Employee email privacy regulations - what you need to know

Jul 17, 2020 Tech blog

Let's face it, computer technology is crucial for operating a business these days, but have you considered how the laws around employee privacy rights vs ownership of corporate data held in things like email accounts might affect your business? It's actually really important to understand; if policies are not properly set in advance, you could find yourself losing legal access to data in the event of an employee leaving the company, for example.

In New South Wales, the Act that regulates the surveillance of workplace computer systems is the Workplace Surveillance Act 2005 (NSW). While it deals with obvious biggies like prohibiting employers from using surveillance in bathrooms and change rooms, it also covers the sending and receipt of emails.

In a nutshell, here’s what you need to know:

  • If you as the employer want to be able to access the business email account of any of your employees, whether during an employee’s holiday or after they leave the company, this has to be agreed to in writing by the employee, either in their initial contract or in a separate document with at least 14 days’ notice before the surveillance occurs.

    This means if an employee leaves and you ask us as your IT supplier to provide access to the person’s work email account, we are legally unable to do so unless you can show the correct policy permissions have been in place.

  • These email privacy policies apply to any business email account that uses the employee’s name in the address - for example, sue@companyname.com. If the email address is generic, such as admin@companyname.com or marketing@companyname.com, the same privacy restrictions do not apply.

Retaining email data when an employee leaves

Assuming the surveillance laws have been adhered to, the technical aspects of accessing ex-employee email accounts depend on which mail platform you’re using:


When a Google mail account is suspended or becomes unlicensed, it is marked for deletion in 30 days. After this 30-day period, the account and all its contents are erased by Google and cannot be retrieved. Use the Google Takeout tool before suspending the account to create a copy of all associated content, including emails, to be stored in a separate folder.


With Microsoft 365 (previously O365), the best approach is to turn the account into a shared mailbox before removing the licence. Shared mailboxes don’t require a licence - this means the content of the account is protected from deletion and another employee can be granted access to the email history through their own mailbox. If you don’t go through this conversion and simply unlicense the account then, like Google, Microsoft marks the account for permanent deletion after 30 days.
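The Microsoft 365 sequence described above, sketched as an Exchange Online PowerShell script. This is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed and that the written notice and policy covering access to the mailbox are already on file. The parameter names and addresses are placeholders.

```powershell
# Added example: convert a leaver's mailbox to a shared mailbox and delegate
# access BEFORE the licence is removed, so the mail history is not deleted.
param(
    [Parameter(Mandatory)] [string] $Leaver,    # placeholder, e.g. sue@companyname.com
    [Parameter(Mandatory)] [string] $Delegate,  # employee who needs the email history
    [Parameter(Mandatory)] [string] $AdminUpn   # Exchange administrator sign-in
)

$ErrorActionPreference = 'Stop'
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn

try {
    # Convert only if the mailbox is not already shared.
    $mailbox = Get-Mailbox -Identity $Leaver
    if ($mailbox.RecipientTypeDetails -ne 'SharedMailbox') {
        Set-Mailbox -Identity $Leaver -Type Shared
    }

    # The type change is not always visible immediately; poll until it is.
    $converted = $false
    foreach ($attempt in 1..10) {
        $type = (Get-Mailbox -Identity $Leaver).RecipientTypeDetails
        if ($type -eq 'SharedMailbox') { $converted = $true; break }
        Start-Sleep -Seconds 15
    }
    if (-not $converted) {
        throw "Mailbox $Leaver is still '$type'. Do not remove the licence yet."
    }

    # Grant one named employee access; AutoMapping makes the shared mailbox
    # appear inside their own Outlook profile.
    Add-MailboxPermission -Identity $Leaver -User $Delegate `
        -AccessRights FullAccess -InheritanceType All -AutoMapping $true | Out-Null

    # Record who can now open the mailbox (explicit grants only).
    Get-MailboxPermission -Identity $Leaver |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
        Select-Object User, AccessRights

    Write-Output "Converted $Leaver to a shared mailbox; the licence can now be removed."
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```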

Establishing notice and workplace policies

Notice is required before surveillance and monitoring of email can commence. This notice must be in writing and provided to the employees at least 14 days before the surveillance commences. If surveillance is due to commence less than 14 days after an employee is first employed, they must be given the notice before the employee starts work.

Such a notice should include the following:

  • What kind of surveillance device or system is to be used;
  • The manner in which the surveillance will be conducted;
  • Who will be subject to surveillance;
  • When the surveillance will start and end;
  • Whether the surveillance will be continuous or intermittent;
  • Whether the surveillance will be for a specific period or ongoing; and
  • The purpose for which the employer may use and disclose surveillance records.

In addition to the notice requirements before surveillance can be lawfully conducted, surveillance of a computer, email or workplace internet usage must be carried out in accordance with a workplace policy regarding computer surveillance of the employees at work, and the employees must have been notified in advance about this policy. The employer must be able to reasonably assume that the employees impacted by the policy are both aware of and understand the policy before surveillance can occur.

Minimum inclusions for a successful policy are as follows:

  • What the employer considers to be appropriate and inappropriate use of social media, internet and email systems
  • Prohibition on illegal materials, offensive jokes, photographs and pornography
  • A warning regarding the potential for such material and inappropriate use to be regarded as misconduct
  • A confirmation by the employer that the computer and email communications remain the property of the employer

If these policies are in place and notice has been given, records, emails and computers may be accessed in accordance with the workplace policy.

When implementing new policies that could have an impact on the business into the future, it is best to work in conjunction with your lawyer and/or HR consultant. For help with the technical aspects of managing email accounts, privacy, data security and backups, please get in touch.
