
Can You Monitor Your Employees' Emails?

Article by Diogo Correa
September 10, 2019

There is no question that email monitoring is a necessary evil in the modern workplace. Businesses across Australia face an increasing number of cybersecurity threats as the world becomes more dependent on the internet and technology continues to evolve. These threats range from data theft to malicious software, and they can slip through the cracks of a poorly monitored communication system.

While it’s common for IT departments to focus on external attacks, a 2018 report from Cybersecurity Insiders showed that 90% of organisations also recognise they are vulnerable to insider threats.

Where are these threats coming from? 

Employees, contractors, partners, and IT personnel who may accidentally or even deliberately cause a breach through your email system. This gives firms a clear reason to keep a close watch on workplace communications to ensure the security of their business.

This is no longer a question of whether employers should have access to employee emails and chats, but of how and to what extent.

How work emails are monitored:

Surveillance of work emails is usually done by reviewing server logs and monitoring user activity; this has always been the typical way of monitoring employee emails.

Some employers instruct IT personnel to perform audits manually by pulling up the “history” and, in some cases, even the contents of an individual mailbox. It should be noted, however, that employers do not typically go out of their way to do this; it is usually done once a suspicious pattern of activity has already emerged from that employee’s actions.

If you are strategic in your approach and have a good managed IT partner, they will generally implement automated software that can do any of the following:

  • Measure the total number of outgoing and incoming emails for each team member.
  • Save a copy of all messages and their attachments.
  • Provide administrators and managers with the contents of all emails.
  • Log keystrokes to detect suspicious activity even while a draft is being composed.
  • Send administrators and managers alerts based on the subject, content, sender, and recipient, especially when a user is communicating with external contacts and non-corporate accounts.
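As an added illustration of the last capability above (this is example code, not software from the article or from any vendor it mentions), the following Python flags outbound messages sent to personal mail providers, external recipients with attachments, or sensitive subject keywords. The corporate domain, the keyword list, and the log line format are all constructed assumptions for the example.

```python
import re

# Assumed values for the example: the organisation's own domain, mail providers
# treated as "non-corporate accounts", and subject keywords worth an alert.
CORPORATE_DOMAIN = "example.com.au"
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
SENSITIVE_SUBJECT = re.compile(r"\b(payroll|client list|confidential|password)\b", re.I)

# Constructed sample mail-server log lines in a simple key=value layout.
SAMPLE_LOG = """\
ts=2019-09-10T09:01:12 from=alice@example.com.au to=bob@example.com.au subject="Q3 forecast" attachments=0
ts=2019-09-10T09:15:40 from=alice@example.com.au to=alice.personal@gmail.com subject="client list export" attachments=1
ts=2019-09-10T10:02:03 from=carol@example.com.au to=partner@vendor.net,dave@example.com.au subject="Invoice" attachments=1
ts=2019-09-10T10:30:00 from=dave@example.com.au to=team@example.com.au subject="lunch?" attachments=0
"""

LINE_RE = re.compile(r'ts=(\S+) from=(\S+) to=(\S+) subject="([^"]*)" attachments=(\d+)')


def domain(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, sender, to, subject, attachments = m.groups()
    return {"ts": ts, "from": sender, "to": to.split(","),
            "subject": subject, "attachments": int(attachments)}


def evaluate(event):
    """Return the list of alert reasons for one parsed message (empty if none)."""
    reasons = []
    external = [r for r in event["to"] if domain(r) != CORPORATE_DOMAIN]
    if any(domain(r) in PERSONAL_DOMAINS for r in external):
        reasons.append("recipient at non-corporate/personal mail provider")
    if external and event["attachments"] > 0:
        reasons.append("attachment sent to external recipient")
    if SENSITIVE_SUBJECT.search(event["subject"]):
        reasons.append("sensitive keyword in subject")
    return reasons


def scan(log_text):
    """Run the rules over every line; return (timestamp, sender, reasons) per alert."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None and (reasons := evaluate(event)):
            alerts.append((event["ts"], event["from"], reasons))
    return alerts
```

Running `scan(SAMPLE_LOG)` on the constructed lines produces two alerts: the Gmail message trips all three rules, and the vendor invoice trips only the external-attachment rule.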

Email monitoring in the GDPR era:

The General Data Protection Regulation (GDPR) came into force on the 25th of May 2018. It is a regulation in EU law on data protection and privacy for all individual citizens of the European Union and the European Economic Area. It impacts every business in Australia because the regulation also addresses the transfer of personal data outside the EU to countries on other continents.

Under the regulation, employers must first take these steps before they are allowed to monitor employee communication:

  • Conduct a data protection impact assessment or DPIA indicating the purpose of the monitoring and whether it is justified; the adverse impact on employees; and whether there are less intrusive methods of achieving the aim.
  • Examine and document legal grounds for monitoring employee data in the context of the employer’s legitimate business interests.
  • Notify employees that surveillance may be conducted, and clarify the nature and extent of the monitoring, including the possibility of content being accessed.
  • Only use the data obtained through surveillance for the purpose specified at the outset, unless new information emerges that an employer cannot reasonably ignore.
  • Safeguard all personal data and permanently destroy it once it is no longer needed. Also, limit the number of people who can access the data and provide them with proper GDPR training.

Can you monitor without prior notice to employees?

Australia, however, has different laws when it comes to email monitoring. Most states and territories permit employers to access workers’ inboxes without prior agreement, policy or notice. NSW and the ACT are the only jurisdictions where workplace surveillance is regulated.

The reason the employer can view employee communication is that they own the communication platform, along with the rest of the company’s IT systems, and thus have the right to monitor every access point and every device connected to the network.

But before monitoring can take place, employers must first:

  • Give workers written notice of surveillance 14 days prior to the monitoring, or a shorter period if agreed.
  • Specify in the notice how and when the monitoring will be conducted, including the duration and frequency.
  • Ensure the surveillance aligns with workplace policies that have already been communicated to and accepted by the employee.

In the ACT, employers also have to clarify how computer data is actually logged, who has access to the logs, and how compliance will be audited. Once all this has been established, the company can then proceed with monitoring of work emails and chats without their employees’ knowledge.

There is also the question of employee termination based on evidence found through this method. Companies in all states and territories should comply with employment law and be able to prove that the surveillance and the methods used to build the case for dismissal clearly followed workplace policies from the start; otherwise, you as the employer could be looking down the barrel of a claim.

Are all personal emails off-limits for the employer or does the employer have all-access?

The business owns the email system, so employees need to understand that business emails should not be used for personal matters. Businesses can at any time scan this exchange for malicious or inappropriate activity.

Consideration also needs to be given to the amount companies invest in the security of their IT infrastructure, to make sure not only that company data isn’t leaked but also that employees’ details are safe at all times. Employees should always treat their mailbox as the property of the company and not as their own personal space.

There are instances where records of email correspondence can be subpoenaed by the courts. 

What happens, however, if employees open their personal inbox in the office?

Even if users are accessing personal email, they are still likely to fall within the same monitoring systems that cover corporate email if they open it 1) on a company-issued device or 2) through the company Wi-Fi, as both are owned by the firm.

During negotiation of the contractual agreement, employers (and employees, for their part) should clearly state the extent of the surveillance that will be conducted and agreed to, and provide a valid reason for it from the start of the business relationship.

If you would like to learn more you can book a free lunch here.

Diogo Correa

Head of Sales

Diogo has a Bcom in International Business and has forged Technology deals for multiple Enterprise-Grade businesses along with government organisations, across Australia. He is passionate about technology and leading our clients into digital alignment through our innovative Technology Success Program that he has helped build from the ground up.
