Email monitoring is a necessary evil in the modern workplace. Businesses face an increasing number of cybersecurity threats – ranging from data theft to malicious software – which can slip through the cracks of a poorly monitored communication system.
And while it’s common for IT departments to focus on external attacks, 90% of organisations also recognise they are vulnerable to insider threats, a 2018 report from Cybersecurity Insiders showed.
These threats can come from employees, contractors, partners, and IT personnel who may either deliberately or accidentally commit a breach through email exchanges.
Companies, therefore, have the right to keep a close watch on workplace communications.
It’s no longer a question of whether employers have access to employee emails and chats – but of how and to what extent.
How work emails are monitored
Surveillance is typically done by reviewing server logs and monitoring user activity.
Some employers instruct IT personnel to perform audits manually by pulling up the “history” and, in some cases, even the contents of an individual mailbox. This is mostly done, however, when there is already a suspicious pattern of activity emerging.
Most companies, on the other hand, implement automated software that can do any of the following:
- Measure the total number of outgoing and incoming emails by team member
- Provide administrators and managers with the contents of all emails
- Record the typing, attachment, and opening of messages for visual playback
- Save a copy of all messages and their attachments
- Log keystrokes to determine suspicious activity even while the draft is being composed
- Take screenshots of the user’s email environment
- Send administrators and managers alerts based on the subject, content, sender, and recipient, especially when a user is communicating with external contacts and non-corporate accounts
Email monitoring in the GDPR era
With stricter privacy laws governing personal data collection, use, and storage around the world, however, managers cannot simply snoop on employees’ work emails and chat transcripts without first clearing the parameters of surveillance with their employees.
Under the EU’s General Data Protection Regulation (GDPR), for instance, employers must first follow these steps before they are allowed to monitor employee communication:
- Conduct a data protection impact assessment or DPIA indicating the purpose of the monitoring and whether it is justified; the adverse impact on employees; and whether there are less intrusive methods of achieving the aim.
- Examine and document legal grounds for monitoring employee data in the context of the employer’s legitimate business interests.
- Notify employees that surveillance may be conducted, and clarify the nature and extent of the monitoring, including the possibility of content being accessed.
- Only use the data obtained through surveillance – whose purpose should be specified in the beginning – unless new data emerges that an employer cannot reasonably ignore.
- Safeguard all personal data and permanently destroy it once it is no longer needed. Also, limit the number of people who can access the data and provide them with proper GDPR training.
Email monitoring without prior notice?
Email monitoring is a different scenario in Australia, however. Most states and territories permit employers to access workers’ inbox without prior notice, policy, or agreement.
The employer owns the communication platform, like the rest of the company’s IT system, and can thus survey every access point and every device connected to the network.
Only in New South Wales and the Australian Capital Territory is workplace surveillance regulated. But before monitoring can take place, employers must first:
- Give workers a written notice of surveillance 14 days or less, if agreed, prior to the monitoring.
- Specify in the notice how and when the monitoring will be conducted, including the duration and frequency.
- Ensure the surveillance aligns with workplace policies that have already been communicated to and accepted by the employee.
Employers in the ACT also have to clarify how computer data are logged, who has access to the logs, and how compliance will be audited.
Those who fulfil all of the requirements can proceed with monitoring work emails and chats even without their employees’ knowledge.
Managers should, however, handle the results carefully. If surveillance results will be used as evidence to dismiss an employee, companies in all states and territories should comply with employment law and prove the surveillance clearly follows workplace policies from the start.
Otherwise, the employer will be “staring down the barrel of a claim,” said Vanessa Andersen, partner, and Olivia Hillier, special counsel at Maddocks. The most obvious claim would be unfair dismissal.
“For all employers, the best practice is to have a clear policy about permitted use of work email and computer surveillance. The policy should state that work email is not private and may be monitored,” they said.
Are personal emails off limits?
Workers should remember that a corporate emailing system is meant precisely for business use, and that messages sent and received through it are, by default, scanned by employers for malicious and inappropriate activity.
Legislations, such as Article 8 of the European Convention on Human Rights, uphold a worker’s right to privacy of correspondence, and the provision extends to a certain degree in a professional setting.
But since surveillance – for the purpose of threat detection and productivity checks – may be justified as a means to protect the business, managers can reasonably access work emails and chats.
In some cases, records of email correspondence can be subpoenaed by the courts.
Considering the amount of investment companies make in establishing and securing their IT infrastructure, it only makes sense for employees to treat their corporate mailboxes as a property of the company.
What happens, however, if employees open their personal inbox such as Gmail in the office?
Even if users are accessing personal email, they are still likely to fall within the same monitoring systems that regulate corporate emails if they open their email 1) on a company-issued device or 2) through the company Wi-Fi.
Employers should clearly state in their workplace policies the extent of surveillance they will conduct and provide a valid reason for doing so.