When investigating policy violations and other issues, is IT allowed to monitor employees’ personal email activity if the messages are sent and read at work? That’s the question at the heart of a recently filed lawsuit.
A group of scientists and doctors currently and formerly employed by the Food and Drug Administration recently filed a lawsuit claiming the FDA violated their privacy rights and illegally monitored their personal email accounts.
The surveillance took place over two years and allegedly began after the staffers warned Congress the agency was approving medical devices they believed were risky, The Washington Post reports.
Information learned via the monitoring was eventually used to harass or dismiss all six staffers, the lawsuit claims. In addition to monitoring activity on personal Gmail accounts, the FDA took snapshots of the staffers’ work desktops and read documents saved on their computers.
Though the complaint centers around personal email accounts, all the monitoring took place on government-owned computers and the FDA’s network. Also, FDA computers display a notice when employees log in stating that they should have “no reasonable expectation of privacy” when using government-owned equipment.
However, the staffers counter that the email accounts in question were personal and password-protected, so they expected those messages to stay private.
Did the FDA violate the law when it monitored employees’ personal email accounts? Similar cases in the past have left legal waters murky on this issue.
In one case, a court ruled that an employee had a reasonable expectation of privacy when using a personal email account while at work, even though the company had a policy stating that any computer activity in the office could be monitored.
However, a different company won its court case after firing an employee when personal emails revealed he was breaking the company’s non-compete policy. A judge ruled that the monitoring was OK because the company was watching activity on its own equipment and because it took place as part of an investigation into a serious policy violation.
We’ll keep you posted as the FDA case progresses. In the meantime, here are some tips experts give IT to help their companies avoid problems in this confusing legal area:
- Think about who owns the email – It’s accepted that companies can monitor messages sent through their own email system. But things get questionable in cases involving private, third-party accounts that store messages on a server outside the company.
- Have a clear-cut computer use policy – Employees can win in court when they show they have a “reasonable expectation” of privacy. So inform all employees that their web use at work will be monitored — and think twice before conducting any monitoring that isn’t clearly mentioned in the policy.
- Train managers – Some supervisors will go to great lengths when they suspect an employee of wrongdoing. But they should be warned that an investigation could become an invasion of privacy.