Workplace email policies should take privacy law into account

Q&A

Some recent questions to our Ask an expert service have highlighted the ongoing concern of some businesses about the impact of the federal privacy laws on workplace policies on email use. This issue is considered below.

The federal privacy laws were extended to private industry from 21 December 2001. Helpful guidelines from the Privacy Commission are reproduced below.

Question: Are we in breach of the guidelines if a manager was to go through one of his/her employee's emails without their permission?

Comment: The Office of the Federal Privacy Commissioner has released 'Guidelines on Web Browsing and Email Usage' in the workplace, which would be very useful for you to refer to. They are not legally binding, but it is good company practice to adhere to them. The extracted Guidelines are reproduced at the end of this article.

Employers should have a policy in place that makes it clear that monitoring of e-mail can occur and that the Net is only to be used for business purposes (if this is company policy). Ideally, employees should be reminded of this regularly as reliance on the existence of a policy alone will not be enough in any contested proceedings.


Question - Monitoring staff email: 

  1. Is it lawful to trace an employee's use of the Internet?
  2. Do they have to be advised of it first?
  3. Is there a level of personal email use that is considered excessive? Is offensive material permissible in personal mail?
  4. Are there recognised guidelines for both of these?

Comment: The four questions here seem to depend on the particular workplace policies of the business.

The employer provides the facility so it can make the rules as to its reasonable use. A policy that employees' email may be traced would seem to allow the employer to do so. Advising employees is a good idea. It is simply good staff relations to do so.

Personal email can be limited as directed by the employer.

Offensive material in personal email that is not disseminated could amount to harassment or possibly criminal offences and consequently employers can put themselves in a difficult position if they monitor and fail to act. A policy saying 'no offensive material' would seem reasonable.


Privacy Commission Guidelines

Extracts from 'Guidelines on Workplace E-mail, Web Browsing and Privacy'

Privacy expectations in the workplace

It is clear that most staff do not expect to completely sacrifice their privacy while at work. Their organisation may provide them with an office, a locker or filing cabinet to which they possess keys and also access to the computer network including storage space for their files. Typically their access to the network and computer systems will be by password control. They may be encouraged or required to use non-obvious passwords and to change them frequently.

Their personal password gives them access to their files, e-mail account and to web browsing. This may give the impression that no-one can access their files or monitor their activities on the network. Some staff may not be aware that system administrators are usually able to access everything on the network. …

Guidelines

The following Guidelines are provided to assist organisations to develop policies or improve their existing policies.

  1. The policy should be promulgated to staff and management should ensure that it is known and understood by staff. Ideally the policy should be linked from a screen that the user sees when they log on to the network.

    Consultation with staff may also be useful. A consultative process can engender an understanding by management of the sorts of legitimate activities staff are using e-mail and web browsing for and increase the understanding by staff of the possible risk to the organisation associated with improper e-mail and Internet use.

  2. The policy should be explicit as to what activities are permitted and forbidden.

    While it is for each organisation to determine what it considers to be appropriate usage of its system, to simply say that all activity must be "work-related" may not be clear. There may be scope for guidelines outlining what personal use of e-mail, both within the organisation and externally, to other organisations, is appropriate. Other activities may be specifically prohibited, eg. the use of e-mail to harass, flame (to send abusive e-mail) or defame or disclose information, or to transmit pornography.

    The issue of appropriate usage may be harder to define in respect to web browsing. It may not be possible to tell if a web page is relevant until it has been read. The operation of web search engines can result in surprising and irrelevant search results. Links on websites may also be misleading. Discussion with staff on the issue of work related web use might help to clarify this issue. Where an organisation determines that usage is to be work related only, it should clearly spell out what it considers to be work-related.

    The policy should refer to any relevant legislation. In the Commonwealth public sector this would include the Privacy Act, the Archives Act, the Freedom of Information Act, the Crimes Act, the Public Service Act, Regulations and the Australian Public Service (APS) Code of Conduct. APS Regulations provide that employees must use Commonwealth resources in a proper manner and behave in a way that upholds the APS values and the integrity and good reputation of the APS. For more information on the Public Service Act 1999 please visit the Public Service and Merit Protection Commission website.

    The Sex, Race and Disability Discrimination Acts and workplace relations law apply in both the public and private sectors. In particular, employers (please refer to the 'Employers' page on the Human Rights and Equal Opportunity Commission website) should be aware of their obligations under these acts to protect their employees against sexual harassment, racial vilification and other forms of unlawful discrimination which could occur through e-mail and Internet use. The corporations law may also be relevant as well as state and territory statutes.

  3. The policy should clearly set out what information is logged and who in the organisation has rights to access the logs and content of staff e-mail and browsing activities.

    Staff e-mail boxes will normally contain the e-mails they have sent and received. Back-ups and archives may also contain copies of e-mails that have been deleted by the user. As well as the actual content of messages, the date and time the message was transmitted, received and opened and the e-mail addresses of the sender and recipients will normally be recorded.

    With web browsing the URLs (Uniform Resource Locators or website addresses) of sites visited, the date and time they were visited and the duration of site visits may be logged. Normally, access rights to staff mail boxes and logs would be restricted to those with the responsibility for administering the system. Such access should be as limited as possible and who has access rights should be clearly set out in the policy. The policy should outline in what circumstances IT staff can legitimately access staff e-mails and browsing logs.

    The policy should also indicate, in general terms, under what circumstances an organisation will disclose the contents of e-mails and logs. Many organisations will only do this on the production of a legal authority.

  4. The policy should refer to the organisation's computer security policy. Improper use of e-mail may pose a threat to system security, the privacy of staff and others and the legal liability of the organisation.
  5. The policy should outline, in plain English, how the organisation intends to monitor or audit staff compliance with its rules relating to acceptable usage of e-mail and web browsing.
  6. The policy should be reviewed on a regular basis in order to keep up with the accelerating development of the Internet and Information Technology. The policy should be re-issued whenever significant change is made. This would help to reinforce the message to staff.
