Last week, I provided some training to a clients HR team on conducting investigations. As we were working through some hypothetical situations, the discussion turned to accessing employees emails. The group knew that their company’s policy addressed accessing the emails of current employees, clearly warning company email is not private and that it could be accessed or monitored by the company. That being said, one individual raised concerns about accessing a recently departed employees emails. She was concerned about who should have access to the email, and for what purpose and time frame the email should be accessed. These were all good questions and ones that your company should give some thought to in advance.
Depending on the circumstances surrounding an employees departure, a review of the departing employees email could reveal important and useful information. For example, you may discover that your departing employee began operating a competing business before he or she left. Alternatively, it could be critical to your ongoing business operations for you to be aware of recent communications with customers, vendors, or even other employees. In order for your business to have the ability to access these emails without inviting a viable invasion of privacy claim, there are a few important steps that your company should take.
First, adopt and disseminate a well-drafted technology policy that clearly outlines that email is not private, and that it can be accessed and monitored by the company with or without notice to the author or recipient of the email. Although your company will generally want to have a good reason for accessing an employees emails, be sure that your written policy doesn’t overly restrict the circumstances under which you can access an employees email.
Second, consider adopting procedures (not to be included in the handbook) for requesting and granting access to a departed employees email. I recommend that those requests be filtered through your HR department and address issues such as: who is requesting access, for what purpose and for what period of time. Consider whether it might be appropriate to have a disinterested individual (not the employees coworker or manager), perhaps someone from HR, do an initial review of the emails to flag those emails that might be relevant. If, for one reason or another, it isn’t practical to have someone from HR do an initial review, then consider limiting who will have access to the emails. Additionally, be sure that the individual reviewing the emails is advised that although the company has the right to review these emails, he or she should treat any personal emails as confidential. For example, if the reviewer reads an email that discloses the former employees HIV status, you want the reviewer to be aware that he or she should not share that information with others. Even though the initial access to the email was proper under the company’s policy, if the individual reviewing the personal email shares that information with others, the company’s policy will do little to protect the individual and the company from a claim of invasion of privacy or infliction of emotional distress. Giving some careful thought to these issues and implementing a policy and procedures in advance can help your company reduce the risk of facing such claims.