Formulating A Company Policy on Access to and Use and Disclosure of Electronic Mail on Company Computer Systems

A White Paper Prepared by David R. Johnson and John Podesta for the Electronic Mail Association

October 22, 1990

I. Introduction

The Electronic Mail Association has requested the preparation of this White Paper as a means of helping companies to decide what policies they would adopt with respect to access to and use and disclosure of electronic mail sent and received by their employees on company electronic mail systems.

There is no single, simple answer to the policy questions relating to company electronic mail privacy. Appropriate company policy will differ depending on the needs of the company, the reasonable expectations of employees, the rights of outsiders, and a balancing of various complex interests. The only policy that can be vigorously endorsed for virtually all circumstances is this: A company should have a policy with regard to protection of its employees' privacy and it should tell employees what that policy is.

Most employers should establish privacy policies that deal with all media of communication used by employees, rather than singling out electronic mail as if it posed some unique threat to employee privacy. The rise of electronic mail as an increasingly popular means of doing business presents all companies using this new medium with an opportunity to think through employee privacy protection in general and with a fresh view. While electronic mail has a few novel features that raise new issues, the basic principles involved in selecting a company privacy policy are not new. Electronic mail may, in fact, be more private than many more traditional means of communication or than paper files. And we are certain that enlightened companies will consider the impact on employee morale of respecting reasonable privacy interests, as well as an employer's undoubted right to gain access to the messages sent on its behalf by its employee agents.
In order to facilitate a company's review of the issues and selection of a policy, we have outlined in this White Paper some of the key background issues, various alternative policies that might be adopted, and various criteria and procedures that could be used to evaluate and implement a policy that strikes an appropriate balance.

II. Background

Many different people have a stake in the establishment of a reasonable policy governing access to and disclosure of company electronic mail. The employer must ultimately control the use of its computer resources and must have access to its own business records, of course, but it also has a stake in establishing a secure workplace and an environment that respects employee rights. Employees want some privacy but they also want the employer to be able to cope with business matters in their absence. Third parties may have rights to access certain company records and to have some types of communications protected. Law enforcement officials may have certain needs for access and for certainty regarding who can give consent for access. Everyone using an electronic mail system has a stake in maintaining its security, preserving its operational status, and preventing its use for illegal purposes.

Few legal principles set forth mandatory minimum baselines for either protection of employee privacy or for guaranteed access to company records by outsiders. The Electronic Communications Privacy Act, passed in 1986, was designed primarily to deal with the privacy of communications sent over systems used by the public (and with the threat of unauthorized access by outsiders). The Act does not address in detail the status of messages sent by employees on behalf of their employer -- at least with regard to key questions such as whether the employer can insist that the employee consent to access and disclosure by the employer.
Some states may guarantee minimum privacy rights, but what expectations of privacy are reasonable in the workplace is neither clear nor, in general, mandated by law. The one principle most likely to gain consensus and legal support is that employers should not misrepresent their policies -- and have an affirmative obligation to disclose what those policies are.

Electronic mail is not the only medium of communication that raises privacy questions. But it does provide a good opportunity to think through the extent to which an employee may reasonably expect that access to files and messages by other employees of the employer should be constrained in various ways. Electronic mail is somewhat more permanent in nature than a conversation over the phone or in the hallway. It is less formal than written memoranda. It may be sent to groups of people and may be readily forwarded to others. It may stay around in storage for a long time, even after the recipient has indicated a desire to delete it. It may include as attachments documents that form a critical part of an employer's business. Or it may constitute a clearly private message that does not even concern the employer's interests.

The most complex policy issues posed by electronic mail concern whether an employee pursuing company business has a right to expect the company to obtain the employee's consent before accessing or disclosing the contents of company files that are normally under that employee's control. The separate question whether employees have the right to use company electronic mail systems to send personal messages, and to expect that such messages will not intentionally be accessed by the employer, is a somewhat different question -- more akin to the question whether an employer has the right to restrict the making of private phone calls, or to inspect all employees' purses (and somewhat easier to answer in any given context).

