Where is the Line on Email Privacy?
"It could be interpreted that the company is looking for evidence of impropriety or dishonesty on the part of the prior employee, but there was never a question before the sudden termination to suggest anything out of the ordinary was ongoing. I am such an admin. I am ready to allow access to the company requesting it. Several details are bugging me though. First, I have never been asked for access to any other terminated employees' email. Second, I recently inquired about preserving email for a different employee and got the short answer that all company ties had to be completely terminated. Third, the server is not owned by the company in question. I'm completely (other than the following item) independent of the company. Fourth, it's my relative's account.
I've simply not responded so far, but how far do I go? I'm not an ISP and I don't have agreements with the users. I'm also not the IT dept.
Has anyone else had anything remotely similar, and if so, how did you respond?"
Hi,
As resident information officer for my little company, I've had both legal advice (in UK) and experience of similar situations.
First off, the paperwork you need to worry about is the stuff between you (3rd party email services provider) and your customer (the company). What the company did or didn't say to the employee isn't really your problem - although it is their problem.
Now, ideally, your contract, or your services schedule would contain something saying just what happens in this situation. If not - now's the time to add it!
I would think that if the company phoned up and said 'sorry to be thick but I've forgotten the password for account xyz can you reset it?' then you'd do that, because handling lost or forgotten passwords is what you as service provider do.
And that, basically, is what has happened. Now, it _may be_ that the company actually promised the employee that it wouldn't read their old email once they'd left (a somewhat odd promise anyway). But, that's not your problem. You aren't helping the company break its promise, because you don't know about its promise.
More importantly it's NOT YOUR PLACE to determine your customer's privacy policies. That's actually quite important because your customers are (under UK law) liable for YOUR decisions regarding privacy. In order to deal with that liability your customers need to know what you will do in a given situation, and simply turning round and saying 'sorry dude I'm not going to tell you that' isn't good enough. A privacy policy that's too strict is just as bad as one that's too loose.
That last sentence may seem odd, but consider this. Your customer is liable under the UK Data Protection Act for any personal information it holds. Now, just before Employee left the company, someone sent a copy of their CV to Employee on the off chance of getting a job. Now, that CV is sensitive personal information, and Company MUST be able to access it and/or remove it if the author of the CV so requests.
So, it's no good them saying 'sorry, we can't delete your CV from our mail server because our ISP won't let us, so I guess it'll just hang around on the hard disk for ages until some guy somewhere with a root password takes a look at it'.
No good at all, you see?
So, my advice is:
1) Don't play 'privacy hero' and decide what your customers can and can't do.
2) Get some data protection rules into your contracts asap.
3) Meanwhile act assuming that the customer is honest and decent - if they aren't it won't be your fault, but if you pre-judge them as evil spying people then it will be your fault.
-----
Traditional UNIX sysadmin ethics prohibit snooping in email for any reason. Snooping files and traffic is similarly verboten, except debatably (ulimit) in the case of excessive resource usage. This was done to increase user confidence and frank discussions in electronic media.
Current capitalist thinking is whoever pays, owns. This is pushed because email has proven to be very popular, frank and valuable. A victim of its own success.
Personally, I did snoop in my wife's email. That's why she's now my ex. Neither qualms nor regrets.
That's really what it comes down to, I think. Whoever arranged for the service to be provided to the employee and paid for it (or managed the relationship, if the service was free), is the owner of the data.
I really don't like it either, but a couple of times I have been required to provide people's email to my boss, including a Vice-President. I had to do a little bit of soul searching on that, but not a whole lot.
Then I was, at another point, asked if I could archive all incoming and outgoing mail. I made a half-hearted effort, and eventually reported back that it wasn't possible. It was an ugly time all around in those days. At least I kept my job after 90% of the employees were laid off.
But then again, none of these people were my relatives. I hated them all.
I have misplaced my pants.
You simply wait for a court order. That's how things work. Don't hand anything over without a court order. Simple.
If they don't have a contract with you stating that their e-mails on your system are their property, then you don't have to give them anything -- unless some court feels you need to.
Phil
Clearly, though, you can obtain consent from the original addressee and then disclose.