ACTIVITIES: NETWORK MONITORING AND INVESTIGATION
Monitoring
Any network operator will need, from time to time, to examine the traffic that is flowing on their network, whether for capacity planning, tracing faults or investigating use or abuse of the network. The law provides for these kinds of activity; however, any work on a communications network must comply with the Human Rights Act 1998 which states that individuals have a right to respect for the privacy of their communications.
Information about the volume or performance of network traffic flows will not normally fall within the Human Rights Act, but if a flow can be associated with an individual person then it will be protected by the Data Protection Act 1998. Any monitoring or investigation that may, whether deliberately or accidentally, reveal the content of packets or messages will also be subject to the Regulation of Investigatory Powers Act 2000. This Act distinguishes between monitoring required for the operation of a service (for example tracing network faults), and monitoring done for business purposes, including the policing of Acceptable Use Policies. Operational monitoring may, in general, be done at any time by the authorised operator of the service. Business monitoring may only be done after users have been notified and for purposes set out in the Lawful Business Practice Regulations associated with the Act. Examples of how these apply to education can be found in articles by the JISC Legal Information Service.
The Human Rights Act further requires that any invasion of privacy must be proportionate to the risk that is being addressed by the monitoring. Any decision to monitor or investigate should therefore include an impact assessment to ensure that it will not cause more harm than good. Codes of Practice on Monitoring at Work (see especially Part 3) have been produced by the Information Commissioner: their provisions are likely to apply to students and other users as well as employees. An Introduction to Monitoring has been written by Eversheds for the JISC Legal Information Service.
It should be noted that network measurement - creating packets or traffic flows and measuring their progress across a network - is unlikely to be affected by any laws on privacy or monitoring.
Investigation
Files on disk are not, in general, covered by the Regulation of Investigatory Powers Act (note that this Act does apply to e-mail messages in mailboxes or queues, and the process described by JISCLegal should normally be used in these cases). However, the rights of their owners under the Human Rights Act must still be respected in any investigation. Where an investigation may result in disciplinary or legal action, extreme care must be taken to preserve computer evidence as this is easily challenged. The Association of Chief Police Officers' Good Practice Guide for Computer Based Electronic Evidence and the US Department of Justice guide to Electronic Crime Scene Investigation are both published. An excellent guide to preparing for forensic investigations is published by IAAC, and CPNI have an introduction to forensic readiness. The JISC Legal Information Service publish an investigation process for desktop computers.
A further problem that has arisen in some investigations is where material is discovered that is unlawful to possess. In the specific case of indecent images of children, section 46 of the Sexual Offences Act 2003 provides legitimate investigators with a defence to the criminal offences of possessing or making such images. The Criminal Justice and Immigration Act 2008 made certain types of extreme adult pornographic image illegal to possess, but also contains a similar defence. As described in a Memorandum of Understanding between the Crown Prosecution Service (CPS) and the Association of Chief Police Officers (ACPO), these defences will be interpreted strictly, so investigators must be sure that they have clear authorisation, and that they document and report their actions to prove their legitimate purpose. JANET(UK) has developed guidelines to help sites comply with the ACPO/CPS Memorandum of Understanding. The Internet Watch Foundation have a helpful best practice guide to assist organisations in dealing with these types of material. (In Scotland, the relevant law is the Protection of Children and Prevention of Sexual Offences (Scotland) Act 2005; however, it is understood that the same best practice would apply.)
Investigating Copyright Complaints
The Digital Economy Act 2010 defines the actions that must be taken by a "Qualifying ISP" if they receive a Copyright Infringement Report that is subject to the Act. Although it is not clear whether JANET customer organisations will be classed as "ISPs" or whether they will qualify for inclusion within the scope of the Act, existing good practice in enforcing the JANET AUP (as set out in our factsheet on Investigating Copyright Complaints) seems likely to fulfil most of the Act's requirements.
Authorisation
A common theme to all these Acts is that anyone performing monitoring or investigation, or handling personal data, must be authorised to do so. Although this is not stated in the Acts, written authorisation seems preferable. This authorisation should include both the powers that the individual may exercise and the procedures preventing abuse of those powers: it is natural for users to be concerned if they know of the power but not the controls on its use.