Appropriate Monitoring of Employee E-mail Accounts
With the use of e-mail, instant messaging and social networking becoming increasingly popular, many employers are beginning to question how they can appropriately supervise employee’s use of technology in the workplace.
The Assistant Privacy Commissioner addressed the complaint of an employee pursuant to the Personal Information Protection and Electronic Documents Act, which alleged that his employer had breached his right to privacy when it accessed his personal e-mail account during a labour dispute. The employee believed that the information gathered by the company was used inappropriately by the employer to support disciplinary actions against him.
The complaint arose after a meeting at which the company presented the complainant with a copy of an e-mail as evidence that the employee had been involved in distributing copyrighted materials owned by the company in an online discussion forum. The company alleged that the employee had posted content belonging to the company without having received authorization to do so.
The company in this case had a corporate security policy in place. The policy stated that any messages sent via e-mail would be considered company records and that the company reserved the right to access and disclose messages sent over its e-mail system for any purpose. The policy further stated that e-mails could be disclosed to law enforcement officials without prior notice to employees. Additionally, the company’s policy declared that e-mail should only be used for business purposes, the use must not interfere with normal business activities, and must not involve non-job-related solicitation.
The Assistant Commissioner determined that the employer had an established policy for acceptable use of e-mail in the workplace and that the policy clearly created an expectation that the employer would consider messages sent using the company’s system as its own records. The policy also clearly stated that the company reserved the right to access and disclose messages.
It was found that the employee had forwarded e-mails from his personal e-mail account to his corporate account. The company explained that information available publicly on the online forum had led it to believe that the person responsible for posting the material was an employee who worked for the company in a certain area, and whose name had the same initials as the complainant. After narrowing their search, the company decided to review the employee’s corporate account which is where it came across supporting evidence.
The Assistant Commissioner concluded that the employer’s collection of the information complied with paragraphs 7(1)(b) and 7(2)(d) of the PIPEDA, which permits collection of information without the consent of the individual for the purposes of investigating a possible breach of an agreement or a contravention of the laws of Canada or a province.
The Assistant Commissioner raised concern that the company’s corporate security policy “may not establish adequate parameters for the monitoring of employee e-mail,” however, it was decided that the company had a justifiable reason to access the employee’s corporate e-mail account as it was investigating a breach of the employee’s employment agreement. The Assistant Commissioner also noted that the company had conducted an external investigation prior to accessing the employee’s corporate account.
This decision highlights the importance of a clear computer use policy which expressly authorizes the employer to monitor an employee’s computer use, including e-mail messages, and which states that the employee has no expectation of privacy with respect to the use of the company’s computer equipment. This policy should also address the use of social media such as Facebook and Twitter during working hours. Further, employers should consider the inclusion of confidentiality clauses in their employment contracts in order to protect its confidential business information against inappropriate disclosure by employees.