August is Employment Privacy month
There is no question that one of the most used methods of communication nowadays is email. However, there are rules around the use of business email vs. personal email.
And it gets more complicated: some personal correspondence can be mixed with business emails, including – for example – family-related activities, doctor appointments, teacher conferences, and lawyer or bank appointments.
Businesses typically allow a reasonable amount of email communication and internet browsing for occasional personal purposes, but that creates complications in the event the employee leaves, lodges a complaint about their privacy being invaded, or is dismissed.
A recent case brought to the attention of the Canadian privacy regulator in Saskatchewan involved a power plant employee whose computer-based electronic communications were legitimately monitored for security reasons. Upon logging in, the employee was greeted by the following message: “This computer system including all related equipment is provided only for authorized use, by authorized users. Continuation beyond this logon is acknowledgement that you understand the policy and consent to abide by all terms of the policy. Users have NO expectation of privacy on this system, or any other related equipment, networked device or storage. Unauthorized use of the system is prohibited and may be subject to disciplinary, civil and/or criminal penalties which may include referral to law enforcement. By using this system and any related equipment, you are deemed to consent to being monitored, and to abide by all SaskPower policies and standards.”
In the case of email, organizations cannot expect that employees will never use their business email for personal issues, however rare these occurrences may be. Employees do have certain privacy rights in their use of technology, and those have been made official by many privacy regulators:
- Personal emails and occasional browsing are permitted as long as the time spent does not interfere with conducting the effective and timely business activities set out in the employee's role description
- Codes of Conduct are frequently a good mechanism to enforce employer rules, but these are not absolute
- Acceptable Use of Technology Policies should explain the acceptable use of email and email etiquette – setting expectations for how email should be used, its tone, and the dos and don'ts
- Employees should accept that traffic analysis and tech support may need to review any files, including emails, for troubleshooting and for verifying that no security vulnerabilities are introduced
One last but very important topic is the use of email for recruitment and employee onboarding purposes. Many organizations' HR departments email the selected candidate and ask for sensitive documents to be sent in return via the candidate's personal email: Yahoo, Hotmail, Gmail – to name the most popular ones. We were all made aware of the massive Yahoo breach, which also lowered the company valuation while it was in the midst of its sale. Sensitive personal information has no place being transmitted in clear text, with no encryption, via freely available email. In addition, should this unverified inbound email contain malware, it may infect the network of the organization receiving it. Human Resources has to be very transparent with IT, Info Security and the Privacy Office and find secure ways of collecting candidates' personal information, until such information is securely housed and protected in HR systems.
Managed Privacy Canada has helped many clients navigate the very complex operations of talent recruitment and management with secure and privacy-respectful processes and technical solutions.
Your employment agency or your HR department can benefit from this expertise by opting to adopt the MPC Practical Privacy Playbook™ – available this month only at a discounted price. Review our social media posts for the discount code or contact us:
Email: [email protected]