How to carry out workplace email surveillance

Want to monitor employee communications? Davey Winder explains your rights and obligations

Email surveillance

If your business provides corporate email accounts for its staff, you might be tempted to keep tabs on exactly what it is they're using them for. There are numerous problems email surveillance can help with, including thwarting potential phishing attacks, monitoring employee behaviour and catching any data leaks (both accidental and otherwise) before it's too late.

However, if you're going to go poking around in people's private communications, you'll need to do it carefully. Not only is it considered rather impolite, but failing to abide by regulations governing employees' data privacy could land you in some serious hot water with industry watchdogs. Fear not, though; we've answered some of the burning questions to ensure you're surveilling responsibly.

We already use CCTV to enhance our physical security. Shouldn't we also be monitoring employee email to protect data security?

Perhaps, but it's important to be clear about exactly what benefit you hope to bring to the business. You need to be certain that it's worth the likely negative impact on staff morale. Right off the bat you should consider an impact assessment, and give serious thought to alternatives to email snooping.

Why don't I just not tell employees that their email is being monitored? Then there won't be a problem.

There certainly will be a problem if you get caught secretly monitoring communications. There are very few circumstances in which the law would allow you to do this without first telling employees what you're monitoring and why.

Exactly how upfront do I have to be?

You don't need to sit down and talk to each employee individually, but you must make every reasonable effort to alert them to what you're doing. Set out what's being monitored, how long it will be retained, how it will be used and who will have access to it. You must be able to give business-related reasons for monitoring, such as detecting criminal activity or unauthorised personal use of business resources.

The same applies if you want to monitor the web or other online resources - assuming that the equipment and the network connection are provided for work purposes. If employees are using their own hardware, other concerns may apply.

Surely if we disclose everything about our monitoring then that will tip off any employees who might be up to no good?

If the aim of the monitoring is to prevent breaches of trust then surely that's a good thing? However, you're allowed to monitor a specific employee covertly in order to investigate a suspicion of specific criminal activity. You can't go on a fishing expedition, but monitoring without notification is allowable under that rather narrow and limited exclusion.

Alright, I've warned everyone about surveillance. That's that then? Job's a good 'un?

Not quite. You ought to have an acceptable-use policy in place that forms part of everyone's contract of employment and covers what's acceptable online behaviour and what isn't. This policy can also set out the measures that may be taken, including email and web monitoring, so everyone knows where they stand.

What about the employees' right to privacy?

It's about time you asked about that! Everyone has the right to an expectation of privacy, although this is diluted when using work-provided resources. If your surveillance measures include the collection, storage and use of personal information (and it's hard to see how email monitoring would avoid this) then it isn't allowed to be excessive or routine, nor should it be unnecessarily intrusive.

If you cross any of these lines then you could well be in breach of data protection laws, and face a hefty fine from the Information Commissioner. That's why it's vital to do your homework: you should be able to show that you're using surveillance only where there's a clear need to do so; where less-intrusive measures couldn't be implemented instead.

It all sounds like a legal minefield.

You'll find more guidance in the ICO's Quick Guide to the Employment Practices Code. It's full of useful advice such as "Be particularly careful when monitoring communications, such as emails, that are clearly personal. Avoid wherever possible opening emails, especially those that clearly show they're private or personal. Monitor the message's address or heading only."

Can we be less intrusive by using automated monitoring software?

Automated software is fine for blocking or flagging inappropriate websites, but if you start building a database of everyone's emails then you're in danger of falling foul of the rules on excessive collection of personal data. Often the best solution is to set boundaries that are acceptable to everyone, such as letting employees use the web and access personal email accounts - as long as it doesn't interfere with their work.

The BYOD challenge

When employees access the internet via work-provided computers, your right to monitor them is quite clear-cut. Things become muddier when they bring their own devices to work - but if they're connecting to your corporate network then you can argue that you're monitoring the use of a company resource.

Other considerations also come into play, however. It's important to beef up your network security so you can decide which devices can connect, and how much access they get. You may even insist on installing some sort of Mobile Device Management (MDM) software on the device itself before it's allowed to connect.

This will help prevent outside devices from breaking your acceptable-use policy. You should, of course, also update this to include a section on BYOD that sets out what is and isn't allowed.