Employees may not leave all expectations of privacy behind when they go to work.
But the communications they make on behalf of their employer are clearly subject to certain requirements that simply do not apply to personal phone conversations undertaken from home. The resulting balancing act can be constrained in useful ways. Particular sets of policies can be articulated for different work environments, depending on the relative intensity of the employer's need for access to (or to make disclosure of) the information, the extent of any invasion of reasonable expectations of privacy on the part of the employee, the degree to which either employer or employee could have satisfied its needs by less intrusive (or less demanding) means, and the degree to which close questions are thought appropriately to be called in one direction or another or to be resolved by special procedures.

The basic criteria for evaluating any given policy are, at a general level, quite general and straightforward. Does the policy comply with law and with duties to third parties? Does the policy unnecessarily compromise the interests of the employee, the employer or third parties? Is the policy workable as a practical matter and likely to be enforced? Does the policy deal appropriately with all different forms of communications and record keeping within the office? Has the policy been announced in advance and agreed to by all concerned?

III. Policy Options

If a company does choose to articulate an express policy on the privacy of company electronic mail, then it may want specific elements of such a policy to address particular issues. These include:

A. What are the permissible uses to which the company electronic mail system may be put, and by whom?

   1. May the company electronic mail system be used incidentally for personal messages?

   2. If so, must employees take special steps to protect such messages against inadvertent inspection by others?

B. Will the company monitor the contents or transactional records of electronic mail as a matter of course, for any particular purposes?

   1. If so, will the company refrain from further inspection of messages it determines are of a personal and private nature?

   2. Will the nature of any routine monitoring be disclosed to employees?

   3. Will the company limit the use to which it may put information that is available only from electronic monitoring?

C. What grounds will be required to be shown, if any, to justify obtaining access to the contents of electronic mail without the consent of a sender or recipient?

   1. Must the employee seeking access establish a valid business purpose for such access?

   2. Will the company weigh the importance of the business purpose against the strength of any reasonable expectation of privacy?

   3. Will the company consider the extent to which the information could be obtained by alternative, less intrusive means?

   4. Will the company consider whether the employee could have taken steps to secure the privacy of personal matters?

   5. How, and by whom, will close cases be decided?

D. On what basis, if any, will the company defer to requests by senders of electronic mail that the contents not be disclosed to parties other than the intended recipient?

   1. Will the company attempt to respect an objection to disclosure from the sender of the message based on a claim that disclosure will result in personal embarrassment?

   2. Will the company attempt to respect an objection to disclosure from the sender of the message based on a claim that the disclosure would result in invasion of a privacy right?

E. Will the company impose any limitations on the internal uses to which the contents of mail, or the results of transaction monitoring, may be put?

   1. Will the company policy provide that the contents of electronic mail messages should be disclosed to others within the company, without the consent of a sender or recipient, only to the extent necessary to serve an important business purpose?

   2. Will company policy provide that employees should not be disciplined or terminated on the basis solely of information obtained from monitoring or inspection of company electronic mail files?

F. Will any special restrictions or limitations apply to disclosure of the contents of electronic mail to law enforcement officials?

   1. Does the company reserve the right to disclose electronic mail files sent to, received by or relating to an employee to law enforcement officials, without the consent of the employee and without giving prior notice to the employee?

   2. Should the company policy provide that prior notice will be given to the employees involved, before disclosure of company electronic mail to law enforcement authorities, unless prior disclosure is prohibited by law or the company concludes that its security or property would be placed at risk by such disclosure?

G. Will any special procedural requirements or approvals be required prior to access or disclosure in any particular kinds of cases?

   1. Should a special committee review in advance any requests for authority to access electronic mail files without the consent of the employee?

   2. Should a specified person have authority to approve external disclosures of electronic mail without the consent of a sender or recipient?

On any of these issues, it is possible to articulate a range of different possible policies that impose greater or lesser burdens on decisions to access or disclose the contents of electronic mail. More detailed additional materials designed to help a company review alternative policies and select a combination of policies most suitable to its own needs and the expectations of its employees will be forthcoming from the Association.

IV. Conclusion

Employers have an interest in minimizing confusion and disputes regarding the handling of company records, including the handling of communications that might involve some expectation of privacy on the part of employees. The Electronic Mail Association has performed a significant service in seeking to articulate the various interests involved and to formulate alternative policies and the criteria by which such policies may be evaluated.