The vastly increased use of email over the past few decades has transformed the way we communicate at work. This has resulted in the monitoring of emails becoming one of the most common way employers monitor the conduct of their employees. Through storing years’ worth of emails employers have a huge amount of information about their employees available to them. However, this, perhaps surprisingly to some, does not give employers the right to use the information as they please.
Why do employers want to monitor their employees’ emails?
- Employers typically wish to monitor emails for the following reasons:
- Use of improper or offensive language which might result in complaints of harassment or bullying.
- Misuse of confidential information.
- To ensure employees are performing their duties and not, for example, spending inappropriate amount on personal matters or carrying out other business activities.
- To ensure systems are not being exposed to viruses.
By monitoring employees’ emails employers can mitigate the risks associated with its use. However such monitoring must be done in accordance with the applicable legal framework.
What is the law on monitoring employee’s emails?
The relevant legislation governing the monitoring of employee’s emails can be found in three main statutes: The Data Protection Act 1998 (DPA), the Human Rights Act 1998 (HRA) and the Regulation of Investigatory Powers Act 2000 (RIPA).
Monitoring employees’ emails will involve the processing of personal data. Under the DPA, “processing” means obtaining, recording, or holding the data. Whilst the DPA does not itself prevent an employer monitoring emails, the DPA regulates the processing and use by the employer of such personal data. In particular, an employer must be able to show that the processing of personal data by monitoring employees’ emails is justified by one of the criteria set out in the DPA which makes such processing legitimate. Monitoring employees’ emails secretly will be difficult for the employer to justify and should only be used in exceptional circumstances.
Public sector employers have the duty to ensure any monitoring of emails complies with the employee’s right to privacy under the HRA. Similarly, all employers owe a duty of trust and confidence to their employees. As a result, emails which are clearly personal should generally not be opened without very good reason.
The RIPA regulates the interception of emails and requires an employer to have “lawful authority” to intercept emails which have yet to be received by the employee they were sent to. Employers can lawfully intercept emails if they have the consent of both the intended recipient of the email and the sender of the email in question. In addition, an employer will be deemed to have “lawful authority” if their reason for monitoring an employee falls under those listed within the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. Examples of such reasons include monitoring “for the purpose of preventing or detecting crime” or “in the interests of national security.”
The consequences of unlawful monitoring:
Arbitrary actions relating to personal data obtained through the monitoring of employees’ emails can lead to:
- Claims for constructive dismissal (i.e. fundamental breach of the employment contract).
- Claims for compensation.
- An employer not being able to rely on any evidence obtained in court or tribunal proceedings.
- An investigation by the Information Commissioner’s Office if the monitoring of employees’ emails cannot be justified under the DPA.
- Bad publicity for the employer.
What do employees need to be informed of?
- When the email use is monitored.
- Why the email use is being monitored.
- How the information collected will be used.
- Who the information collected will be disclosed to.
Top Tips for employers:
- Consider whether any alternative, less intrusive methods or approaches would be suitable.
- Establish a ‘Use Policy’ for work emails, setting out examples of acceptable and unacceptable usage, how and why monitoring will be carried out and the consequences of a breach of the policy.
- Ensure the ‘Use Policy’ is communicated to all employees. In doing so employers will not only be complying with the necessary legislation but could potentially minimise the risk of inappropriate email use.
- Ensure employees are reminded of the ‘Use Policy’ from time to time through, for example, email updates or training sessions.
- Ensure any existing policies relating to internet use and monitoring of emails reflect current legislation, not least because this is an area of law which is likely to be subject to change in order to reflect technological advances.
- Ensure all information gathered through monitoring is kept safe and security measures are taken against unauthorised or unlawful processing of personal data.
- Ensure all information gathered through monitoring is kept no longer than necessary.