Communicating with staff about email privacy
In the course of an investigation of an alleged cheating incident, Harvard University administrators apparently accessed (without notice) and reviewed the contents of the email inboxes of several resident deans, triggering criticism by the deans and by the public at large.
If you are a law firm manager, are you legally entitled to snoop through staff inboxes? And if you are so entitled, is it ever a good idea?
Most employers are, in fact, legally entitled to access all the information stored on their servers, and most larger employers ensure that employees have notice of this entitlement: usually by setting it out in a privacy, technology, or information management policy. If you do not have such a term in an appropriate workplace policy, you should stop reading now, and go insert one. There are legitimate reasons for reserving yourself this right; facilitating the prompt investigation of employee fraud is at the top of the list.
But presuming you do have the right to snoop through email, and you’ve communicated it in a policy, it’s a good idea from an internal PR perspective to think carefully before exercising your right. One of the criticisms being levelled at the Harvard administration is a proportionality argument: the deans have argued that the intrusiveness of the search was out of proportion to its investigative purpose (to prove that someone had inappropriately forwarded a document). Consider the impact on morale in your office if it were revealed that you searched everyone’s email not because you’d been alerted to a potential fraud, but because you were suspicious that someone had breached internet usage policy by booking a restaurant reservation online.
You would also do well to ensure that before rushing to snoop, you have appropriate procedures in place. For example, you may want to consider carefully whether a search without notice is essential to preserve the evidence you are looking for. You should also conduct as limited a search as possible, for example, searching within a narrow date or time window, searching a limited number of computers, or searching based on specific keywords rather than open-ended snooping. Finally, you should have safeguards in place to protect the privacy of the information accessed, and to maximize discretion. For example, consider who will be permitted to access the information: Would employees feel more comfortable if the individual doing the search were a third party with instructions to provide specific results, for example, “which user authorized a transfer of $8,000 from X to Y on March 22nd?” While you may be of the view that innocent employees should have nothing to hide, consider how you would feel if, for example, your supervisor had just learned the date and time of your colonoscopy appointment. Legal? Probably. But neither necessary, nor nice. It’s worth the time to consider, in advance, how you would proceed (and communicate) if the need to review employee email ever arose.