Whether you see it as an invasion of privacy or a necessary security measure, most HR professionals will have considered monitoring staff emails at some point – so what exactly are you allowed to do?
“There are a number of limitations that apply to the monitoring of an employee's personal emails in the workplace,” says Carl Blake, a senior associate with Simpson Grierson.
“Although an employer may own the computer, facilities and networks that employees use to send emails – both business-related and private – there is no carte blanche right for an employer to covertly monitor and access all such emails.”
According to Blake, employers who access employee emails in the workplace must do so in accordance with the Privacy Act as there is a chance they could see personal information – however, certain contractual provisions can override the legislation.
“If an employee has consented to the monitoring of their emails, and a suitable contractual provision exists in the employee's employment agreement or employer policies that allows such monitoring, then such monitoring may occur without a breach of the Privacy Act,” says Blake.
“Otherwise, any monitoring of an employee's emails in the workplace must be undertaken in accordance with the Act.”
Blake says four of the Act’s 12 principles directly apply to the monitoring of employee emails in the workplace, as follows:
Principle 1 – Personal information may only be collected for a lawful purpose and where the collection of such information is necessary for that purpose.
“Under Principle 1, a review of an employee's emails will be for a ‘lawful purpose’ if the monitoring is to allow the employer to access any business information on the employee's network, or to investigate any genuine and reasonable concerns the employer may have about the employee's behaviour that may be unlawful or in breach of their obligations to their employer,” explains Blake.
Principle 2 – Where an agency collects personal information, it must only be collected from the individual concerned.
Non-compliance with this requirement is permitted in various scenarios, including where an agency believes that a breach is necessary for the conduct of proceedings before any court or tribunal, or compliance is not reasonably practicable.
Another key exception is where compliance would prejudice the purpose of collecting the information, says Blake.
“The Privacy Commissioner has stated that it is not necessary for an employer to collect information directly from an employee where an employer is investigating a potential offence committed by the employee,” he explains.
“The Act recognises that advising an employee that their email is being monitored in relation to the investigation of their behaviour could potentially have an impact on the employee's behaviour in the future, and compliance with the Act would therefore prejudice the purpose of collecting the information,” he continues. “As such, the Act allows the covert collection of information in limited circumstances.”
Blake also points to four guidelines issued by the Privacy Commissioner that could go some way towards helping employers test whether any email monitoring is compliant:
- The purpose of the monitoring must be clearly recorded
- Ensure the information collected is held securely
- The information must only be used for the purposes of the employer's investigation
- Any information collected that is not relevant to the employer's investigation must be disregarded or deleted
Principle 4 – Personal information may not be collected by unlawful, unfair or unreasonably intrusive means.
“There is no clear guidance as to what constitutes unreasonable intrusion upon the personal affairs of the individual under Principle 4 of the Act. However, provided the Principles are complied with, and the guidelines above are followed, an employer would be in a strong position to argue that the covert monitoring of an employee's emails is not unreasonable or unlawful,” says Blake.