of how confusion and uncertainties can arise where different jurisdictions become involved.
The present framework for establishing jurisdiction in the European Community is founded upon the Convention on Jurisdiction and the Enforcement of Judgments in Civil and Commercial Matters 1968 – often referred to as the 1968 Brussels Convention. It contains provisions governing which country has jurisdiction over specific actions at law relating to civil and commercial matters with an international element.
The Civil Jurisdiction and Judgments Act 1982 enacted the provisions of the Brussels Convention in the United Kingdom. If a jurisdiction clause is to be included in a contract, the parties should specify which of the jurisdictions of Scotland, Northern Ireland, or England and Wales should apply. In default, this Act will be applied.
In essence, the Brussels Convention determines the court in which proceedings may be brought by a claimant in one European Union country against a defendant residing in another. The general principle is that a claimant should take legal proceedings in the courts of the member state where the proposed defendant is domiciled, unless there is a ‘jurisdiction’ clause, although certain exceptions arise.
The Regulation on Jurisdiction and the Recognition and Enforcement of Judgments in Civil and Commercial Matters (Regulation 44/2001) – the Brussels Regulation – was adopted on 22 December 2000. This is the principal law in the European Union on jurisdictional issues. It is a complex provision and requires specific reference for professional advice in any circumstances involving its possible application.
It addresses the question of where disputes should be resolved. The Regulation applies to civil and commercial matters and also specifies certain excluded legal proceedings. Individuals domiciled in a member state may, whatever their nationality, be sued in the courts of that member state. Individuals who are not nationals of the member state in which they are domiciled will be governed by the rules of jurisdiction applicable to nationals of that state.
Broadly, a consumer can bring proceedings against a potential defendant either in the consumer’s country or the defendant’s country. However, proceedings can only be taken against a consumer in his or her country.
Parties to a contract may opt to include a provision for jurisdiction should a legal dispute arise, although ultimately the assumption of jurisdiction is a matter for the court. Nevertheless, the inclusion of such a clause will be clear evidence of the parties’ intentions.
The Regulation permits parties to enter into ‘non-exclusive’ jurisdiction agreements to sue or be sued in selected courts.
Professional advice should always be obtained before entering into any contract involving jurisdictional issues.
On 21 April 2009, the European Commission adopted a report and green paper on the function of jurisdictional rules and recognition of foreign judgments. The Commission has decided there is a need for free circulation of judgments in European Union civil and commercial matters, and mutual recognition of judgments among member states. The green paper launched a consultation on a proposed revision of the existing Brussels Regulation, requiring responses by the end of 2009.
Applicable law concerns the law that is applied by any court of jurisdiction. Applicable law was governed by the Rome Convention on Applicable Law 1980, introduced to harmonise the application of legal principles throughout the European Union. In the United Kingdom, it is enacted by the Contracts (Applicable Law) Act 1990. This was changed by the Law Applicable to Contractual Obligations Regulations 2009 (SI 2009/3064), in force from 17 December 2009, and referred to as the Rome I Regulation.
Effectively, the Rome Convention allows virtual freedom of choice to choose which law should apply to a contract. In view of the uncertainty that can arise in respect of an electronic contract, it is sensible for the parties to specify in any contract the law that is to apply in the event of dispute. In the absence of any expression of choice, the court can infer the applicable law from the content of the contract or the circumstances surrounding it. If no such inference can be made, the law to which it is most closely connected governs the contract.
Rome II (Regulation EC No 864/2007) was adopted by the European Union on 11 January 2009 and applies to certain actions (for instance, product liability claims) occurring from 20 August 2007. It creates a set of rules within the European Union to govern the choice of law in civil and commercial matters, subject to certain exclusions, and contains particular provisions for certain specific types of claim. In certain cases, the parties may agree upon the applicable law in proposed proceedings. There has been particular discussion over applicable law in defamation and road traffic cases.
The Rome I Regulation covers contract claims and relates to choice of law in contractual matters. Confusingly, it came into force following Rome II.
In general within the EU, the Rome I Regulation and Brussels Regulation on jurisdiction effectively provide that, in business-to-business contracts containing choice of law and jurisdiction clauses, whatever is agreed by the parties will prevail.
