Slashdot Mirror
Where is the Line on Email Privacy?
"It could be interpreted that the company is looking for evidence of impropriety or dishonesty on the part of the prior employee, but there was never a question before the sudden termination to suggest anything out of the ordinary was ongoing. I am such an admin. I am ready to allow access to the company requesting it. Several details are bugging me though. First, I have never been asked for access to any other terminated employees' email. Second, I recently inquired about preserving email for a different employee and got the short answer that all company ties had to be completely terminated. Third, the server is not owned by the company in question. I'm completely (other than the following item) independent of the company. Fourth, it's my relative's account.
I've simply not responded so far, but how far do I go? I'm not an ISP and I don't have agreements with the users. I'm also not the IT dept.
Has anyone else had anything remotely similar, and if so; how did you respond?"
If the email account in question is a work account provided to the employee by the company for work use, then the contents of the account are normally the property of the company, not the employee. Normally, the employee should not be using the account for personal use anyway, so any violations of his privacy are his own fault. Business email accounts generally contain a lot of valuable information pertaining to the job of the former employee which the company is perfectly entitled to recover.
If I seem short sighted, it is because I stand on the shoulders of midgets
I work for a shared website hosting company, our policy is that the entity paying for the site and the mailboxes owns them, in this case the company.
How they choose to use the mail boxes is their business. Trying to override your customers idea of correct policy towards their staff will only cost you their business and the resulting bad reputation will hurt you.
My sympathies if its your relative, you could always lie and say that the box was deleted when the employee left.
Hi,
As resident information officer for my little company, I've had both legal advice (in UK) and experience of similar situations.
First off, the paperwork you need to worry about is the stuff between you (3rd party email services provider) and your customer (the company). What the company did or didn't say to the employee isn't really your problem - although it is their problem.
Now, ideally, your contract, or your services schedule would contain something saying just what happens in this situation. If not - now's the time to add it!
I would think that if the company phoned up and said 'sorry to be thick but I've forgotten the password for account xyz can you reset it?' then you'd do that, because handling lost or forgotten passwords is what you as service provider do.
And that, basically is what has happened. Now, it _may be_ that the company actually promised the employee that it wouldn't read their old email once they'd left (a somewhat odd promise anyway). But, that's not your problem. You aren't helping the company break its promise, because you don't know about it's promise.
More importantly it's NOT YOUR PLACE to determine your customer's privacy policies. That's actually quite important because your customers are (under UK law) liable for YOUR decisions regarding privacy. In order to deal with that liability your customers need to know what you will do in a given situation, and simply turning round and saying 'sorry dude I'm not going to tell you that' isn't good enough. A privacy policy that's too strict is just as bad as one that's too loose.
That last sentence may seem odd, but consider this. Your customer is liable under the UK Data Protection Act for any personal information it holds. Now, just before Employee left the company, someone sent a copy of their CV to Employee on the off chance of getting a job. Now, that CV is sensitive personal information, and Company MUST be able to access it and/or remove it if the author of the CV so requests.
So, it's no good them saying 'sorry, we can't delete your CV from our mail server because our ISP won't let us, so I guess it'll just hang around on the hard disk for ages until some guy somewhere with a root password takes a look at it'.
No good at all, you see?
So, my advice is:
1) Don't play 'privacy hero' and decide what your customers can and can't do.
2) Get some data protection rules into your contracts asap.
3) Meanwhile act assuming that the customer is honest and decent - if they aren't it won't be your fault, but if you pre-judge them as evil spying people then it will be your fault
-----
no other way to check it out.
geez, why do people have to ask these things from slashdot?? ALL YOU GET IS OPINIONS ON HOW IT SHOULD BE, NOT THE CURRENT STATE OF THE LAWS IN THE COUNTRY YOU'RE IN.
for example there are countries in which you CAN NOT read employees email legally unless you have explicitly said&informed that you will read it when you gave that account to him/her(or along those lines anyways, and it must have been very clearly said/informed to the person in question that the mail isn't private despite being protected by a password and seeming to be for his/her eyes only, otherwise it's the same as receiving a letter with the employees name at the office, falling under 'letter secrecy'.). same goes for other 'private' material like tracking calls against the will of the employee(even if the business is paying for the line)..
one of the very good reasons for laws to exist is to make limits on what rights of yours you can give away... businesses don't come before people!
world was created 5 seconds before this post as it is.
