Emails and Confidentiality
Posted by: Seanf on 11 February 2009
The following has come under some discussion at work: If a company has a staff email system, do they have a right to block a member's account without warning and read that person's emails? If so, is the company obliged beforehand to inform staff members that they have this right?
Similarly, if the company installs tracking software that monitors staff computer/internet activity, are they obliged to inform staff that it is in use?
Any ideas?
Thanks
Sean
Posted on: 11 February 2009 by Roy T
Sean, do you have a union representative with knowledge of this sort of thing who could offer you advice on this subject? I feel that work contracts / labour law are a bit of a maze and good advice is worth more than its weight in gold or indeed Euros. Failing advice from a union rep, could the Citizens Advice Bureau or equivalent or even some department within the local council be of help?
Hope you get an answer although it may not be the one you are expecting.
Posted on: 11 February 2009 by Huwge
Sean,
if you are in Germany then there are different labour laws and the best thing to do is ask the Betriebsrat, if you have one.
In the past, I have experience where the Betriebsrat has managed to prevent proactive oversight of e-mail and internet use for the German entity of an American concern where such observation was regarded as SOP. This did not make it impossible for the company to do this, but they had to make a case for it. iirc this was coordinated via the Betriebsrat, but not with the knowledge of the individual or team under observation. I think the Company, even in the absence of a Betriebsrat, has to make it clear that general observation occurs, if it occurs. Also, the contract of employment should give the terms of usage of company property, e.g. e-mail account, internet, etc. iirc my old contract explicitly specified that the e-mail account could only be used for company business. Internet usage can be managed, in part, by a firewall preventing employees from accessing popular webmail sites. I know that some staff where I used to work complained about this and got very short shrift, along the lines that they shouldn't be using the internet for private things in the first place. The same response was handed to the person whose bank account details popped up to anyone from the company accessing the generic bank site address. This can't happen nowadays, but it did cause a few sniggers at the time.
If you are in the financial sector then the lack of privacy is par for the course, as is recording / monitoring of snail mail and phone calls - all to prevent insider trading and money laundering, allegedly.
Hope this helps.
If it applies to the UK then either your union or CAB, but don't forget to read the small print in your contract of employment, especially if it refers to an employee behaviour manual.
Huw
Posted on: 11 February 2009 by bon
It is generally assumed that e-mails and internet activity that occurs on work supplied PC's through a company network ARE not to be treated as private. I do believe the company should make this clear in its IT policy document.
My company does allow me to use my business address for 'occasional' messages. I don't do it!
If you must use business emails for personal use, invest in an email encryption tool (e.g. PGP, Pretty Good Privacy, which is a public key encryption system).
A second approach is to ask friends to send e-mails to your personal e-mail address and, if urgent, have them send a 'prompt' message to your business account ('Please read your personal e-mail').
Either of these will prevent personal private data appearing.
Posted on: 11 February 2009 by Seanf
Thanks for the answers so far:
We don't have a Betriebsrat, and there is no company policy on the matter or anything in contracts, just an assumption by management that everyone should assume they can check as they like. Some recent events at work made a few of us wonder how we stand. Maybe we should get in touch with a CAB here.
Sean
Posted on: 11 February 2009 by csl
the real question is, do you really want to work for a place that does any of the above?
Posted on: 11 February 2009 by Huwge
quote:Originally posted by Seanf:
Thanks for the answers so far:
We don't have a Betriebsrat, and there is no company policy on the matter or anything in contracts, just an assumption by management that everyone should assume they can check as they like. Some recent events at work made a few of us wonder how we stand. Maybe we should get in touch with a CAB here.
Sean
Your best bet is to talk to a lawyer that specialises in labour law, they should be easy to find in Berlin. I am not sure of your line of business, but if you have friends in something similar where there is a Betriebsrat, they might be able to give some guidance.
Best,
Huw
Posted on: 11 February 2009 by Exiled Highlander
csl
Turn that around - would you really want to work for a company that had no controls in place and allowed its business systems to be used for the sending or receiving of pornographic/company confidential or other sensitive material?
Most companies have a policy (or should have) outlining acceptable use of business systems for personal use.
Jim
Posted on: 11 February 2009 by Bob McC
I can't believe people would not expect their employer to monitor their use of the employer's systems.
Posted on: 11 February 2009 by Jim Lawson
quote:Originally posted by Seanf:
The following has come under some discussion at work: If a company has a staff email system, do they have a right to block a member's account without warning and read that person's emails? If so, is the company obliged beforehand to inform staff members that they have this right?
