When your boss is allowed to read your emails in the era of PoPIA
Once the Protection of Personal Information Act (PoPIA) comes fully into effect from 1 July 2021, disputes could arise between employers and employees in several areas, including the monitoring of employee emails.
A recent Constitutional Court judgment in Turkey considered the personal data protection rights of an employee and could provide some guidance as to how a similar situation may be handled in a South African context.
In this matter, a private bank employee used his corporate email account during working hours to assist his spouse in the running of her business. This resulted in the employer terminating his employment. The employee challenged his termination on the basis that his employer had infringed his right to data protection and freedom of communication when the employer inspected his corporate email without his prior notice or consent.
The Turkish Constitutional Court held that, in order to ensure that employees are conducting their work efficiently, and due to the nature of the employer’s business (the provision of financial services), the employer had a legitimate basis for inspecting employees’ corporate emails.
In addition, the employee’s signed contract of employment stipulated that the employee was required to utilise his corporate email for business purposes only. As such, the employer could inspect the account at any time without prior notification, and the Constitutional Court held that the notification and consent requirement was fulfilled.
The court also took note of the fact that the employer had only had regard to the information which supported the allegations that the employee had engaged in other business activities during working hours. Therefore, it found that the purpose of collecting the data, and the use thereof, was limited to proving the allegations of misconduct.
In the South African context, employment contracts usually contain clauses dealing with the monitoring and interception of communication on work devices and emails. These clauses usually provide that, as work devices and telecommunication systems are provided to promote the business’ objectives, they must be used for bona fide business purposes only and that the employer reserves the right to intercept and/or monitor any direct or indirect communication on their work devices and/or utilising the employer’s telecommunication systems.
In terms of PoPIA:
An employer who processes the personal information of an employee (data subject) must do so fairly and without negatively impacting the rights of the data subject;
Ideally, personal information should be processed with the data subject’s consent. Absent consent, there are other grounds that an employer can also rely on in order to process personal information, including where the processing is necessary for pursuing the legitimate interests of the responsible party (in this case the employer) or of a third party to whom the information is supplied;
In order to comply with PoPIA, employers should ensure that any clause in an employment contract allowing for the monitoring and interception of communications on the employer’s devices, or using the employer’s telecommunication systems, also clearly explains the purpose for such monitoring and interception. An employer may monitor and intercept communications on a company device and, if the employee is using their own device, communications sent and/or received using the employer’s telecommunication systems. The reason for this is that these devices and/or systems are provided by the employer to enable the employee to perform their duties and to assist the employer to meet its legal, business, administrative and management obligations. This would constitute a legitimate reason for processing.
If such a clause was inserted into a contract of employment, an employer could use the argument raised in the Turkish Constitutional Court to justify the processing of information because the employee would have been notified of the reason and the purpose for such processing.
Cognisance must also be taken of the other processing conditions for lawful processing contained in PoPIA: an employer may only use personal information obtained from the employer’s devices or systems to ensure compliance with its obligations and not for any other purpose. An employee will be provided with an opportunity to object to the use of his/her personal information during an investigation and/or disciplinary process thereby ensuring compliance with the openness and data participation condition.