How to carry out workplace email surveillance


If your business provides corporate email accounts for its staff, you might be tempted to keep tabs on exactly what it is they're using them for. There are numerous problems email surveillance can help with, including thwarting potential phishing attacks, monitoring employee behaviour and catching any data leaks (both accidental and otherwise) before it's too late.

However, if you're going to go poking around in people's private communications, you'll need to do it carefully. Not only is it considered rather impolite, but failing to abide by regulations governing employees' data privacy could land you in some serious hot water with industry watchdogs. Fear not, though; we've answered some of the burning questions to ensure you're surveilling responsibly.

We already use CCTV to enhance our physical security. Shouldn't we also be monitoring employee email to protect data security?

Perhaps, but it's important to be clear about exactly what benefit you hope to bring to the business. You need to be certain that it's worth the likely negative impact on staff morale. Right off the bat you should consider an impact assessment, and give serious thought to alternatives to email snooping.

Why don't I just not tell employees that their email is being monitored? Then there won't be a problem.

There certainly will be a problem if you get caught secretly monitoring communications. There are very few circumstances in which the law would allow you to do this without first telling employees what you're monitoring and why.

Exactly how upfront do I have to be?

You don't need to sit down and talk to each employee individually, but you must make every reasonable effort to alert them to what you're doing. Set out what's being monitored, how long it will be retained, how it will be used and who will have access to it. You must be able to give business-related reasons for monitoring, such as detecting criminal activity or unauthorised personal use of business resources.

The same applies if you want to monitor the web or other online resources - assuming that the equipment and the network connection are provided for work purposes. If employees are using their own hardware, other concerns may apply.

Surely if we disclose everything about our monitoring then that will tip off any employees who might be up to no good?

If the aim of the monitoring is to prevent breaches of trust then surely that's a good thing? However, you're allowed to monitor a specific employee covertly in order to investigate a suspicion of specific criminal activity. You can't go on a fishing expedition, but monitoring without notification is allowable under that rather narrow and limited exclusion.

Alright, I've warned everyone about surveillance. That's that then? Job's a good 'un?

Not quite. You ought to have an acceptable-use policy in place that forms part of everyone's contract of employment and covers what's acceptable online behaviour and what isn't. This policy can also set out the measures that may be taken, including email and web monitoring, so everyone knows where they stand.

What about the employees' right to privacy?

It's about time you asked about that! Everyone has the right to an expectation of privacy, although this is diluted when using work-provided resources. If your surveillance measures include the collection, storage and use of personal information (and it's hard to see how email monitoring would avoid this) then it isn't allowed to be excessive or routine, nor should it be unnecessarily intrusive.

If you cross any of these lines then you could well be in breach of data protection laws, and face a hefty fine from the Information Commissioner. That's why it's vital to do your homework: you should be able to show that you're using surveillance only where there's a clear need to do so, and where less-intrusive measures couldn't be implemented instead.

It all sounds like a legal minefield.

You'll find more guidance in the ICO's Quick Guide to the Employment Practices Code. It's full of useful advice such as "Be particularly careful when monitoring communications, such as emails, that are clearly personal. Avoid wherever possible opening emails, especially those that clearly show they're private or personal. Monitor the message's address or heading only."

Can we be less intrusive by using automated monitoring software?

Automated software is fine for blocking or flagging inappropriate websites, but if you start building a database of everyone's emails then you're in danger of falling foul of the rules on excessive collection of personal data. Often the best solution is to set boundaries that are acceptable to everyone, such as letting employees use the web and access personal email accounts - as long as it doesn't interfere with their work.

The BYOD challenge

When employees access the internet via work-provided computers, your right to monitor them is quite clear-cut. Things become muddier when they bring their own devices to work - but if they're connecting to your corporate network then you can argue that you're monitoring the use of a company resource.

Other considerations also come into play, however. It's important to beef up your network security so you can decide which devices can connect, and how much access they get. You may even insist on installing some sort of Mobile Device Management (MDM) software on the device itself before it's allowed to connect.

This will help prevent outside devices from breaking your acceptable-use policy. You should, of course, also update this to include a section on BYOD that sets out what is and isn't allowed.

Davey Winder