This does not change current practice on clauses. It is only where there is no contract that the legislation applies and, even then, only applies within the European Union. However, many commercial organisations do not conduct business on the basis of written contracts, giving rise to considerable potential for disputes in this area.
Applicable law issues can be extremely complex and professional advice should be obtained before entering into any contract involving questions of applicable law.
Beyond the European Union, there are no universal provisions applicable to the establishment of jurisdiction. Therefore, the laws of each country must be considered in every case. If the parties contract for jurisdiction to be given to the courts of one country, the choice of law for that country will normally be applied, provided the country has a substantial connection with the parties and the contract.
Earlier, various risks were identified that arise from the way that Internet technologies are abused. These are activities or acts of misconduct with the potential to expose both any individual(s) concerned and directors or partners of organisations to civil or criminal liability. This section considers the legal consequences of such activities. An understanding of the misconduct involved enables senior management to specify unacceptable behaviour in an e-mail or Internet use policy.
Defamation may occur either internally, as between employees within an organisation, or externally to third parties. Defamation can most commonly and easily arise from the casual use of e-mail. It is most likely to arise internally from use by employees or from comments posted to newsgroups or social networking sites, but can also arise from statements posted on a website. The global reach and accessibility of websites mean that defamatory material may be posted and accessed anywhere in the world. Liability might, therefore, arise outside the United Kingdom.
An employer may be vicariously liable for the acts of an employee performed in the course of employment, even if performed without the consent or approval of the employer. Careless employee use of e-mail may, therefore, expose the employer to legal proceedings. Even if the employer attempts to avoid liability by showing that the employee concerned was acting on their own, the employer may be caught by the provision that a publisher and editor may be liable for defamatory material.
In Western Provident Association v. Norwich Union Assurance Co (1997), the defendant settled the complainant’s claim for the sum of £450,000 for an allegation in a defamatory e-mail suggesting that the complainant was in financial difficulties.
Defamation may take various forms and may arise quite unexpectedly in purely informal circumstances. For instance, organisations have been known to dismiss employees for allegedly posting unfavourable comments on social networking sites regarding their employers or, in other cases, for posting allegations regarding their working environment or conditions of employment.
The Defamation Act 1996 may provide a defence in ‘Internet’ cases. In broad terms, the defence is available where it can be shown that the defendant:
• is an operator only of equipment and not author, editor or publisher;
• took reasonable care;
• had not caused, or contributed to, publication.
The interpretation of these provisions is being provided by the courts only as proceedings arise so there is no comprehensive guidance currently available. In Godfrey v. Demon Internet (1999), the complainant successfully sued an ISP for failing to remove defamatory comments about the complainant posted on a bulletin board by another party. The ‘Internet’ defence was held not to be available to the ISP, which was considered to have had power to remove the offending material, and, therefore, control over its dissemination.
The case of Bunt v. Tilley and others (2006 EWHC 407 QB), decided that ISPs could avail themselves of this defence, provided they had no notice of the posting of any defamatory material, and if notice had been received, they took reasonable steps to remove it.
However, organisations whose employees post or send defamatory material over the Internet are likely to be ‘publishers’ and may, therefore, have difficulty raising this defence. Evidence that an employer took reasonable care might be the inclusion of some provision regarding such conduct in an e-mail use policy.
In Dow Jones & Co. Inc. v. Gutnick (2002) HCA 56, an Australian court decided that the claimant in an Internet defamation case was not bound to launch proceedings in the jurisdiction in which the defamation originated, nor in the jurisdiction in which they resided. As material on the Internet is available everywhere, it was decided that the claimant could select any jurisdiction.
Various cases in the UK courts have cited this case, and it seems likely that if the case were raised in UK litigation, this principle would be followed.
The general principle surrounding publication of defamatory material is that each act of exposure is potentially actionable. In the case of the Internet, this means that on each occasion the material is accessed, a separate cause of action arises.
In the case of Yousef Jameel v. Dow Jones & Co. Inc. (2005, EWCA Civ 75), it was decided that trivial publication, for instance a few ‘hits’ on a website, was insufficient to bring a claim for damages. In this case, the material was accessed five times.
In the case of social networking sites, the defence may be available, but this implies that the hosts of the site should take reasonable steps to monitor postings for potentially defamatory material. As this seems rather impractical, the more likely position is that hosts should be quick to respond to requests to remove alleged defamatory material (see Godfrey above).
