Guidelines on Workplace E-mail, Web Browsing and Privacy (30/3/2000)

Introduction
Background
The Technical Realities of E-mail Use and Privacy
Jurisdiction and Legal Issues
Developing a Policy
Guidelines
Conclusion

Introduction

The use of the Internet by governments and organisations has raised concerns about the privacy of staff e-mail and web browsing activities. Despite the fact that they are using government or corporate equipment and networks staff may consider that their e-mails and web browsing activities are private. In some cases access controls and security features of a network (passwords etc) give the user an illusion of privacy and they may not be aware that their browsing activities and e-mail content can be scrutinised. It may not be understood that the purpose of access controls is to prevent unauthorised access.

The purpose of these Guidelines is to recommend steps that organisations can take to ensure that their staff understand the organisation's position on this issue through the development of clear policies.

Information and communications technology in the workplace raises questions about the supervision of its use. This technology includes e-mail and access to the Internet. The computers and internal network involved are controlled by the organisation and management has the responsibility for issuing instructions as to their proper use.

Without clear instructions the proper use of e-mail and web browsing may not be clear to many in the workplace. Good practice suggests that management spell out clearly their expectations and permitted practices to employees. These guidelines are designed to assist in the development of good practice. If you need further advice please contact our Office at privacy@privacy.gov.au or phone the Privacy Enquiries Line on 1300 363 992.

Background

Privacy Expectations in the Workplace

It is clear that most staff do not expect to completely sacrifice their privacy while at work. Their organisation may provide them with an office, a locker or filing cabinet to which they possess keys and also access to the computer network including storage space for their files. Typically their access to the network and computer systems will be by password control. They may be encouraged or required to use non-obvious passwords and to change them frequently. Their personal password gives them access to their files, e-mail account and to web browsing. This may give the impression that no-one can access their files or monitor their activities on the network. Some staff may not be aware that system administrators are usually able to access everything on the network.

The Technical Realities of E-mail Use and Privacy

Most e-mail is insecure. It should be regarded as insecure unless it has been encoded or encrypted. E-mail is often compared to a postcard in that anyone who receives it can read it. E-mail may also be read if it is stored on servers during transmission.

E-mails are hard to destroy. Many people think that if they delete their e-mail it is gone forever. This is not so as most electronic documents are backed up and recoverable.

Logging. Most software used to operate networks, including web servers, mail servers and gateways, logs transactions and communications. These logs will normally include the e-mail addresses of senders and recipients of e-mail and the time of transmission. The content of e-mails themselves would not normally be logged but may be stored on mail servers. Similarly, web server logs record information on the sites that people visit. The keeping of these logs is usually necessary for the routine maintenance and management of networks and systems. System administrators are also capable of reading the contents of e-mails sent and received by the corporate network.

Jurisdiction and Legal Issues

Private sector

The Office of the Privacy Commissioner receives many enquiries regarding the privacy of workplace e-mail and web-browsing activities. It is apparent from these calls that there is a general expectation, by staff, that law exists which protects their privacy in the workplace. There is no general constitutional or common law right to privacy in Australia. However, in December 2000 the Federal Government introduced "light touch" privacy legislation to cover the private sector which is based on the National Privacy Principles for the Fair Handling of Personal Information. This legislation applies to staff e-mails that contain personal information other than "employee records" in certain circumstances. The private sector legislation also applies to logs of staff web browsing activities.

Public sector

The Information Privacy Principles in the Privacy Act apply only to Commonwealth and ACT Government agencies. Within the Privacy Act jurisdiction, e-mails which contain personal information are records for the purposes of the Privacy Act. While Information Privacy Principles (IPPs) 1-3 cover the collection of personal information, IPPs 2 and 3 apply only to the collection of personal information where it is solicited and therefore do not apply to logging scenarios where information is logged automatically.

IPP 1 applies more generally to collection and can be applied to logging. It requires that personal information be collected for a lawful purpose that is directly related to a function or activity of the collector, that the collection is necessary for or directly related to that purpose and that collection shall not be by unlawful or unfair means. If staff were not made aware of the logging of their network activities, then this could be considered to be unfair. Therefore, network users should be made aware of the logging practices of the agency.

IPPs 10 and 11 may apply to e-mail that contains personal information. IPP 10 limits the use of records of personal information for purposes other than for which it was obtained. IPP 11 limits the disclosure of records of personal information. E-mails which contain personal information may only be disclosed where one of the exceptions in IPP 11.1 (a) to (e) apply.

Developing a Policy

Some enquiries to the Privacy Commissioner involve scenarios where management has announced that staff may only use e-mail and web browsing for work related purposes and that all e-mail and web access logs will be monitored for compliance with this position. As the organisation has responsibility for its computer systems and networks, it has the right to make directions as to its use.

