Many employers take the position that it is necessary to monitor email and internet usage in order to detect activity that may negatively impact on the company. There is a broad spectrum of activity that an employer may seek to curtail. Such activity may range from disparaging comments about the company, its products or its customers that are made on social media sites to illegal actions, such as the circulation of pornographic material in the workplace.
However, what an employer believes to be necessary may not be permissible.
In fact, across all seven jurisdictions there are at least some limits placed upon the employer’s ability to monitor an employee’s email or internet activity, even though the activity being monitored takes place on company systems.
For example, in Canadian jurisdictions in which privacy legislation exists, an employer may be entitled to monitor an employee’s e-mail and computer usage provided that it does so in a reasonable manner and with a limited impact on the privacy rights of the employee. Federally regulated employees, for example, are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Employers who are subject to PIPEDA must generally ensure that they collect, use and disclose employees' personal information only for purposes that would be considered appropriate by a reasonable person in the circumstances, in addition to obtaining the employees’ consent. (Legislation that is substantially similar to PIPEDA exists in the provinces of Quebec, British Columbia and Alberta and similar considerations would apply to the monitoring of employee email and internet usage in those provinces.)
What is reasonable will generally depend on the purpose for which the monitoring has been undertaken. If the employer is attempting to confirm whether an employee has breached their employment obligations in some manner, reasonableness is more likely to be established. For example, where the employer has become aware that an employee is engaging in workplace harassment by email or through posts on social media sites, it will likely be reasonable that the employee’s email communications and internet activity are monitored.
Whether an employee can assert a privacy interest over their email or internet activity will depend upon whether the employee has a reasonable expectation of privacy when using the computer equipment. An employee’s privacy interest over their email or internet usage will be diminished where they have been advised that their corporate email account may be accessed by the company and where prohibitions have been placed on the personal use of those systems. To that end, a clear policy governing the use of email and internet systems will assist an employer that wants to monitor its employees’ activity whilst on company email and internet systems.
In provinces where there is no privacy legislation, the employer has more latitude to monitor an employee’s email and internet activity. This is as a result of the absence of any statutory limitations on the employer’s right to access the computer provided by the employer. Special considerations may have to be given in the unionised workplace which may have terms and conditions in collective agreements that dictate whether (and how) such activity can be monitored.
In the United Kingdom, the Regulation of Investigatory Powers Act 2000 (RIPA) regulates an employer’s ability to intercept and monitor the emails of its employees on the employer’s computer systems. Monitoring an employee’s emails will be lawful under the RIPA where the employer reasonably believes that the sender and intended recipient have consented to the interception. A clear policy or wording in an employment contract explaining that such interception could take place is likely to be sufficient to demonstrate employee consent.
In the absence of consent, the employer may also be able to rely on the provisions of the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the Regulations) which authorise monitoring without consent in certain specified circumstances including where it is necessary to ensure compliance with regulatory practices; to ensure that standards of service are maintained - e.g. in call centres; to prevent or detect crime; to protect the communications system itself - e.g. to protect against unauthorised use and potential viruses; or to determine the relevance of the communication to the employer's business - e.g. by picking up relevant messages when someone is away from work.
Even when the employer relies on the Regulations, it is expected to make all reasonable efforts to ensure that its employees know that communications may be intercepted and the monitoring must also comply with the provisions of the Data Protection Act 1998.
In South Africa, the Constitution of the Republic of South Africa entrenches an employee’s right to privacy and may in certain circumstances curtail the employer’s ability to access the employee’s private email and internet communications, even where those communications are made on company equipment. This right is, however, not absolute and in terms of the Regulation of Interception of Communications and Provision of Communication Related Information Act of 2002 (RICA), an exception exists where the employer is investigating or detecting the unauthorised use of its telecommunications systems; where the employer must establish the existence of facts related to a workplace investigation; or where the employee has provided his or her consent in writing to the interception. Consent may be obtained through an employment agreement that sets out the employer’s right to monitor email and internet usage on company equipment.
The privacy of the employee is similarly protected in France, where monitoring of email and internet communications on company equipment may be permissible where the monitoring is justified by a legitimate purpose and is carried out in a reasonable manner. However, employees must be given prior notice of the possibility that their internet and email communications may be monitored. This can be achieved through the use of an employment policy.
In addition, the works council of the company and the company’s health and safety committee must be informed and consulted about the monitoring in advance of it taking place.
