Monitoring / IM Gateway - Legal Implications?

We’ve just enabled the monitoring plugin on Openfire 3.5.2 and are having to change our internal communications policies to include IM, so that people are aware that their conversations are archived and can be accessed under certain circumstances. I believe this is a legal requirement in the UK under the Data Protection Act - but I’m not in the legal field, so I may be wrong. However, what about the IM Gateway? We could have users here (Spark) talking to external people on MSN through the IM Gateway, and the remote MSN user would have no idea that their conversations were being logged, and would have no access to the corporate policy telling them so. The Terms of Service for MSN more than likely says that your conversations are NOT stored, and that person would not necessarily know that the person they’re talking to is chatting on a corporate client and everything is being recorded.

Seems like a bit of a problem to me and I wonder if anyone else has had similar thoughts and if so what did you do to resolve it? There is another thread from a while back that touches on this, but it’s more to do with whether the IM Gateway is actually legal in itself, rather than the implications of using the monitoring plugin with it.

Cheers, Nick

Maybe that’s an obligation of the corporate user to inform his contacts that his conversations could be recorded by a third party. Anyway, this question should be resolved by law authorities, though it’s often pushed to IT guys to judge/care.

In general, at least here in the states… if you’re using property belonging to your employer/school/etc., it’s fairly common knowledge that it’s going to be monitored to one extent or another. I haven’t enabled the gateway for my property because as a general rule, in my opinion – with most industries, employees don’t really have much business chatting with non-employees during work hours. Not to mention a potential security risk with file transfers coming into your network through IM programs from non-secured sources.

It’s not so much users at the company I’m concerned about - there are internal policies in place, they’re available for all to see on the intranet, blah blah blah. It’s those people on the remote end of the gateway, maybe suppliers / business partners (or personal contacts!) who are using public IM services and are not aware in any way that their conversations are being logged by an employee going through some monitoring software! As wroot says, we could just educate our users to inform their contacts of these policies, but I’m not sure that would stand up if we were taken to task for it.

I have our legal department looking into it - the guy there is quite interested in the subject and doesn’t have any personal prejudices, so it’ll be good to see what he comes up with. I’ll post the general results here anyway, might be useful to some UK people.

Cheers, Nick

You could use the MoTD plugin and set a message reminding employees to inform anyone they’re talking to through the gateway that the conversations are being logged.

Anyway, update the post when/if your legal team gets back to you about it, I’m interested to hear what they say.