Similarly, if the company installs tracking software that monitors staff computer/internet activity, are they obliged to inform staff that it is in use?
Any ideas?
Thanks
Sean
The correct answer is "Yes", to all of the above.
Posted on: 12 February 2009 by csl
jim,
i think there is a profound difference between a company securing sensitive trade secrets and your boss snooping through your private gmail account. if one is forced to forego all rights to privacy while at the work place, i would argue that maybe there is a better place to work.
Posted on: 14 February 2009 by MilesSmiles
My company makes it very clear in our work contract and our privacy & IT policy that the company's e-mail system can and will be monitored and any correspondence on it is property of the company.
I don't have any problem with it. If I want to send something really private I use my private e-mail account.
Posted on: 14 February 2009 by Wolf2
I have a friend who does the same, company computer for company business. Cell and email account for personal stuff. He packs 2 laptops when he travels.
Posted on: 15 February 2009 by Exiled Highlander
csl
I don't think you have any privacy rights when using company computers, running on company LAN's/WAN's, through company gateways, using company software for company work.
Why would you think that anything you do on their systems would be confidential? If they can't check on what you are using the system for how do they know it is secure? What's to stop me downloading company confidential files and then sending them via my "private" email that you claim they shouldn't be able to check while still accepting they have the right to secure their intellectual property.
This doesn't even get into the discussion about doing personal email while being paid to work.
I suspect we aren't going to agree on this one.
Cheers
Jim
Posted on: 16 February 2009 by csl
Jim,
so if your doctor emails you and tells you you have cancer, or the mortgage broker calls and tells you your loan is approved for x, or your wife calls to discuss your divorce, you're fine with the IT guy jotting all that down?
No thanks.
Posted on: 16 February 2009 by Roy T
quote:you're fine with the IT guy jotting all that down?
I expect it is done in a lot of places as a matter of course at the behest of the company lawyers. Now is it examined in real time by a human or stored and examined when something suspicious comes to light is the real question. I expect machine trawling is the tool of choice and only then if something catches the eye of the monitoring system will a human be brought into the loop.
Posted on: 16 February 2009 by Derry
quote:Originally posted by csl:
Jim,
so if your doctor emails you and tells you you have cancer, or the mortgage broker calls and tells you your loan is approved for x, or your wife calls to discuss your divorce, you're fine with the IT guy jotting all that down?
No thanks.
It is your employer's system and they are entitled to monitor the use, or misuse, to which it is put. If you conduct personal business on it, that is your look out.
Cancer, personal loan, child porn...
Posted on: 16 February 2009 by TomK
This is an extract of our ICT Usage Policy which is signed by all staff requiring network access:
"It should be noted that all e-mails transmitted using the College’s facilities are xxxxxx’s business records over which the member of staff does not have rights of privacy or confidentiality. Accordingly, staff should send personal communications, which they wish to remain private, by some other means."
This was checked for legal correctness before publishing and I don't imagine the legal situation in other countries would be that much different. To be honest this seems quite obvious to me. I can't see why anybody would expect anything else.
Posted on: 16 February 2009 by Exiled Highlander
And from our Acceptable Use policy (on Monitoring):
"Use of IT and network resources is monitored and logged in sufficient detail to identify defaulters where this is technically possible. Monitoring and logging is used only to assist investigation of a security breach or suspected unacceptable use, and not for determining the routine nature or contents of personal communications." I signed acceptance of this prior to joining so no surprises for me there.
BTW, if my doctor emailed me to tell me I had cancer or my mortgage broker that I was approved and did this through unencrypted email I would fire both of them for stupidity!
Cheers
Jim
Posted on: 16 February 2009 by Seanf
I have no problem with management having this right, I just think they should be obliged to inform staff of this, without just assuming everyone knows and expects it. Something similar to the last two posters would be adequate I think.
Thanks for all your opinions, I will get back with any developments.
Sean
Posted on: 17 February 2009 by Roy Donaldson
I think you should make the assumption using company PC's, company email and company internet access that there is a possibility that they then would have access to everything transmitted or received via such medium.
Now, how you choose to act depends really on what you are doing and the company culture.
Every IT organisation I have ever worked for has had the ability and inclination to look at all of the above. Now, I use my PC for personal use and browsing Naim websites, sending email to friends is never a problem. Most companies have very little interest, time, to be bothered with this.
However, porn, trade secrets, illegal file sharing are a different matter.
Though, saying that, doesn't stop them looking in my email now and again just to be nosey.
If I cared, I'd use PGP.
Roy.