Monitoring Employee’s E-mail: An E-privacy Concern

Monitoring employees is a standard practice in many workplaces, although the reasons for monitoring can vary greatly. Some company monitors to protect employees, for example, where they work in hazardous environments, and it is essential to ensure that safe working practices are being followed. Others may be under legal or regulatory obligations to monitor, for example, in the financial services sector. Most companies, however, primarily monitor to check their employees’ performance. Monitoring may also be specifically targeted, for example, to detect misconduct or to ensure compliance with certain company policies and procedures.

According to a most recent investigation involving 406 US and British companies which have more than 1,000 employees (Proofpoint, 2006), over 1/3 of such companies appointed personnel to monitor their employees’ e-mail. Although the advantages to the company may be obvious, the adverse impact of monitoring employees is perhaps less apparent. A company may view employee monitoring as essential to the effective and efficient running of its business. However, if employees are permitted to use telephones, e-mail and Internet for personal use, it may be difficult for companies to draw a distinction between work and private information and activity, and limit monitoring to the former. On the contrary, even though employees may expect and accept the monitoring of their work, monitoring of their private information and activity is likely to be much less welcome.

A company’s failure to consider the adverse impact of monitoring on employees can interfere with, or ultimately destroy, working relationships; it can also amount to a criminal offense. For instance, in May 2005, the former CEO and five other executives of Sonera, the Finnish telecom company, now TeliaSonera, were given fines or between 6 and 10 month suspended sentences by a Finnish court for illegally keeping logs on e-mails and telephone numbers dialed by employees, in an effort to identify who had leaked information about management disputes to mass media (Wugmeister et al. 2005).

Viewing from the protection of e-privacy in the workplace, this article discusses the notion of privacy and e-privacy at first, then examines law governing employee monitoring in various jurisdictions mainly in German, USA, and China as well. Finally, this article provides corporate operators some practical guidance on achieving compliance.

The notion of privacy was first postulated in a Harvard Law Review article (Warren and Brandeis 1890), which described privacy as “the right to be let alone” when they were offended by press coverage of their families, and by “recent inventions and business methods.” It took almost 20 years before the American courts issued judgments which adopted that principle.

Later on in another article (Prosser 1960), four different types of invasions of privacy were pointed out, including:

From an information technology (IT) perspective, a much better definition of privacy has been that of Alan Westin, where he described privacy as: “The claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.” This definition embodies the concept of “fair information practices” which forms the basis for many of the regulatory and voluntary data protection schemes.

In short, “privacy” is not just a matter of what is kept secret. In the context of e-commerce/e-business and e-government, the right to privacy, i.e., e-privacy is really “the right to control the use of personal information” that is disclosed to others.