The various ways criminal liability can arise in respect of obscene and offensive material and behaviour was considered earlier. There are several sources of legislation governing this area, together with case law providing interpretation. This consideration focuses on the key legislative provisions.
Obscene Publications Act 1959
This Act makes it an offence to publish or distribute obscene material. It is a criminal offence to display it on a website or despatch such material over the Internet. In practice, prosecutions are brought against the original source of the offence. A defence is available if it can be shown that the accused did not examine the material and had no reason or cause to suspect that publication would lead to liability.
Obscene material
Under the provisions of the Indecent Displays (Control) Act 1981, it is an offence to publicly display indecent material or to cause or permit indecent material to be publicly displayed. A website, with its global accessibility, almost certainly falls within the definition of a public place. Further, the Criminal Justice and Immigration Act 2008 prohibits the holding of certain extreme images.
It is an offence under the Telecommunications Act 1984 for any person or corporate body to send a message that is grossly offensive, indecent or obscene by means of a telecommunications system. There seems no reason why this should not apply to users of the Internet, particularly in respect of e-mails, but there have been no decided cases on the subject to date.
Photographs of children
The possession of indecent images of a child (aged under 16 years) is an offence under the Criminal Justice Act 1988. It is a defence to show that an individual or organisation either did not see the image, or had no knowledge or suspicion that the image was indecent, or that there was a legitimate reason for publishing or distributing the image. It is a further defence to show that the image was not requested nor kept for an unreasonable period.
Typical conduct amounting to sexual discrimination or harassment might include sending internal or external e-mails of an unacceptable nature, or with explicit references to an individual. The offence was originally governed by Section 41 of the Sex Discrimination Act 1975.
It is a defence to show that reasonably practicable steps were actively taken to prevent the harassment. The burden is on the employer to show an attempt to prevent the act in question and harassment generally. Evidence of this may be demonstrated by its inclusion in any Internet or e-mail policy implemented by the employer.
Racially discriminatory or harassing behaviour was originally governed by the Race Relations Act 1976, which contains similar provisions to the Sex Discrimination Act 1975. Additionally, public order legislation makes it a criminal offence to publish threatening, abusive or insulting material intended to stir up racial hatred. Liability can rest upon an employer when it can be shown that the situation was sufficiently within their control. No specific legislation exists to address racial harassment.
Both Acts are codified in the Equality Act 2010 which, for the most part, is in force from October 2010.
Remedy lies through a claim to a tribunal, which has power to award unlimited compensation, including an award for injured feelings.
This is addressed by the provisions of the Digital Economy Act 2010.
In broad terms, the Act addresses certain abuses of the Internet, including infringement of copyright. Fairly draconian powers are included, such as blocking off access to certain Internet locations for those found to infringe copyright persistently. Further, the Act amends the Copyright Designs and Patents Act 1988 by increasing the penalty for infringement (including recordings) to a maximum fine of £50,000.
The Act places a duty on ISPs to monitor their networks and report suspicious customer activity to copyright holders, or face a fine of £250,000 for non-compliance.
Earlier, a number of risks were identified that might arise from the behaviour of employees in the workplace. Internet technologies have features enabling employees’ activity to be monitored. Monitoring and surveillance of employees’ use of e-mail and the Internet introduce some controversial and legally complex issues. A balance must be struck between the entitlement of an employer to expect appropriate behaviour from employees, and the rights of employees to be respected.
Monitoring in the workplace involves two activities: checking the performance of the employee, and checking the behaviour of the employee. The monitoring under consideration is concerned with employee behaviour.
There are four pieces of legislation that have implications for the question of monitoring:
• the DPA;
• the Regulation of Investigatory Powers Act 2000;
• the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000;
• the Human Rights Act 1998.
The DPA was considered earlier. Monitoring activities involve the collection of personal data assembled from surveillance of an individual’s behaviour. Organisations will need to be aware of the implications of the DPA and the potential for exposure to criminal liability.
This section outlines the key legislative provisions in respect of monitoring activities and considers the steps that an employer might reasonably take, both to comply with existing legislation and to observe employee rights.
