Investigating misdirection of data, establishing the facts of an employee dispute, understanding the root of poor performance – all reasons to monitor an employee’s work emails.
Before you take a look, check your contractual rights and your lawful basis, and carry out an impact assessment. Damage to reputation, loss of trust, inadmissible evidence, an ICO investigation and fines of 4% of turnover might all be the outcome of getting it wrong.
Think carefully about your reasons for monitoring. If the reason is good enough, you’re likely to have a ‘legitimate business interest’ to do so (but take advice). Generally it’s best not to rely on consent, as it’s easy for the employee to withdraw it. Carry out a separate ‘impact assessment’ to show you’ve considered the potential privacy risks and put measures in place to minimise those risks.
• Contracts – update your lawful basis from consent to the more robust ‘legitimate business interest’
• Policy – set out the circumstances under which monitoring may occur and what you’ll do with any information you find
• Assess the impact – use an impact assessment to ensure monitoring is kept to a minimum and the individual’s privacy rights are balanced with your interests
• Paper trail – document all searches and data retrieved as a result for your audit trail
• Afterwards – follow through on the measures you’ve identified to minimise the impact to the individual