A United Kingdom (U.K.) employer's review of a departing employee's e-mail was appropriate under the circumstances, the High Court of England and Wales ruled. The decision places workers on notice that they shouldn't rely on data privacy law to argue that a contract has been breached and they are thus freed from post-termination restrictions, legal experts say.
The case "is yet another example of the English court's being sympathetic to [employers] and acting to prevent the unlawful use of confidential information by employees or former employees," according to Nick Ashcroft, an attorney with Addleshaw Goddard in London.
Although this is a first-instance decision that will not be binding on other courts, "it may be persuasive in future cases where employers have similarly investigated their employees," said Carla Feakins, an attorney with Lewis Silkin in London.
The case of Argus Media Ltd v. Halim stems from a dispute between a price-reporting agency and a business development manager for its fertilizer business. The employee left the company in August 2018. During his notice period, or "garden leave"—when he was on the payroll but instructed to stay away from work—his manager became suspicious about the worker's activity and requested access to his e-mail.
Argus' electronic information and communications policy, contained in its employee handbook, gave the employer the right to access and inspect any materials created, sent, received or accessed using Argus' information technology (IT) systems without notifying the worker. Argus' policy also allowed it to monitor the use of its IT systems to investigate possible contract breaches.
The manager found e-mail containing confidential business information that the employee had sent to his personal account, as well as e-mail concerning work matters sent to his wife. Relying partially on the e-mail as evidence of the worker's misconduct, Argus alleged that during his notice period, the employee had launched a price-reporting agency to compete with Argus' fertilizer business and had offered fertilizer pricing reports to Argus' clients. The worker had misused confidential information, solicited clients and competed with Argus in breach of restrictive covenants, the company charged.
In response, the employee claimed that Argus' sweep of his e-mail had breached his privacy rights, thus freeing him from having to comply with any post-termination restrictions.
The court, however, held that the e-mail was work-related, and Argus' investigation was proportionate and appropriate. "The purpose of [Argus' review of the employee's e-mail] was to see electronic communications relating to work, and there is nothing to suggest that Argus was searching for personal material," the judge said. "It seems to me to be very dubious that a communication on the work e-mail to a spouse [that] on its face was about a work matter is protected private communication."
The judge further found that "[a]s a matter of construction of the policy, I find that this access was conferred upon Argus. … It is a broad power conferred upon the employer."
The worker was ordered to pay 90 percent of Argus' legal costs, which were over 500,000 pounds (more than $603,823).
Well-Drafted E-Mail Policies
"This decision should give employers reassurance that well-drafted policies will give protection against privacy arguments raised by employees," Feakins said. She cautioned, however, that whether a business can rely on a policy allowing access and inspection of business e-mail without notice to employees depends on the circumstances of the investigation.
"Investigations should be planned to take account of privacy rights and … conducted in accordance with the employer's policies. Consider whether a privacy impact assessment would be helpful, and ensure that as part of any monitoring, irrelevant personal material is not inspected."
Ashcroft said, "The contractual terms and policies often do make a real difference in terms of available remedies as well as what you can do to prevent theft of confidential information and unlawful competition by employees." He added that the case highlights the importance of careful drafting of employment documentation, not only of restrictive covenants in the contract but also of the electronic information and communications policy.
Ashcroft noted that the suspicion of employee misuse of confidential information isn't the only legitimate grounds for a U.K. employer to monitor workers' business e-mail. Other legitimate grounds include:
- Avoiding harassment or inappropriate behavior by an employee.
- Monitoring workers' performance and for training purposes.
- Protecting employees' personal data.
- Defending systems from being hacked.
- Controlling transmission of trade secrets and confidential information.
- Preventing departing workers from soliciting customers.
- Ensuring compliance with corporate policies and procedures.
- Complying with regulatory requirements.
Monitoring employee e-mail can amount to an offense under the Investigatory Powers Act 2016, except when the employer has a right to control the use of the system or has obtained a worker's consent, Ashcroft said. He emphasized that "this is where the importance of properly drafted policies comes in," since, if an employee has consented to the internal communications policy, a company does not have to notify the employee again of the possibility of its intercepting his or her e-mail.
Tips for Employers
Ashcroft offered the following advice to employers on monitoring employee e-mail without infringing on employees' privacy rights:
- Have a clear and comprehensive written company policy about personal use of the company's phone and e-mail systems, plus its Internet access.
- Explain that any monitoring is necessary and not excessive.
- Ensure that any monitoring is carried out in the least intrusive manner possible.
- Bring the policy to the attention of workers and ensure that it is easily accessible.
- Explain that employee e-mail marked "personal/private" will not be accessed by employers unless they have a legitimate reason to do so.
Employers may consider other options, such as prohibiting access to Web-based e-mail accounts at work, monitoring e-mail containing attachments and not wiping devices when they are returned.
Rosemarie Lally, J.D., is a freelance legal writer based in Washington, D.C.