Email Archiving Solutions: Illegal Without Employee Consent!

CMS Watch just reported on a recent ruling by the Ninth US Circuit Court of Appeals in San Francisco... essentially, they said that when an employer scanned their archives of old emails, snooping to see if their employees were doing anything naughty, the company violated their Fourth Amendment protections against unreasonable search and seizure.

The ruling makes total sense... CMS Watch thinks the implications could be huge, but I disagree. Frankly, if this ruling stands it only means that employers will now make people sign a form that says this:

I consent to have my email archives scanned by my employer, in order to validate that I adhere to their email policy.

Done and done. If the prospective (or current) employee refuses to sign, then they either have something to hide, or they love liberty, dammit! It's just one more bogus piece of paper that everybody will sign before they can be hired. In previous jobs I had to sign something stating that I promise to abide by their network usage policy... this is just an addendum that says "and we're watching you, sucka!"

Whether that contract will stand up in court is a matter for debate... especially if you use the word "sucka."

Comments

Couldn't agree more - all

Couldn't agree more - all the "rights" in the world don't alter the fact that if an employee wants a job, they'll have to meet the (reasonable) expectations of their employer.

So long as a consent form is signed, and the employer hasn't done anything dodgy with the information they uncover, you'd be hard pressed crying foul for simple archival purposes scanning.

Scanning Email

Don't most corporations already have this policy? I certainly expect none of my corporate email to be private and I think as a general rule people should expect any of their email correspondence (corporate or private) to be considered 'postcard mail'.

most companies have the policy...

BUT... they don't all have a signed consent form. It can be "policy" to give your employees a smack on the forehead every day, but that doesn't mean it's legal ;-)

We've faced these issues in the UK

The whole subject of e-mail monitoring and retention within the United Kingdom is subject to a whole host of conflicting legislation - the Data Protection Act (DPA), Regulation of Investigatory Powers Act (RIPA) and the Human Rights Act (HRA) are the most important.

Effectively, exemptions to the Regulation of Investigatory Powers Act outline that you can monitor employees' email, but the Human Rights Act states that employees have a right to privacy. The Data Protection Act states that you can only retain e-mails for as long as they need processing - that includes compliance with other legislation and protection from civil prosecution.

There is so much confusion that in 2005 the Information Commissioner issued the Employer Practices Code, which lays out what is expected of employers.

The generally accepted way to legally monitor employees' e-mail in the UK is to cover the following key areas:


  • Employers need to ensure that they have a clearly stated email Acceptable Use Policy which states e-mail is corporate property, lays out the monitoring undertaken and defines the retention period. This Acceptable Use Policy must be signed by the user.

  • Employers need to remove the expectation of privacy if they are to perform monitoring. This is normally written into the Acceptable Use Policy by defining why it is technically difficult to separate personal and corporate email.

  • The Acceptable Use Policy must be enforced; it is hard to see a dismissal through if the employee can say they have been victimised during an employee tribunal - enforcing the Acceptable Use Policy for them and not other users would be grounds for unfair dismissal.

  • For e-mail to be considered corporate property, it must be on 'corporate stationery'. This effectively means that all the legally required details for any corporate stationery must be added to the disclaimer.

James

sounds fair...

if your email has a disclaimer at the bottom saying "property of company.com and subject to monitoring", that should make things pretty darn clear.

Unfortunately, that kind of disclaimer can make people nervous and less candid over email, and then use the phone or whispers in a crowded room to do business. Then you don't know what the heck they are doing...