Notably, in France, where an email is identified as “private” or “personal” by the employee, the employer may not access it. To do otherwise is a criminal offence punishable by monetary penalties and/or the imposition of a jail sentence. However, an employer may seek advance authorisation by a court of the search if it wishes to avoid criminal prosecution. Where an electronic file is identified as “private” or “personal” by the employee, the employer must ask the employee to be present when the employer accesses the item.
In Germany, an employer’s ability to monitor an employee’s internet and email usage will depend upon whether the employee has been permitted to use the employer’s computer system for personal use.
Where employees are permitted to use the company’s email and internet only for business purposes, the employer can monitor the connection data (e.g. date, time, originating and receiving email / IP addresses, size of submitted data, duration of use) and the content of emails and the websites that have been visited to the extent required for certain reasonable purposes. Those purposes include monitoring the employee’s compliance with the rules regarding email and internet use; investigating whether criminal activity has taken place; and maintaining the employer’s electronic systems and protecting its technical devices. Accordingly, an employer would generally be allowed to randomly check the content of websites visited by employees in order to make sure that the employees only use the internet for business purposes; 24-7 surveillance of those systems and a review of email content that is obviously private (e.g. on the basis of the subject) would not be allowed.
By contrast, if an employee is allowed to access the company’s email and internet for both work related and personal use, the employer is not permitted to collect any data about the employee’s use of its systems. The only exception to this general rule is that connection data may be monitored to maintain the electronic systems and protect the company’s technical devices and to assess connection fees as well as – to a certain extent – to investigate the abuse of the employer’s telecommunication system.
In Hong Kong, the Personal Data (Privacy) Ordinance (PDPO) and various codes and guidelines issued by the Privacy Commissioner for Personal Data (e.g. the Privacy Guidelines on Monitoring and Personal Data Privacy at Work (the Monitoring Guidelines)), regulate the employer’s ability to monitor its employees’ email correspondence and internet usage. The Monitoring Guidelines do not have the force of law, but represent best practices that are encouraged by the Privacy Commissioner in that jurisdiction.
The Monitoring Guidelines set out certain factors that an employer should take into account when determining whether the monitoring of email or internet usage is appropriate. These factors include the need to assess the risks that the monitoring seeks to address and the benefits that may be achieved by engaging in the monitoring; the impact on the privacy of the employees; the requirement to consider alternatives to monitoring; and how the employer will comply with its responsibility to implement privacy compliant data management policies when handling employees’ personal data that it obtains as a result of the monitoring.
In accordance with the PDPO, data may only be collected by means that are “fair in the circumstances” and data collection should be kept to an absolute minimum. To that end, employers are generally required to notify their employees that their email and internet usage may be monitored; the purpose for the monitoring and how the monitoring will be carried out.
Despite the foregoing, ‘concealed’ monitoring may be permitted where there is a legitimate rationale to undertake it and where all other options have been considered and appropriately rejected. Much will depend on the individual circumstances of the individual case. For example, ‘concealed’ monitoring may be appropriate where an employer has good reason to suspect theft by an employee and it would impinge on the investigation into the theft if the employee was alerted to the proposed monitoring of his or her email or internet usage.
As in other jurisdictions, an employer should have a policy in place that addresses the possibility that workplace computer systems will be monitored. Given the prohibitions set out above, records should be kept of the employer’s reasons for needing to engage in ‘concealed’ monitoring. In addition, the employer should consider and manage the effect of this form of monitoring on its other employees.
In Australia, the regulation of surveillance of employee use of workplace computer systems is done primarily at state level and so the laws are not uniform. In New South Wales, the Workplace Surveillance Act 2005 (NSW) regulates the overt and covert use of camera, computer and tracking devices in the workplace. In order to lawfully conduct surveillance of email and internet use, the employer will be required to notify the employee in advance of the intended surveillance in such a way that it is reasonable to assume that the employee is aware of and understands the policy. However, in Western Australia, the Surveillance Devices Act 1998 (WA) prohibits the use of listening devices or optical surveillance devices to listen to or observe private activities but does not specifically address an employer monitoring an employee’s use of computer systems. It is recommended that an employer have a policy allowing for employer monitoring of employee use of email and internet clearly setting out what an employer considers to be reasonable use of such systems. Without such a policy it will be difficult to discipline or dismiss an employee for inappropriate use of an employer’s computer system.