Electronic Privacy at Workplace

By: Sonny Zulhuda

Introduction

The massive use of internet and other appliances of information and communications technologies (ICT) at the workplace has intensified productivity through intensive communications between employers and employees as well as between a company and external parties including customers, clients, regulators, etc. Most workplace has now installed Internet and email system by which the employees and employers build their networks and communications both internally and externally. Electronic mail, or e-mail, is a boon to office communications. All employees can be notified instantaneously of important office matters. Phone messages can be logged on the computer and sent via e-mail. A message for someone in a meeting can be e-mailed.

However, what most employees fail to realize with respect to e-mail is that:

• They are probably not the only person who has access to their e-mail, despite the password protection;
• Electronic mail, even if deleted from their personal databases, can be saved in numerous forms by the computer’s own internal backup systems, or by the person to whom the e-mail is being sent.

There is arising concern on employees’ email surveillance that has been widely practiced by employers. This practice, while seen important for maintaining ‘due diligence’ of a company, gives rise to questions of intrusion to privacy.

Latest Survey on Email Surveillance

There are so far no figures reported on the email surveillance at the workplace in Malaysia. Nevertheless, a study of this in the U.S. would be very helpful in describing the trend that may arise and challenge us in the future. The American Management Association (AMA) conducts an annual survey of large organizations in the United States to determine the extent to which of these organizations monitor employee communications. The results of the 2001 survey reveal some interesting trends:

• More than three-quarters of major U.S. firms (77.7%) record and review employee communications and activities on the job, including their phone calls, email, Internet connections, and computer files. The figure has doubled since 1997, when first survey of this kind was conducted by AMA.
• The storage and review of employees’ e-mail messages has increased dramatically over the past four years. In 1997, 14.9% of organizations conducted such reviews, while the 2001 survey reveals that 46.5% of organizations do so.
• The number of companies conducting e-mail monitoring has increased significantly faster over the past four years than the number of companies that monitor other forms of communication, such as telephone conversations, voice mail, computer usage and overall telephone use.
• The only employee activities monitored more closely than e-mail communications are Internet use and telephone use. Sixty-two percent of companies monitor Internet use, while 43% monitor telephone use, looking at numbers that are called and time spent on the phone.
• More than 10% of the companies that conduct e-mail monitoring do not inform employees that they do so.
• Companies in the manufacturing and financial services industries, as a category, monitor e-mail with the greatest frequency, the survey found, while nonprofit organizations in the nonprofit sector monitored e-mail less often.

Reasons behind E-mail Monitoring

• Legal compliance

In regulated industries, taping telemarketing activities gives both the company and the consumer some degree of legal protection. Also, electronic recording and storage may be considered part of a company’s “due diligence” in keeping adequate records and files.

• Legal liability

Employees who are unwittingly exposed to offensive graphic material on colleagues’ computer screens may charge a hostile workplace environment.

• Performance review

Customer service and consumer relations personnel are frequently taped as they field calls, and tapes are reviewed with supervisors to evaluate and improve job performance.

• Productivity measures

Net surfing, personal uses of office emails, and/or dialing up numbers expend time and assets on non-business related activities.

• Security concerns

Protecting the value of proprietary corporate information is a primary concern in an age when email and internet connections continue to expand.

Implications

What are the implications of employee e-mail monitoring? For some employees, it will obviously be regarded as an intrusion of privacy. Given the good economy and the difficulty of finding and retaining qualified people, this could pose a problem for some employers. However, e-mail monitoring will likely end up being about as controversial as employee drug testing. The early reaction is anger, followed by compromise on the extent of its use, followed by its adoption as a standard business practice.

Email Surveillance and the PDP Law

By virtue of the proposed law on personal data protection (PDP), email communication can be aptly categorized as personal information by which a living individual can be identified either directly or with the help of other information. There are some practices involving email that falls under the scope of application of the PDP law:

• Email address may constitute a ‘personal data’ as described by the PDP law. The proposed law defines ‘personal data’ as “any information recorded… which relates directly or indirectly to a living individual who is identified or identifiable from that information.”

With this in mind, anyone communicate by email should know that they must not disclose other’s email address without consent or authorization of the data subject. This normally occurs when a person send a message to several persons at different email addresses at one time. In this case, each person will usually receive the message containing the addresses of other recipients. This has somehow constituted disclosure of a personal data of others. And the sender may be made liable under the PDP law.

In the U.S. this incident had once occurred in 2002 (Ely Lili’s case). In this case, the defendant is an online medical service company that regularly emails its customers on the information regarding the way to cure depression. One day one of its employees has sent an e-mail to the all customers revealing others’ email addresses that make them known to every single customer.

This is the subject of the complaint, that such revelation is a breach of the defendant’s own privacy policy protection. And, since the message is in connection with sensitive medical information, even an unintentional disclosure is a breach. As a result, the Company agreed to accept the settlement with the FTC.

• Email has been used by companies as a tool of collecting, processing and transferring personal data from customers, investors or even employees.

The PDP law requires any personal data collected, held, processed or used by a data user shall comply with all the data protection principles as set out in the first schedule of the draft law.

Thus, by virtue of this requirement, anyone who is using email to collect… etc., will need to ensure the nine principles of data protection, as well as preserving the rights of data subjects such as right to access and right to correct the data retained by data user.

• Email is often used for marketing and commercial purposes.

Commercial emails have been one of the most efficient tool relied upon in doing business at this e-commerce era. This is because commercial email can efficiently cut the cost of sending at the shortest time they could have, and it can reach worldwide market.

The problems would arise that many businesses do send their commercial emails without the consent of the target people. This is called unsolicited commercial email (UCE) a.k.a. spamming.The proposed PDP Act requires the marketers to acknowledge their targets that their emails were collected for specific purpose like marketing. And, once the commercial emails are sent, the sender should always notify the recipients that they can always request the sender to cease sending such emails.

Email Policy at Workplace

In summary, it can be noted that the use of email at workplace can give rise to many consequences, be they legal, reputational, or financial. For these reasons, it is suggested that every company or business and government entities should develop their own email and privacy policies. These policies should be written and notified to every individual at the workplace.

Here are some steps that can be taken as guidance:

• Develop company’s policy regarding the email use at the office. This can be done with the help of existing email and privacy policies of different entities, as well as consulting the provisions of law related, especially that of personal data protection law.

• It is useful to develop the policy that specifically prohibits email transactions for personal messages.

• The company may choose to consider monitoring system for the email that will enable the management to bypass the password setup and review employees’ messages in the event the need arises.

• The company is to inform employees of the email procedures in simple policy statement, as follows: “It is the policy of the Company that all electronic mail is for business purposes only and not to be used for personal, private messages of the employees. Furthermore, all electronic mail is considered by the Company to be work-related documentation produced within the course of normal business and may be reviewed at any time.”

• In order to maintain the system’s security, it is best to contract or outsource an outside computer consultant rather than have one of the employees set up the network and email system.

Bibliography:

Abu Bakar Munir & Siti Hajar, Privacy & Data Protection, Sweet & Maxwell Asia, 2002

American Management Association, 2001 AMA Survey on Workplace Monitoring & Surveillance, at www.amanet.org/research/pdfs/ems_short2001.pdf

Federal Trade Commissioner, at http://www.ftc.gov/opa/2002/01/elilily.htm

Frances Lynch, ‘Why your company needs written e-mail policy,’ at http://www.bcbr.com/jun96/mailcol2.htm

Tim McDonald, ‘U.S. Seeks Workplace E-Snooping Limits’, E-Commerce Times, July 21, 2000, at http://www.ecommercetimes.com/perl/story/3839.html