• to protect the company by reducing potential legal liability in respect of claims by employees or third parties
• to protect proprietary or confidential business information from unauthorised access or disclosure to third parties
• to prevent losses (e.g. of data and other proprietary information), errors and mistakes
• to educate employees in the proper use of e-mail and create an awareness of the risks that are associated with conducting business using electronic communication tools in an online environment (for example, the fact that when you surf the Internet, you may be leaving an audit trail that identifies you or your company as the source)

194

• confidentiality of company and customer proprietary information
• security practices
• pre-publication clearance requirements
• monitoring of telephone conversations
• telecommuting
• using company computer equipment at home
• personal use of company telephones, photocopiers, facsimile machines, etc.

• telephones, mobile phones and voice-mail facilities
• e-mail facilities
• fax machines, modems and servers
• computers
• network tools (e.g. Internet browsers and Internet access facilities)

• Do only employees use your systems?
• Do any independent contractors have access to affected systems?
• Do any clients or customers have access?
• Do any employees’ spouses, children or other family members have access?

197

• Absolute prohibitions on personal use of e-mail simply are not realistic (such prohibitions are difficult to police, and widely ignored where they have been imposed).
• Unless the company’s policy does permit and acknowledge the possibility of “personal use”, the policy cannot consistently and
  logically address company inspection and review rights – i.e. if all personal use is flatly prohibited, then no employee would have any possible privacy expectation in any stored material (e.g. computer files or e-mail). Thus, there would be no reason for the policy to
  discuss privacy expectations or inspection criteria, and any such discussion could create internal inconsistencies difficult to reconcile in subsequent litigation.
• Personal e-mail (as distinct from mobile phones or certain other business communications tools) typically imposes very little (if any) additional costs (like traditional postage and transportation do). Most corporate intranets support e-mail exchanges at no incremental cost; many corporate intranets are connected to the Internet via a “gateway” on a fixed-price basis. Again, there is no incremental cost for e-mail (personal or business-related) which is transmitted from the company.

198

• As South Africa becomes more connected, many employees in South Africa are beginning to work in non-traditional locations (e.g. on the road or at home) and at non-traditional times (e.g. outside of normal working hours). If these working activities eat into “personal time”, it may be fair to permit employees to take care of some “personal business” during office hours.

• carries any defamatory, discriminatory or obscene material
• carries sexually explicit messages, images, cartoons or jokes
• carries religious or racial slurs
• is used in connection with any infringement of another person’s (whether natural or legal) intellectual property rights (e.g. copyright)
• may be seen to be insulting, disruptive, offensive to other employees, harmful to company morale
• is used in connection with any attempt to penetrate the computer network or network security of the company, or other companies’ computer systems, or to gain unauthorised access to any other
  person’s computer or e-mail

• an e-mail to a distribution list that includes a non-employee (or even co-employees who do not have a need to know, in the case of some particularly sensitive information)
• posting information to a bulletin board or newsgroup that contains non-employee members
• placing information on a company-controlled intranet³⁴ that has been is-configured and allows access by non-employees
• the temporary collapse of an intranet firewall, permitting temporary access by outsiders (whether or not such access actually occurs)
• posting information to a password-controlled, externally accessible web page (where the password is compromised)
  
• loss of the computer on which the information has been stored (e.g. loss through theft of a notebook computer)
• sale of a used computer (and disk), from which confidential information has not been thoroughly removed
• loss, theft, or improper destruction³⁵ of computer media (e.g. diskettes or CD-ROMs) containing the confidential information

209

• Integrity: It allows the recipient of a digitally signed communication to determine whether the communication was changed after it was digitally signed, i.e. a digital signature provides assurance about the source and integrity of the communication.
• Authenticity: The recipient knows the communication came from the sender because only the sender’s public key will decrypt a digital signature encrypted with the sender’s private key.
• Non-repudiation: Once integrity and authenticity have been established, the sender is prevented from repudiating both the contents of the communication and having sent it.

“in an open and democratic society based on human dignity, equality and freedom, taking into account all relevant factors, including –
(a) the nature of the right;
(b) the importance of the purpose of the limitation;
(c) the nature and extent of the limitation;
(d) the relation between the limitation and its purpose; and
(e) less restrictive means to achieve the purpose.”

Get the Constitution at http://www.polity.org.za/govdocs/constitution/index.html

“Any apparatus, instrument, pole, mast, wire, pipe, pneumatic or other tube, thing or means which is or may be used for or in connection with the sending, conveying, transmitting or receiving of signs, signals, sounds, communications or other information.”

