
Can we monitor emails and messages?

Workers base their expectations of privacy on practice as well as policy, so if you tolerate a number of personal calls, you cannot rely on the policy banning personal calls to justify carrying out monitoring.

Expectations of privacy are significantly higher at home or outside the workplace. You should factor this into your DPIA.

Remember, monitoring calls also inevitably involves collecting information about people who make calls to or receive calls from the organisation as well as about workers themselves. These people should be told that monitoring is taking place and why. A recorded message is best practice. Where this is not possible, instruct workers to inform callers that calls may be recorded and to explain the reason why. You may provide the rest of the privacy information (retention periods, individual rights available, any data sharing) by other means – for example, emailing the caller a copy of your privacy notice or providing a link to it on your website. Any information collected is likely to be personal data and could be subject to external access requests, so make sure workers know call recordings may be released to members of the public if requested. Read our guidance on the right of access for information about handling access requests.

As an employer, you might consider monitoring emails and messages sent to and received by work accounts to protect corporate information, for data security (see our guidance on data loss prevention for more information on this), to identify suspicious activity, and to enforce any acceptable usage policies you may have in place.

By messages, we mean instant messages available on some applications, and the chat functions in collaboration tools.

You must be clear about your purpose for monitoring emails and messages and make sure any monitoring is necessary and proportionate to your purpose. Make sure you inform workers of any monitoring.

If you are considering monitoring emails and messages, you should complete a DPIA, as this poses a high risk to workers’ data protection rights and freedoms and is likely to capture special category data. You should complete a DPIA even where this is not obligatory; this is good practice and will help you to assess risk and to plan, then evidence, accountability.

It would be difficult to justify monitoring the content of emails and messages where monitoring network data would meet your purpose. In exceptional circumstances where content is accessed, you must notify workers in advance that content may be monitored in relevant policy documents. Accessing content will not be appropriate unless there is a clear policy in place explaining the circumstances where such monitoring may take place.
