Is virus scanning interception?

Richard Clayton richard at highwayman.com
Fri, 12 Jul 2002 19:29:10 +0100 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <AFB26DF151B3D511BB2B009027C2C7A957EAF0@controller1.ukerna.ac
.uk>, Andrew Cormack <A.Cormack@ukerna.ac.uk> writes

>I've just been checking the published draft of the Information
>Commissioner's Code of Practice on Monitoring at Work (from
>http://www.dataprotection.gov.uk/dpr/dpdoc.nsf click on Guidance and Other
>Publications, then Codes of Practice). A side issue in that document, but
>one that has confused me, is the definition of whether an automated
>virus-scanning system necessarily performs interceptions.

It's really important to remember that although the Information
Commissioner's CoP has to stay within the limitations of RIP there's no
need for it to be identical to RIP.

                This confused a lot of people last time round, who
                thought that the IC was just interpreting RIP rather
                than saying "if you do "x+" then you infringe RIP, but
                if you do "x-" then you infringe the DPA"

The RIP answer is that s3(3) says...

        (3) Conduct consisting in the interception of a communication is
        authorised by this section if- 
  
          (a)   it is conduct by or on behalf of a person who provides a
                postal service or a telecommunications service; and 
          (b)   it takes place for purposes connected with the provision
                or operation of that service or with the enforcement, in
                relation to that service, of any enactment relating to
                the use of postal services or telecommunications
                services

so if providing virus scanning is part of the provision of the service
then the provider may do it (either in an automated way, or by
inspecting every email themselves) without infringing RIP.

What the IC is saying is that there may be _more_ legal considerations
involved than just infringing RIP and she is giving guidance on what
those considerations are and how one might avoid unlawful behaviour.

If she does this by mentioning "interception" a lot, then this is
unhelpful, and that might usefully be fixed. But in the end, you should
not expect RIP and the IC's CoP to be identical.

- -- 
richard                                              Richard Clayton

They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety.         Benjamin Franklin

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBPS8f9hfnRQV/feRLEQKVMwCdGBh+EhI/sFfvJPXcyZILTv5m8/gAn2c6
D2POqdkqtQ46n9jpgXwecC0P
=EcTB
-----END PGP SIGNATURE-----