Get the Interception and Monitoring Prohibition Act and recent amendments at http://www.polity.org.za/govdocs/legislation/doclaw.html   Get the South African Law Commission Discussion Paper 78 at http://www.law.wits.ac.za/salc/discussn/discussn.html

• In terms of section 14(d) of the South African Constitution privacy of communications is recognised as a fundamental right.
• Notwithstanding that the Interception and Monitoring Prohibition Act provides that no person shall intentionally and without the knowledge or permission of the dispatcher intercept a communication which has been or is being or is intended to be transmitted by telephone or in any other manner over a telecommunications line, nor is any person entitled to intentionally monitor a conversation by means of a monitoring device, the Witwatersrand Local Division of the High Court has held in the Protea Technology case⁶² that the court nevertheless retains the discretion to admit evidence intercepted in contravention of the provisions of the Act in a civil dispute where to refuse to do so might allow a grave injustice to occur.
• While the position in the United States of America is such that, notwithstanding their strict privacy laws, certain exceptions exist allowing for the interception and monitoring of communications in the employer-employee context within the legitimate business arena, the current position in South Africa is quite different. Pending the proposed legislative reforms to the Monitoring Act put forward by the South African Law Commission (whose recommendations will hopefully be further expanded to cater specifically for legitimate interceptions for business use and prior consent situations), the South African position is at present extremely prohibitive and accordingly more far-reaching in its effect than the American position.⁶³
• The argument moreover which can be raised in the American courts, namely that a differentiation can be drawn between the interception and monitoring of a “live” communication and a “stored” communication, cannot readily be used as a justification for legitimising an interception in South Africa, inasmuch as section 2(1)(a) of the Monitoring Act in its present form provides specifically for the prohibition to intercept the communication which “has been or is being or is intended to be transmitted” (our emphasis).

224

• The only remaining argument which an employer can accordingly put forward in favour of having intercepted or monitored e-mail or other electronic communications of an employee, would possibly be that, notwithstanding the employee’s right to privacy as set out above, the employee has, contractually, waived his/her constitutional rights. This would arise in circumstances where there has been an agreement to adhere to the employer’s policy of use of the e-mail or other electronic facility provided by the employer for business purposes only within the employer’s premises. The waiver of rights is not lightly implied, however, in South African law, and it is therefore unlikely that such a fundamental constitutional right will be deemed to have been implicitly waived by an employee. Rather, where an employee can be shown to have expressly consented to the monitoring or interception of his/her communications the employer will be far more likely to succeed with such an argument. At present, and pending possible judicial reforms in this regard, this would appear to be the only possible legitimisation for the interception, monitoring and use of electronic information against an employee. This underscores the importance of the ECP in the workplace.

• that there was a rule
• that the rule was reasonable
• that the rule had been brought to the attention of the employee

225

• first, whether or not damage has been caused to the employer
• second, whether or not the misconduct has led to the irretrievable breakdown of the relationship between the employer and employee

