Needs some advice from the STW collective for my little brother. Where do you stand if you find out your employer is monitoring your emails. It doesn’t appear in term and conditions ref monitoring for training purposes etc, not part of any IT/communication policy. Only discovered today through slip up on employers part.

(not an expert)

My stance is that if I’m using my work email address then I won’t write anything I don’t want my employer to read. They have the ability and (presumably) the right to read them.

I’ve always taken the stance that work email exists on work infrastructure (even if located off-site) and they can do with it what they want.

Their email system, they can monitor its use as they see fit IMHO.

I don’t use my work email for personal stuff….

Company email is the property of the company. IANAL but I’m pretty sure they don’t have to tell you if they are checking the contents.

My understanding is that there are basically conflicting laws covering this. Human rights act still gives a right to privacy even if using company equipment and on company time.

iirc what it boils down to is that they cannot routinely monitor emails just because they are a bit nosey, but they can if they have a reason to do so.

My understanding is that there are basically conflicting laws covering this. Human rights act still gives a right to privacy even if using company equipment and on company time.

The Human Rights Act applies only to actions of the state, so unless the employer is the state is irrelevant. It is very unlikely that if the employer is the state that there isn’t a written policy in place. I’m not convinced even then that the HRA precludes a state employer from reading emails sent on their systems anyway.

I think the best policy is just keep your head down. It’s a bit of a grey area. Everyone uses email for personal use but you have to accept it’s not going to be secure and private. Which is a lesson everyone learns the hard way anyway when they reply-all by mistake or send to the wrong address!

also even when accessing email for a legitimate reason, they should not continue reading anything that is clearly of a personal nature.

ie if you are off sick and your company needs to access emails pertaining to a project then they can not read an email that talks about your aunties medical problems.

The Human Rights Act applies only to actions of the state

😯

I’ve always been under the impression that they can do pretty much what they want with your emails, and regardless of whether there are any obscure laws contradicting this, I would estimate that plenty of employers are operating under the same thoughts. I have certainly seen employers monitoring emails before. As such, I’d personally never send or knowingly receive any email that I didn’t want them to see.

http://findlaw.co.uk/law/employment/other_employment_law_topics/500160.html

I’m frequently asked this in work. Basically, privacy is nothing more than an illusion. End of, and don’t assume otherwise. On top of that, expect everything in work to be monitored, be it work email or hotmail accessed on work network etc.

Given email accounts are basically free, why would you use your work email for personal stuff? Much easier to have a personal email which stays with you for life rather than unravelling all your personal stuff every time you change job.

On top of that, expect everything in work to be monitored, be it work email or hotmail accessed on work network etc.

Good luck with your work IT trying to crack SSL, the NSA have a hard enough time trying to.

Don’t understand why you would use a work email for personal stuff anyway? Isn’t that what your personal email is for? I’ve always assumed that as my work email is V8ninety@crapbosses.co.uk, that said crap bosses pretty much own and can look at whatever I write. So, other than the odd amusing but SFW meme to a colleague, it’s just work stuff on there.

. I’ve always taken the stance that work email exists on work infrastructure (even if located off-site) and they can do with it what they want.

+1

My colleagues can all see my diary, my boss can access my remote desktop account.

Seems normal to me.

Personal emails on personal account.

Just spoke to my brother, he’s only uses work email for work related matters and never uses hotmail or similar on the firms network or even on mobile devices he has been issued with.

nealglover thanks for the link, I’ve sent it to him (not to his work email!!!)

It’s a fairly well known medium sized company that operates across the UK.

my boss can access my remote desktop account.

I would be fired if I gave a colleague any access to my named accounts, even my boss.

Like I said footflaps, nothing more than an illusion.

I don’t need to decrypt LAN traffic in order to monitor a staff member’s screen and/or record every keystroke etc etc.

Work in IT Support.

Always assume your boss / HR will read your work emails, it’s only a lack of interest that will stop them. Sometimes they’ll use a type of software that looks for key phrases and words – swear words will almost always red flag but the rest will depend who you work for.

Internet activity is not usually a closely monitored as you might think, small businesses often won’t bother with the expense and the hassle even some simple software that limits access to certain sites and reports back sites accessed and time etc like DNS umbrella is pretty expensive not only for the software but with writing the HR policy.

I personally don’t use my work email for private stuff at all, if nothing else it’s a PITA if you can’t access the mails out of work or you change jobs and you risk losing access to your eBay / Netflix etc. I’ve got an old rocketmail account I’ve had for decades I access via my phone, not that there’s much in there bar spam and notifications of shite I’ve bought from Superstar.

It’s been a long road but the legal aspect now is very simple. An employer is allowed to monitor emails, so long as they tell employees they’re doing it. They’re not allowed to do it surreptitiously.

In answer to the OP – as presented, they’ve broken the law unless they told him and he wasn’t listening.

Good luck with your work IT trying to crack SSL, the NSA have a hard enough time trying to

Irrelevant, we have a tool that intercepts hotmail etc at the browser before the encryption, used to stop data leakage through those sort of accounts. Also deals with data leakage through use of things like drop box…

@Cougar; can they tell the employees as a batch, kind of a tick here to agree that you understand we may well be listening type thing? Or if they intend to monitor do they have to inform the individual at that point?