Looks like the courts in Finland just upheld a legislation barring an employer from reading employee e-mails. Couldn't find an announcement in English, nor are the translation tools too good, so you'll have to take my word for it. So they're faring well.
Marxist evolution is just N generations away!
1) Whatever you do will set a precedent, so keep that in mind. Saying "No" seems to your benefit, since saying "Yes" could set a pattern and they could expect more in the future.
2) Have you actually told them you still have the data? If so, this may not have been wise. As long as they don't know if the data still exists, they can push for it. If they don't know, they're reaching in the dark. This may be a good reason to start a policy of deleting accounts whenever you've received notice an employee is fired or whenever a client stops taking your services.
3) Get a lawyer. Why? This WILL be a precedent, if not for others, for this company. If they get what they want now, they may start asking to check everyone's email account and, eventually, they might go so far as to expect you to provide them with access to all accounts. You need to find out if you have a right to refuse the request. The best news that you could get would be a lawyer telling you that you either a) don't have to provide the data, or b) are not allowed to provide the data.
4) As said above (2 times), this will set a precedent, no matter what. In my experience, whenever someone asks for a special service, that isn't the end. It's not long before they ask for a repeat, and, once they've broken down that boundary, they ask for more and more. If you do decide to provide them access, or you find out you have to give them access, if possible you SHOULD charge for the service. Otherwise, they won't see this as as an item with value. By charging, you are setting a limit and taking steps to make sure they don't just keep asking for and expecting you to do more and more for them.
Seconded. He who pays for it, gets to play with it. Period.
If this company is paying for, say, five email accounts with you, and called up to say 'what is the password for account j.foobar?' then your response should have been 'Oh, of course! The password is: gorblat.'
Period. It's their accounts, you don't know what they do with them, you don't want to know what they do with them, you don't need to know what they do with them, and so on.
Vintage computer games and RPG books available. Email me if you're interested.
Traditional UNIX sysadmin ethics prohibit snooping in email for any reason. Snooping files and traffic is similarly verboten, except debateably (ulimit) in the case of excessive resource usage. This was done to increase user confidence and frank discussions in electronic media.
Current capitalist thinking is whoever pays, owns. This is pushed because email has proven to be very popular, frank and valuable. A victim of it's own success.
Personally, I did snoop in my wife's email. That's why she's now my ex. Neither qualms nor regrets.
That's really what it comes down to, I think. Whoever arranged for the service to be provoided to the employee and paid for it (or managed the relationship, if the service was free), is the owner of the data.
I really don't like it either, but a couple of times I have been required to provide people's email to my boss, including a Vice-President. I had to do a little bit of soul searcing on that, but not a whole lot.
Then I was, at another point, asked if I could archive all incoming and outgoing mail. I made a half-hearted effort, and eventually reported back that it wasn't possible. It was an ugly time all around in those days. At least I kept my job after 90% of the employees were layed off.
But then again, none of these people were my relatives. I hated them all.
I have misplaced my pants.
You simply wait for a court order. That's how things work. Don't hand anything over without a court order. Simple.
If they don't have a contract with you stating that their e-mails on your system are their property, then you don't have to give them anything -- unless some court feels you need to.
Phil
Fourth, it's my relative's account.
Even if for no other reason, you need to stand back and look at what you've done in the past. As a business providing a service for a fee, your company must treat this user's email the same as every other's. You're opening the company up for a justifiable lawsuit from the employer if you don't. Not only that, but you're establishing a precedent you'll have to follow in all future encounters with this employer and probably all others.
If you have no policies or past precedents to follow, you need to forget that this person is your relative and ask what you'd do with any other user. Then do the same. Your company may still get sued for making the wrong choice, but you'll eliminate the conflict of interest problem. Just make sure you immediate document this new policy, at least internally, and follow it in the future.
Even better, if you're not just a one-person company, recuse yourself. Give the employer's request to someone else to handle, and make it clear to that person that you have a conflict of interest and that they have the full authority to make whatever decision is consistent with past practice (and failing that, company philosophy and goals) without fear of reprisals. In writing, if possible.
As an ACM member I will ...
1.1 Contribute to society and human well-being.
1.2 Avoid harm to others.
1.3 Be honest and trustworthy.
1.4 Be fair and take action not to discriminate.
1.5 Honor property rights including copyrights and patents.
1.6 Give proper credit for intellectual property.
1.7 Respect the privacy of others.
1.8 Honor confidentiality.
Sounds like you should not turn over the email. I wouldn't.
Clearly, though, you can obtain consent from the original addressee and then disclose.