Let's face it, computer technology is crucial for operating a business these days, but have you considered how the laws around employee privacy rights vs ownership of corporate data held in things like email accounts might affect your business? It's actually really important to understand; if policies are not properly set in advance, you could find yourself losing legal access to data in the event of an employee leaving the company, for example.
In New South Wales, the Act that regulates the surveillance of workplace computer systems is the Workplace Surveillance Act 2005 (NSW). While it deals with obvious biggies like prohibiting employers from using surveillance in bathrooms and change rooms, it also covers the sending and receipt of emails.
In a nutshell, here’s what you need to know:
Assuming the surveillance laws have been adhered to, the technical aspects of accessing ex-employee email accounts depends on which mail platform you’re using:
When a Google mail account is suspended/becomes unlicensed it is marked for deletion in 30 days. After this 30-day period, the account and all its contents is erased by Google and cannot be retrieved. Use the Google Takeout tool before suspending the account to create a copy of all associated content, including emails, to be stored in a separate folder.
With Microsoft 365 (previously O365), the best approach is to turn the account into a shared mailbox before removing the licence. Shared mailboxes don’t require a licence - this means the content of the account is protected from deletion and another employee can be granted access to the email history through their own mailbox. If you don’t go through this conversion and simply unlicence the account then, like Google, Microsoft marks the account for permanent deletion after 30-days.
Notice is required before surveillance and monitoring of email can commence. This notice must be in writing and provided to the employees at least 14 days before the surveillance commences. If surveillance is due to commence less than 14 days after an employee is first employed, they must be given the notice before the employee starts work.
Such a notice should include the following:
In addition to the notice requirements before surveillance can be lawfully conducted, surveillance of a computer, email or workplace internet usage must be carried out in accordance with a workplace policy regarding computer surveillance of the employees at work, and the employees must have been notified in advance about this policy. The employer must be able to reasonably assume that the employees impacted by the policy are both aware of and understand the policy before surveillance can occur.
Minimum inclusions for a successful policy are as follows:
If these policies are in place and notice has been given, record, emails and computers may be accessed in accordance with the workplace policy.
When implementing new policies that could have an impact on the business into the future it is best to work in conjunction with your lawyer and/or HR consultant. For help with the technical aspects of managing email accounts, privacy, data security and backups please get in touch.