Informing people about the personal information that is collected, held and what is done with it is an important privacy principle. The Privacy Commissioner encourages organisations to develop in consultation with staff a clear privacy policy in relation to staff use of computer networks, particularly with regard to the use of e-mail and the Internet. It is recommended that the policy clearly set out the proper and permitted use of the network, including Internet e-mail and web browsing. This policy may form part of a general IT usage policy or a separate privacy policy dealing with e-mail and Internet use. Such an approach is likely to result in a policy that staff understand and accept.

Guidelines

The following Guidelines are provided to assist organisations to develop policies or improve their existing policies.

The policy should be promulgated to staff and management should ensure that it is known and understood by staff. Ideally the policy should be linked from a screen that the user sees when they log on to the network.
Consultation with staff may also be useful. A consultative process can engender an understanding by management of the sorts of legitimate activities staff are using e-mail and web browsing for and increase the understanding by staff of the possible risk to the organisation associated with improper e-mail and Internet use.
The policy should be explicit as to what activities are permitted and forbidden.
While it is for each organisation to determine what it considers to be appropriate usage of its system, to simply say that all activity must be "work-related" may not be clear. There may be scope for guidelines outlining what personal use of e-mail both within the organisation and externally, to other organisations, is appropriate. Other activities may be specifically prohibited, eg. the use of e-mail to harass, flame (to send abusive e-mail) or defame or disclose information, or to transmit pornography.

The issue of appropriate usage may be harder to define in respect to web browsing. It may not be possible to tell if a web page is relevant until it has been read. The operation of web search engines can result in surprising and irrelevant search results. Links on websites may also be misleading. Discussion with staff on the issue of work related web use might help to clarify this issue. Where an organisation determines that usage is to be work related only, it should clearly spell out what it considers to be work-related.

The policy should refer to any relevant legislation. In the Commonwealth public sector this would include the Privacy Act, the Archives Act, the Freedom of Information Act, the Crimes Act, the Public Service Act , Regulations and the Australian Public Service (APS) Code of Conduct. APS Regulations provide that employees must use Commonwealth resources in a proper manner and behave in a way that upholds the APS values and the integrity and good reputation of the APS. For more information on the Public Service Act 1999 please visit the Public Service and Merit Protection Commission website.

The Sex, Race and Disability Discrimination Acts and workplace relations law apply in both the public and private sectors. In particular, employers (please refer to the "Employers' Page on the Human Rights and Equal Opportunity Commission website".) should be aware of their obligations under these Acts to protect their employees against sexual harassment, racial vilification and other forms of unlawful discrimination which could occur through e-mail and Internet use. The Corporations Law may also be relevant as well as state and territory statutes.
The policy should clearly set out what information is logged and who in the organisation has rights to access the logs and content of staff e-mail and browsing activities.
Staff e-mail boxes will normally contain the e-mails they have sent and received. Back-ups and archives may also contain copies of e-mails that have been deleted by the user. As well as the actual content of messages, the date and time the message was transmitted, received and opened and the e-mail addresses of the sender and recipients will normally be recorded.

With web browsing the URLs (Uniform Resource Locaters or website addresses) of sites visited, the date and time they were visited and the duration of site visits may be logged. Normally, access rights to staff mail boxes and logs would be restricted to those with the responsibility for administering the system. Such access should be as limited as possible and who has access rights should be clearly set out in the policy. The policy should outline in what circumstances IT staff can legitimately access staff e-mails and browsing logs.

The policy should also indicate, in general terms, under what circumstances an organisation will disclose the contents of e-mails and logs. Many organisations will only do this on the production of a legal authority.
The policy should refer to the organisation's computer security policy. Improper use of e-mail may pose a threat to system security, the privacy of staff and others and the legal liability of the organisation.
The policy should outline, in plain English, how the organisation intends to monitor or audit staff compliance with its rules relating to acceptable usage of e-mail and web browsing.
The policy should be reviewed on a regular basis in order to keep up with the accelerating development of the Internet and Information Technology. The policy should be re-issued whenever significant change is made. This would help to reinforce the message to staff.

Conclusion

While it is acknowledged that access to staff e-mails and browsing logs by system administrators may be required in certain circumstances, it is unlikely that pervasive, systematic and ongoing surveillance of staff e-mails and logs should be necessary.

Organisations are encouraged to foster an environment where staff are assured that the privacy of their communications will be respected as long as they abide by the organisation's stated policy.

Balancing the legitimate interests of organisations and staff may be difficult and this balance may vary in different organisations. Policy or practice which leads staff to believe that their privacy in the workplace is not respected may be regarded as intrusive and oppressive and have a negative impact on morale and productivity.

Return