1. Portions of this chapter contain material from the draft American Bar Association Model Policy on Electronic Communications Policies and the author’s comments on it in terms of the necessary adaptations for use in South Africa by multinational companies based in the United States of America wanting to do business in South Africa. (Back)
2. Another issue is whether a so-called “workplace forum” can compel an employer to discuss the implementation of an ECP, bearing in mind that such a forum can compel an employer to discuss issues such as restructuring the workplace (which includes the introduction of new technology and new work methods), changes in the organisation of work, education and training (employers may have to train employees how to use electronic communications tools).
3. Section 64(4) of the Labour Relations Act 66 of 1995 prevents employers from unilaterally changing terms and conditions of employment. The question is whether an ECP would fall under this category.
4. Section 23 of the Constitution of the Republic of South Africa Act No 108 of 1996
5. Section 23 of the Constitution of the Republic of South Africa Act No 108 of 1996. The right to strike only relates to an “interest dispute”. An “interest dispute” includes a grievance, but excludes any issue where the law allows for arbitration or adjudication (schedule 7 deals with residual unfair labour practices that gives employees the right to go to court). (Back)
6. The existence of “superuser” accounts with systems privileges and the ability to also change all users’ passwords is well known (at least to anyone who has ever forgotten one of their passwords), and also should negate any such possible argument.
7. See discussion: para 2 below
8. Mere issuance of an ECP may erect some legal defences, but certainly will do little to prevent accidental or inadvertent losses. To be truly useful, all ECPs should be broadly distributed to employees, and should be coupled with training and education programmes that illustrate the principles of the ECP and the underlying reasoning.
9. Possession of child pornography is also expressly prohibited under the Act.
10. Section 14(d) of the Constitution of the Republic of South Africa Act No 108 of 1996 (Back)
11. Section 16 (1) of the Constitution of the Republic of South Africa Act No 108 of 1996.
12. In South Africa, defamation is fault based (in the form of intention or negligence) and the principle of strict liability no longer applies to any type of defendant.
13. The British High Court in the March 1999 decision of Laurence Godfrey v Daemon Internet (presently on appeal) stripped ISPs of their “innocent dissemination” defence afforded under the Defamation Act of 1996 and held them to be liable for defamatory material posted through their servers. Most of the cases in the United States revolve around the interpretation of section 230 of the Communications Decency Act of 1996 which was enacted to remove the aspect of self-regulation created by the decision of Stratton Oakmont Inc. v Prodigy Services Company.
14. Publication is the act of conveying an imputation to a person or persons who are not the subject of the defamatory imputation.
15. Usually found in the ISP’s Acceptable Use Policy posted on its web site and incorporated in its subscription agreement concluded with the subscriber. (Back)
16. Section 1A of the Business Protection Act (99 of 1978)
17. Open Democracy Bill (67 of 1998)
18. (95/46/EC)
19. Burchell Principles of Delict (1993) 161
20. Hutchison, Van Heerden, Visser & Van der Merwe Wille’s Principles of South African Law 8 ed (1991) 705 (Back)
21. Verification of electronic “identity” (through use of digital signature, Certificate Authorities, and the like) is beyond the scope of this effort.
22. An electronic agent is no more than a computer program that is designed, selected, or programmed by a party to initiate or respond to electronic messages without being supervised by a human being and is accordingly known as a “bot” or “robot”.
23. The present exchange control measures were introduced by way of the Exchange Control Regulations in 1961 and are governed by the Currency and Exchanges Act (9 of 1933). While the government is committed to a gradual relaxation and eventual abolition of exchange controls, authorised dealers (being those persons to whom the SARB has delegated certain of its powers) may approach the SARB on a case by case basis where the transaction, or the amount, does not fall within the general mandate given by the SARB to authorised dealers.
24. When a company is drafting such a signature, it must ensure that it complies with the provisions of section 50(1)(c) of the Companies Act (61 of 1973) which requires a company to mention its name and registration number in all notices and official publications of the company. (Back)
25. The identity of the sender could be verified if a digital signature was used, or in certain instances where an Internet service provider has e-mail tracking facilities, it might be possible to trace the route of the e-mail thereby identifying the computer which transmitted the e-mail.
26. See discussion above under 22.
27. See http://www.well.com/user/abacard/remail.html for a useful discussion of anonymous remailer systems.
28. See for example TUCOWS (http://tucows.is.co.za) and Strouds Consummate Winsock Apps List (http://cws.Internet.com/index.html).
29. In certain instances so-called “MP3” sound files can be downloaded in their entirety, which is currently a grave cause for concern to artists and their publishers.
30. Section 23 of the Copyright Act 98 of 1978 (Back)
31. Section 3 of the Copyright Act 98 of 1978
32. It is important, however, from a practical viewpoint to understand the difference between a computer virus proper and “virus warnings”, which refer to the existence of a computer virus “doing the rounds” at any point in time, as these warnings are often hoaxes. Two good up-to-date repositories which deal with the latest hoaxes are located at the United States Department of Energy Computer Incident Advisory Capability web site at http://ciac.llnl.gov/ciac/CIACHoaxes.html and the Computer Virus Myths homepage at http://kumite.com/myths/home.htm.
33. The confidential information may be owned by the company, or by other persons (such as the company’s customers or suppliers). In the context of a law firm, it is important to remember that the attorneys and their employees should never make reference to the names of their clients, any unannounced or unpublished details about their clients and their affairs (for example, listings on the Johannesburg Stock Exchange or whom they are negotiating with or litigating against), matters which the firm is working on at any given time, or in general furnish any information in any manner which in any way concerns any of the firm’s clients, the relationship of the firm with those clients and the business of those clients, by using any of the communications tools that are at their disposal. (Back)
34. The term “intranet” is commonly used to refer to World Wide Web facilities that can only be accessed from computers that are within the company’s Internet numbering “domain”. Protected from third-party access (perhaps through security devices called “firewalls”), corporate intranets permit use of standard network access tools (e.g. using the common TCP/IP protocols), such as Netscape’s Navigator or Communicator web browsers (and Microsoft’s Internet Explorer).
35. Simply “deleting” files on a diskette does not destroy the contents of the diskette, and CD-ROMs cannot easily be “erased”. Employees should be educated as to the proper use of “disk-wipe” software programs (or should reformat diskettes), before throwing them into the trash. CD-ROMs with important content should be physically broken, shredded or burned. (Back)
36. Some companies have instituted broad employee security awareness training programmes, supplemented by posters and other reminders, such as:
    * Is your client’s data safely put away?
    * Have you recently changed your passwords?
    * Do you leave your computer running unattended?
    * Is your password-protected screen saver active?
    * Do you regularly back-up critical data?
    * Do you have current software virus protection?
    * Do you use only properly licensed software?
    * Have you destroyed out-of-date CDs and stiffies?
37. See the Johannesburg Stock Exchange Listing Requirements.
38. The Patents Act of 1978 requires that the invention must be new, namely, that it must not have been described sufficiently to enable the invention to be understood, by word of mouth, use, in any printed publication, or in any other way, anywhere in the world before a first application is made for a patent (often referred to as “absolute novelty”).
39. Smedinghoff Online Law (1996) 497 (Back)
40. See also RSA Laboratories FAQs about cryptography at www.rsa.com/rsalabs/faq/.
41. Act 57 of 1968 (as amended)
42. Published in Regulation 888 on 13 May 1994
43. For a useful, current survey of various laws on possession and use of encryption technologies in various countries, see cwis.kub.nl/~frw/people/koops/lawsurvy.htm.
44. In several countries, even domestic “use” of cryptography (at least use for “confidentiality” purposes, if not also for integrity, authorisation and non-repudiation purposes) may be subject to local regulation. Such local regulation may take the form of outright prohibition, or prior “declaration” of an intent to use (e.g. in the case of certain crypto systems in France). Such regulations also may vary depending on the cryptography system employed, the underlying algorithm(s) (e.g., DES, Triple-DES, IDEA, CAST, Skipjack, etc.), and the length of the encryption key (key-length roughly correlates to the “strength” of the crypto system – content that is encrypted with shorter-length keys is generally easier to crack than material encoded with longer-length keys).
45. For an excellent summary of digital signature legislation world-wide, see www.mbc.com/ds_sum.html. (Back)
46. S v Makwanyane 1995 (6) 665 (CC) 104
47. One must also have regard to the courts’ inherent common law discretion to admit evidence, which discretion will be exercised by weighing up the relevance of the evidence against the fundamental right to privacy which has been infringed.
48. Bernstein v Bester NO 1992 (2) SA 751 (CC), Case v Minister of Safety and Security 1996 3 SA 617 (CC); Curtis v Minister of Safety and Security 1996 3 SA 617 (CC) 656­657 (per Didcott J) and 659 F-H per Langa J
49. Case supra 661 E (Back)
50. De Waal The Bill of Rights Handbook 2 ed (1999) 255­256
51. See infra
52. Act 127 of 1992
53. Notwithstanding that the Act was put into operation in 1993, it was only made applicable to the whole territory of the Republic (including the previous TBVC states) on 1 April 1997 when the Justice Laws Rationalisation Act 18 of 1996 came into operation.
54. State v Naidoo (1998) 1 All SA 189 at 213
55. Section 2(1)(a) (Back)
56. Protea Technology Ltd v Wainer [1997] 3 All SA 594
57. The Act does not define “confidential” information. In the Protea case 603, the court remarked as follows:

    “That expression must surely mean such information as the communicator does not intend to disclose to any person other than the person to whom he is speaking and any other person to whom the disclosure of that information is necessary or impliedly to be restricted. I think that there is a distinction between ‘confidential’ information and ‘private’ information.”
58. Supra, 608­609 (a-b):

    “The First Respondent was employed by the Applicants in a position of trust. The telephone conversations were conducted from the Applicants’ business premises within business hours. The Applicants were entitled to require the First Respondent to account for his activities during their time. (In addition the First Respondent was contractually obliged to devote his full attention to the affairs of the group). It may be accepted that, even in this context, and within reason and at the direction of the employer, an employee’s private life is not excluded. Thus he may receive and make calls which have nothing to do with his employer’s business. The employee making such calls has a legitimate expectation of privacy.”
59. The commission is still engaged in its task and the closing date for comments on its proposals was 25 January 1999. (Back)
60. 18 U.S.C., paragraph 2510­2711
61. 480 US 709 (1987). The facts of the case briefly are that in 1981, officials at a hospital, including executive director Dr Dennis O’Connor, suspected improprieties in Dr Ortega’s management of a residency programme. The officials conducted an investigation of Ortega, which included multiple searches of his office and seizure of a number of items. The items were later used in proceedings before the California State Personnel Board to impeach the credibility of witnesses who testified on Dr Ortega’s behalf. The question which presented itself for decision by the court was whether or not the supervisor’s search of the office violated Dr Ortega’s “reasonable expectation of privacy” guaranteed by the Fourth Amendment.
62. Supra (Back)
63. The possible explanation for this position having arisen is that the South African Constitution is modelled predominantly on the Canadian Constitution and not the American Constitution, and that the absolute prohibitions against the invasion of privacy contained in the Canadian Constitution are renowned world-wide for the strictness of their approach.