The Regulation of Investigatory Powers Act 2000 is a measure designed to control the interception (monitoring) of secure (encrypted) messages. Its purpose is to provide the United Kingdom’s law enforcement agencies with power to intercept (Internet) communications. Under this Act, ISPs are obliged in law to allow access to certain messages and to reveal the content of any encrypted messages in a form capable of being understood.
Employers will be primarily concerned with Part I of the Act. This relates to unlawful and unauthorised interception of communications. The Act has a number of implications for the use of secure e-mail communications. Broadly:
• the unauthorised interception of communications on a public telecommunications system is a criminal offence;
• the operator of a private telecommunications system who carries out interception of any communication on a business’s own system can be liable in tort and may be the subject of civil proceedings;
• where the interceptor has reasonable grounds to believe that both the sender and recipient have consented to the interception, the Act permits the interception of communications;
• the Secretary of State has power to make regulations authorising businesses to intercept communications on their own systems without consent for certain purposes.
Enforcement is by warrant issued by the Home Secretary to the police, security services or HM Revenue and Customs. The grounds on which the Home Secretary may authorise a warrant are that it is: in the interests of national security to do so; or justified for the detection of serious crime; or in the economic interests of the United Kingdom to do so.
Organisations encrypting communications data should be aware of Part III of this Act, which came into force in October 2007. This empowers law enforcement officers to gain access to the content of evidence held in computer files even if they have been encrypted. This means that prosecuting authorities may call for the production of cryptographic keys to decrypt data required for prosecutions. Criminal proceedings may follow for failure to produce encryption keys under Part III.
Under the Act, an employer can only intercept communications if there are reasonable grounds to believe that the users have consented; or a warrant has been issued by the Home Secretary; or if the interception is undertaken within the provisions of the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.
Therefore, the basic principle is that interception of communications is prohibited, unless the interception, or monitoring, falls within one of the exempted circumstances, under either the Act itself or the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. It is with the implications of these regulations that employers will be most concerned.
Although an employer’s monitoring of employees’ communications in the workplace is a managerial issue, these Regulations govern an employer’s legal right to monitor employee behaviour.
The Regulations allow employers lawfully to intercept business communications without the consent of an employee in a range of circumstances. All types of communication are covered by the Regulations, so the provisions will include e-mail. In broad terms, the Regulations permit the recording of communications to:
• establish factual evidence;
• monitor compliance with office practice and protocol;
• monitor service and training compliance;
• safeguard national security;
• detect or prevent crime;
• detect or prevent misuse or unauthorised use of telecommunications systems – for example, e-mail;
• maintain the safe and secure operation of the system;
• monitor voluntary and charitable helplines.
The Regulations provide that this conduct is authorised only if there have been all reasonable efforts to inform those using the systems in question that communications may be intercepted.
The Regulations apply only to communications that take place in the course of business on a system provided for use in the course of business. It follows that the interception or monitoring of private communications, e-mails and Internet use is not authorised by the Regulations.
An employer must, therefore, decide whether to permit or prohibit personal use of business communications systems. If an employer permits personal use and wishes to monitor it, the consent of the parties involved must be obtained. Monitoring of private communications at ‘traffic level’ (recording only the identity of the parties to the communication) appears to be permissible; monitoring at ‘content level’ (the actual content of the communication) is not.
If an employer decides to prohibit private use, it should be borne in mind that this might be held to be a breach of an individual’s rights under the Human Rights Act 1998. Although the Act binds public authorities directly, a private-sector employer challenged before an Employment Tribunal or another court will find that the tribunal, itself a public authority under the Act, applies the principles of the Human Rights Act.
The Human Rights Act came into force on 2 October 2000 and incorporates the European Convention on Human Rights. Schedule 1 contains the provision relevant to monitoring – Article 8 of the Convention. This conveys a right to privacy, which includes correspondence. Arguably, this includes ‘correspondence’ in the workplace.
One early case on the subject of the interception of communications was Halford v. United Kingdom (1997) IRLR 471. The European Court of Human Rights found that interception of the claimant’s calls (to her lawyer) from the office was a breach of her rights under Article 8.
In Max Mosley v. News Group Newspapers Ltd. (2008) EWHC 1777 (QB), the High Court awarded the claimant, who was engaged in lawful activities in private when photographed covertly for the News of the World, £60,000 damages and costs for breach of confidentiality and privacy under the Human Rights Act 1998.