Pass. But I’d be surprised if it wasn’t the former TBH. Like, at a staff induction.

This could be done in your employment contract or employee handbook, or some other kind of workplace email policy.

Everyone reads their Employee Handbook, yeah?

Probably not, but that’s their own fault if so, they’ve been notified right there and it ticks the legal requirement box.

My point precisely 🙂

Msp – I think the actual phrase is public authority rather than “the state” but it’s the same thing. Obviously the state are involved in many aspects of life like education, welfare, justice, health etc. But normal private sector employers are not bound by the HRA.

But normal private sector employers are not bound by the HRA.

The HRA is about the rights of people, neither state or private entities (including private companies or other people) can infringe those rights.

my last employer used to put embarrassing emails people had sent up on the big screen at the office xmas party!

Our place puts up a set of rules every time you log into your PC – essentially saying “this is our computer, only use it for work as we will be watching all activities”

To be fair there is a secondary wifi network that we can access and use within reason for personal use.

Kind of makes sense – but it was something brought in over time

msp, except that’s not what the legislation says at all. It is quite clear only public authorities are prevented from breaching the convention rights…

If you don’t want to actually read the act then here is a quick summary from a reputable source: http://www.equalityhumanrights.com/your-rights/human-rights/what-are-human-rights/human-rights-act

However if you insist that as a mainstream employer there is anything in the act which directly precludes a private employer from breaching a convention act, then please provide the relevant section.

the HRA is oft misquoted which feeds a frenzy of dislike against it; in reality it just makes it easier to enforce rights we’ve all had for over fifty years.

In answer to the OP – as presented, they’ve broken the law unless they told him and he wasn’t listening.

Our place puts up a set of rules every time you log into your PC – essentially saying “this is our computer, only use it for work as we will be watching all activities”

I’ve been informed in every job and expect it, you could be accepting the IT policy by logging in or when you received your induction or when you got your log on details.

In the end of the day always assume your company has access to what you are doing, it’s the grown up way of dealing with things, if there is stuff you would rather the company don’t see keep it out of work.

Even if its work related, work email can and does get used against people. Never use it for personal email, never send anything in a work capacity without thinking carefully of how it can be used against you in the future, and never press send when you write a rant about someone.

Formal, polite and pure business only.

I’d even go so far as to not use work computers for anything personal, even if others do. Use your phone, or a tablet etc, and not via work wifi. Even activity on bike forums, Facebook etc can be logged, even when accessing the work wifi. “hey, this guy spend all his time on XYZ site”.

Keep work life and personal separate.

However if you insist that as a mainstream employer there is anything in the act which directly precludes a private employer from breaching a convention act, then please provide the relevant section.

OK how about this, I think this section is particularly clear that the rules don’t only apply only to the mechanisms of government, but are about protecting individuals from all entities private and state.

http://www.equalityhumanrights.com/your-rights/human-rights/what-are-human-rights%3F/the-human-rights-act/protection-from-slavery-and-forced-labour

I think your misunderstanding comes from the statement

All public bodies (such as courts, police, local governments, hospitals, publicly funded schools, and others) and other bodies carrying out public functions have to comply with the Convention rights.

Which is rather badly worded and misleading by the inclusion of schools and hospitals, however that does not mean that the HRA only applies to public bodies, but that public bodies are responsible for the “enforcement” of the laws that derive from the act.

As previous, assume everything can be and is monitored. I sat with a client last week who was tracking all employee locations via their company supplied iphones. Think about that next time your replying to emails on a cheeky afternoon ride 🙂

Like I said footflaps, nothing more than an illusion.

I don’t need to decrypt LAN traffic in order to monitor a staff member’s screen and/or record every keystroke etc etc.

Which only works if you have root access to their machine / phone, which isn’t always the case eg you can’t use that to monitor their use of hotmail via their own smartphone etc.

Personally, I wouldn’t work anywhere where I didn’t have full admin rights to my PCs.

as Cougar. employer can monitor, but must advise if they are doing so, ‘if’ the kit is within the UK. if mail is hosted overseas they can do what they like without telling you.
this stuck in my mind because I work for a firm where our mail is hosted in the US.

Taken from another site that explains it well:

The Regulation of Investigatory Powers Act 2000 prohibits intentional “interception” of emails without “lawful authority”. As a general rule, this means employers cannot read an email without the consent of both the sender and recipient.

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 lists a number of exceptions to this general rule, however, which include intercepting business emails to:

ascertain regulatory compliance;
detect unauthorised use; and
prevent/detect criminal activity.

Note, however, these exceptions do not apply to personal emails, which means your employer should take all reasonable measures to avoid opening them — even those sent from a workplace email account.

Your employer should confine itself to looking solely at the address/heading of your business emails unless it is absolutely essential for a valid and defined reason to examine the content (e.g., to prevent a crime). Moreover, to minimise intrusion, employers should as far as practicable utilise automated systems to monitor email.

But as others don’t use work email for private use, if for no other reason you won’t keep your work email address as you move around, and you certainly won’t keep it past retirement even if you only ever intend to work at one place your entire life.

If it’s not private email, assume you are shouting it across the office – if it’s contents would deter you in this context, you shouldn’t send the email. Don’t put it down so that it can be used against you at a later date.

Assume everything you send/write/store on company kit, is processed, logged and kept.