We live in a world where our personal details are known to an ever-increasing number of people. Just look at the number of mailshots that land on your doormat every day. Much of this information is obtained and/or used illegally, contravening the Data Protection Act 1998.

The UK's data protection regime is administered by the Information Commission and based on eight principles set out in the act. The Information Commission is issuing guidance on the Data Protection Act in a code of practice. The code sets out employers' rights and recommended practices in relation to the personal data that they hold about staff and customers. Employers must ensure that monitoring of employees complies with the principles set out in the act.

Any surveillance of employees' activities in the workplace must fall into one of the approved categories. Ideally, the employees' acceptance should be obtained first, by getting them to sign the employer's policy on email and Internet use. Monitoring must be for a specific purpose, be "fair and lawful" and not involve the retention of more data than is appropriate. Also, the employer must not retain the data for longer than is necessary to serve the purpose and must do its best to ensure that the data is accurate.

The fifth Principle of the Data Protection Act 1998 states that, "Personal data shall not be kept for longer than is necessary." This begs the question: how long is necessary for data retention? Earlier this year, the Information Commission published the first of a four-part set of guidelines for compliance with the act, entitled Information Commissioner's Employment Practices Data Protection Code Part 1. The publication considers the question of retention of records by employers but does not specify a fixed period after which collected data must be destroyed.

The first part of the guidelines does not consider other types of data retention, such as those relating to customers rather than staff. This is addressed in later instalments

Employers would be well advised to make sure that their Internet and email policy closely follows the code issued by the Information Commissioner. Any departure from the act and code may infringe employees' rights to privacy - which include privacy for correspondence in the workplace, under Article 8 of the Human Rights Act - or otherwise expose the employer to various claims, the most common of which are usually based on alleged discriminatory conduct or, if the employee is dismissed, unfair dismissal.

Employers should remember that where the activities of their employees are illegal, it is nearly always the case that, as employers, they are responsible for the acts and omissions of their staff even if the staff are not acting in accordance with the specific instructions of their employers.

Information commissioner Elizabeth France recently indicated that she intends to step up checks on corporate compliance with the Data Protection Act and will seek harsh penalties against any companies found to be breaching the law.

France also announced that Web sites will be the main target for her enforcement team. Obviously, any companies found to be in breach are likely to receive a lot of bad publicity as well as applicable fines.

Have your say: contact IT Week

About Simon Halberstam

• Simon Halberstam started specialising in IT law in 1991.
• He has worked at Sprecher Grier Halberstam since March 1999 as a partner and head of the firm's Weblaw team, which advises on all areas of IT and e-commerce law.