In June 2005, the Information Commissioner’s office published the Employment Practices Code. Part III of the Code concerns the monitoring of employees’ use of telephones, e-mail systems and the Internet. This adds to the debate on monitoring by suggesting certain practices that employers should observe when monitoring employee use of e-mail and the Internet.
In respect of monitoring, the core principles are that any monitoring must, of course, be lawful. The employer should undertake an impact assessment looking at the purpose of the monitoring, any adverse impact, any alternatives to monitoring and whether monitoring is justified. Any consent to monitoring must be freely given. In general, the intrusion should be kept to a minimum and there should be a published policy of which all employees must be aware.
The general presumption is that monitoring is intrusive and that employees are entitled to privacy. There must, therefore, be a clear purpose to any monitoring exercise and employees should be informed of its nature and extent.
Any monitoring must be proportionate. This is for the employer to decide. For example, a search of office employees for cigarettes might not be proportionate, but may be so, for instance, in respect of employees working at an oil refinery. Where possible, monitoring of traffic is preferable to monitoring of content, and automated monitoring is considered less intrusive than targeted monitoring.
The Code explains clearly and in detail the obligations of employers in these circumstances. No monitoring exercise should be undertaken without reference to the Code. It is available as a downloadable document from the website of the ICO at www.ico.gov.uk.
This network of legislative, regulatory and codified provisions is confusing. In summary, the Regulation of Investigatory Powers Act, in general, prohibits the interception or monitoring of communications except in closely defined circumstances, for example those described in the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. These Regulations permit monitoring within another set of closely defined circumstances. However, they appear to sit uneasily with the Human Rights Act 1998. In addition, the Employment Practices Code establishes further principles in respect of monitoring.
Organisations would be wise to ensure that well-documented processes and procedures are followed when performing a monitoring exercise, for example:
• any policy or protocol should be in writing – and communicated to all staff;
• the rights and obligations in respect of use of electronic communications and the World Wide Web should be clearly stated;
• prohibited uses and applications should be specifically stated;
• any steps to be taken to monitor staff should be clearly defined;
• any privacy rules to be observed should be clearly stated;
• any disciplinary sanctions for failing to comply with the established policy or protocols should be specified.
In addition to generally applicable statutes, regulations and codes of practice, business professionals should also have regard to codes of conduct and best practice issued by their professional bodies. Comprehensive coverage of the codes of every professional body is beyond the scope of this book but some typical examples are listed below.
Institute of Chartered Accountants in England and Wales
The Members’ Handbook specifies a code of ethics which includes the need to exercise due care and preserve confidentiality in providing services. In particular, certain duties of disclosure are imposed.
Solicitors Regulation Authority
The Solicitors’ Code of Conduct 2007 requires solicitors to preserve client confidentiality and display competent standards of service. In particular, under Rule 5, solicitors’ firms are required to exercise proper standards of supervision, ensure compliance with regulatory requirements and have in place appropriate strategies for the management of risk.
The Law Society is the representative body for solicitors practising in England and Wales. In November 2005, the Law Society published E-mail Guidelines for Solicitors. On 11 September 2008, the Law Society published an Information Security Practice Note for solicitors. Both documents can be found at www.lawsociety.org.uk.
Royal Institution of Chartered Surveyors
This body published Rules of Conduct for Firms on 4 June 2007, which were updated in January 2010. Included in the rules are provisions that members shall avoid situations inconsistent with professional obligations, provide necessary training and perform to required standards of competence.
How such codes are applied is a matter for each professional body, having regard to the facts and law in each case. It should not be overlooked, however, that these codes may be applied to all aspects of professional practice, including the management of Internet risk.
The legal and regulatory provisions described have a number of implications. First, in order to achieve maximum compliance throughout an organisation, it is necessary for the behaviour of everyone in the organisation to be regulated in some way. In this way, the risk of infringement may be minimised, even if it cannot be eliminated. It is unlikely that legal compliance risks can be eliminated entirely because of the uncertainty that tends to surround interpretation of the law.
There is also a need for employees to understand what is expected of them. Employees who have no clear guidance on the standards of professional conduct expected in the workplace cannot be expected to conform to the standards required of them. Lack of authority and absence of clear guidelines are likely to result in a failure to observe appropriate procedures, some of which may be vital to the organisation’s reputation or business function.