I’ve been doing a bit of work to assemble some information on the issue and cut through some of the assumptions that are made.
I should make it clear that I am not a lawyer, and that even if I was, I wouldn’t be your lawyer, so seek advice if you are unsure or feel that your circumstances are unusual. This article is intended more as a common-sense guide to the main issues. I should also make it clear that I am talking about the situation in the UK only.
There is a (mistaken) view in some quarters that if an employee does something on a work computer then the employer ‘owns’ the data and therefore has an automatic right to read it. In Europe, there is clear case law (derived from article 8 of the European Convention on Human Rights) that allows an employee a degree of privacy – even when using company systems to send personal communication – and especially if they haven’t been told that monitoring may take place (and therefore have a greater expectation of privacy that might lead them to be less cautious about what they say).
Needless to say – there are grey areas. There is no one single clear statute that sorts it all out for us! Instead, you have to navigate the interactions of:
- Human Rights Act 1998,
- The Data Protection Act 1998,
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000,
- Regulation of Investigatory Powers Act 2000 (RIPA)
As an employer, you do NOT have an absolute right to read an employees’ personal emails. In fact RIPA now actually makes it a criminal offence to intercept (i.e. read) emails without ‘lawful authority’ (yes, even when you own the email system on which the communication is taking place).
‘Lawful authority’ in this case basically falls into two groups:
- The permission of the sender and recipient
- An assortment of specific activities such as prevention of crime, ensuring regulatory compliance, etc.
Note that the second group only appears to apply to business-related communications, so it is not a carte blanche to intercept personal emails – you’d need to be able to justify your actions.
In essence – if you want the option to intercept employees’ personal emails – you categorically need their permission – most likely in the form of a clause in their employment contract and/or a clearly worded ‘internet use policy’ that states that personal communications may be subject to monitoring. In the absence of that permission, you will leave yourself open to legal action.
Decide, as a matter of principle, if you are happy for your staff to use the firm’s systems for personal communication at all.
Decide if this means they can use the firm’s email system, or if you prefer them to use personal email addresses via web-mail systems like Hotmail. (Pro: dodgy personal emails aren’t emblazoned with your company’s name. Con: web mail won’t go through your central email filters, so it could be a source of viruses.)
Once the decision has been taken to permit personal use – then it all comes down to the practical aspects of constructing the policy and communicating it to employees. There are lots of examples out there, so I won’t go through the chapter and verse, but I will suggest a few points for consideration:
- Clearly state that all messages in and out of the system MAY be subject to monitoring, and WHY (compliance, reputational risk to the firm, etc.)
- Remind users that emails may be archived for extended periods of time on servers, backup tapes, and the like – even if they have been deleted from the user’s own desktop software.
- Point out that using web-mail systems may result in some content being stored in temporary folders on desktop PCs or on the firm’s internet firewall. This could include logon information such as passwords.
At the end of the day, you need to make it clear that if your employees are THAT concerned about their privacy, then they shouldn’t use the firm’s IT systems. They can then make informed decisions on the level of risk they are taking.
One approach I have seen recommended is to establish a clear protocol for personal messages – so that if, for example, you need to access an employee’s mail while they are away or off sick – you can distinguish work from personal without actually opening the message. Ask employees to put ‘PERSONAL’ in the subject line of the email, for example, or get them to create rules in Outlook that move all incoming personal messages to a separate folder. You may also want to ask that staff use a different signature when composing personal emails (excluding mention of their job title or other corporate branding).
As a final point: if you do allow personal email traffic, then once it’s on your systems it becomes your responsibility to protect it under the Data Protection Act – make sure that access to staff emails is suitably protected so that the messages can be accessed only with a valid reason.
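To show what the ‘PERSONAL’ subject-line protocol and the access-with-a-valid-reason point look like in practice, here is an added example (my own illustration, not code from the original post or from any product): it triages a set of raw messages using headers only, so bodies are never read, and refuses to log an access without a stated reason. The sample messages and the `[PERSONAL]` / reply-prefix handling are my assumptions.

```python
"""Added example: header-only triage so an absent employee's work mail can be
located without opening anything tagged PERSONAL, plus a minimal access record."""
import re
from email import policy
from email.parser import BytesParser

# Assumed tag convention: PERSONAL (optionally in brackets) at the start of the
# subject; Re:/Fw:/Fwd: prefixes are tolerated so whole threads stay classified.
PERSONAL_SUBJECT = re.compile(r"^(?:\s*(?:re|fw|fwd)\s*:)*\s*\[?personal\]?\b", re.I)


def is_personal(subject):
    """True when the subject carries the agreed PERSONAL marker."""
    return bool(PERSONAL_SUBJECT.match(subject or ""))


def triage(raw_messages):
    """Split raw RFC 5322 messages into (work, personal) lists of
    (Message-ID, From, Subject). headersonly=True stops the parser at the
    header block, so message bodies are neither parsed nor returned."""
    parser = BytesParser(policy=policy.default)
    work, personal = [], []
    for raw in raw_messages:
        hdr = parser.parsebytes(raw, headersonly=True)
        entry = (str(hdr["Message-ID"]), str(hdr["From"]), str(hdr["Subject"]))
        (personal if is_personal(entry[2]) else work).append(entry)
    return work, personal


def access_record(actor, message_id, reason):
    """Audit entry for opening a message. An empty reason is refused, matching
    the post's point that staff mail is accessed only with a valid reason."""
    if not reason or not reason.strip():
        raise ValueError("a documented reason is required to open a message")
    return {"actor": actor, "message_id": message_id, "reason": reason.strip()}


# Constructed sample messages (not real traffic), used only for the demo below.
SAMPLE = [
    b"Message-ID: <1@example.test>\r\nFrom: client@example.test\r\n"
    b"Subject: Contract renewal\r\n\r\nPlease send the signed copy.\r\n",
    b"Message-ID: <2@example.test>\r\nFrom: friend@example.test\r\n"
    b"Subject: PERSONAL dinner on Friday?\r\n\r\nPrivate content.\r\n",
    b"Message-ID: <3@example.test>\r\nFrom: friend@example.test\r\n"
    b"Subject: Re: [PERSONAL] dinner on Friday?\r\n\r\nPrivate content.\r\n",
]

if __name__ == "__main__":
    work, personal = triage(SAMPLE)
    print("work:", [m[0] for m in work], "personal:", [m[0] for m in personal])
    print(access_record("line-manager", work[0][0], "staff member off sick; client deadline"))
```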