All files are for educational and/or historic purposes only. [back to library]

Formulating A Company Policy on Access to and Use and Disclosure of
Electronic Mail on Company Computer Systems

A White Paper Prepared by David R. Johnson and John Podesta
for the Electronic Mail Association

October 22, 1990

I.    Introduction

The Electronic Mail Association has requested the preparation of this
White Paper as a means of helping companies to decide what policies
they would adopt with respect to access to and use and disclosure of
electronic mail sent and received by their employees on company
electronic mail systems.

There is no single, simple answer to the policy questions relating to
company electronic mail privacy.  Appropriate company policy will
differ depending on the needs of the company, the reasonable
expectations of employees, the rights of outsiders, and a balancing of
various complex interests.  The only policy that can vigorously
endorsed for virtually all circumstances is this:

        A company should have a policy with regard to protection of
        its employees' privacy and it should tell employees what that
        policy is.

        Most employers should establish privacy policies that deal
        with all media of communication used by employees, rather than
        singling out electronic mail as if it posed some unique threat
        to employee privacy.

The rise of electronic mail as an increasingly popular means of doing
business presents all companies using this new medium with an
opportunity to think through employee privacy protection in general
and with a fresh view.  While electronic mail has a few novel features
that raise new issues, the basic principles involved in selecting a
company privacy policy are not new. electronic mail may, infact, be
more private than many more traditional means of communication or than
paper files.  And we are certain that enlightened companies will
consider the impact on employee morale of respecting reasonable
privacy interests, as well as an employer's undoubted right to gain
access to the messages sent on its behalf by its employee agents.

In order to facilitate a company's review of the issues and selection
of a policy, we have outlined in this White Paper some of the key
background issues, various alternative policies that might be adopted,
and various criteria and procedures that could be used to evaluate and
implement a policy that strikes an appropriate balance.

II.    Background

Many different people have a stake in the establishment of a
reasonable policy governing access to and disclosure of company
electronic mail.  The employer must ultimately control the use of its
computer resources and must have access to its own business records,
of course, but it also has a stake in establishing a secure workplace
and an environment that respects employee rights.  Employees want some
privacy but they also want the employer to be able to cope with
business matters in their absence.  Third parties may have rights to
access certain company records and to have some types of
communications protected. Law enforcement officials may have certain
needs for access and for certainty regarding who can give consent for
access.  Everyone using an electronic mail system has a stake in
maintaining its security, preserving its operational status, and
preventing its use for illegal purposes.

Few legal principles set forth mandatory minimum baselines for either
protection of employee privacy or for guaranteed access to company
records by outsiders.  The Electronic Communications Privacy Act,
passed in 1986, was designed primarily to deal with the privacy of
communications sent over systems used by the public (and with the
threat of unauthorized access by outsiders). The Act does not address
in detail the status of messages sent by employees on behalf of their
employer -- at least with regard to key questions such as whether the
employer can insist that the employee consent to access and disclosure
by the employer.  Some states may guarantee minimum privacy rights
but, what expectations of privacy are reasonable in the workplace is
neither clear nor in general mandated by law.  The one principle most
likely to gain consensus and legal support is that employers should
not misrepresent their policies -- and have an affirmative obligation
to disclose what those policies are.

Electronic mail is not the only medium of communication that raises
privacy questions.  But it does provide a good opportunity to think
through the extent to which an employee may reasonably expect that
access to files and messages by other employees of the employer should
be constrained in various ways. Electronic mail is somewhat more
permanent in nature than a conversation over the phone or in the
hallway.  It is less formal than written memoranda.  It may be sent to
groups of people and may he readily forwarded to others.  It may stay
around in storage for a long time, even after the recipient has
indicated a desire to delete it.  It may include as attachments
documents that form a critical part of an employer's business.  Or it
may constitute a clearly private message that does not even concern
the employer's interests.

The most complex policy issues posed by electronic mail concern
whether an employee pursuing company business has a right to expect
the company to obtain the employee's consent before accessing or
disclosing the contents of company files that are normally under that
employee's control.  The separate question whether employees have the
right to use company electronic mail systems to send personal
messages, and to expect that such messages will not intentionally be
accessed by the employer, is a somewhat different question -- more
akin to the question whether an employer has the right to restrict the
making of private phone calls, or to inspect all employees purses (and
somewhat easier to answer in any given context).  Employees may not
leave all expectations of privacy behind when they go to work.  But
the communications they make on behalf of their employer are clearly
subject to certain requirements that simply do not apply to personal
phone conversations undertaken from home.

The resulting balancing act can be constrained in useful ways.
Particular sets of policies can be articulated for different work
environments, depending on the relative intensity of the employer's
need for access to (or to make disclosure of) the information, the
extent of any invasion of reasonable expectations of privacy on the
part of the employee, the degree to which either employer or employee
could have satisfied its needs by less intrusive (or less demanding)
means, and the degree to which close questions are thought
appropriately to be called in one direction or another or to be
resolved by special procedures.  The basic criteria for evaluating any
given policy are, at a general level, quite general and

        Does the policy comply with law and with duties to third parties?

        Does the policy unnecessarily compromise the interests of the
        employee, the employer or third parties?

        Is the policy workable as a practical matter and likely to be

        Does the policy deal appropriately with all different forms of
        communications and record keeping within the office?

        Has the policy been announced in advance and agreed to by all

III.  Policy Options

If a company does choose to articulate an express policy on the
privacy of company electronic mail, then it may want specific elements
of such a policy to address particular issues.  These include:

A. What are the permissible uses to which the company electronic mail
system mad be put, and by whom?

    1.  May the company electronic mail system be used incidentally
    for personal messages?

    2.  If so, must employees take special steps to protect such
    messages against inadvertent inspection by others?

B. Will the company monitor the contents or transactional records of
electronic mail as a matter of course, for any particular purposes?

    1.  If so, will the company refrain from further inspection of
    messages it determines are of a personal and private nature?

    2.  Will the nature of any routine monitoring be disclosed to

    3.  Will the company limit the use to which it may put information
    that is available only from electronic monitoring?

C. What grounds will be required to be shown, if any, to justify
obtaining access to the contents of electronic mail without the
consent of a sender or recipient?

    1.  Must the employee seeking access establish a valid business
    purpose for such access?

    2.  Will the company weigh the importance of the business purpose
    against the strength of any reasonable expectation of privacy?

    3.  Will the company consider the extent to which the information
    could be obtained by alternative, less intrusive means?

    4.  Will the company consider whether the employee could have
    taken steps to secure the privacy of personal matters?

    5.  How, and by whom, will close cases be decided?

D.  On what basis, if any, will the company defer to requests by
senders of electronic mail that the contents not be disclosed to
parties other than the intended recipient?

    1.  Will the company attempt to respect an objection to disclosure
    from the sender of the message based on a claim that disclosure
    will result in personal embarrassment?

    2.  Will the company attempt to respect an objection to disclosure
    from the sender of the message based on a claim that the
    disclosure would result in invasion of a privacy right?

E. Will the company impose any limitations on the internal uses to
which the contents of mail, or the results of transaction monitoring,
may be put?

    1.  Will the company policy provide that the contents of
    electronic mail messages should be disclosed to others within the
    company, without the consent of a sender or recipient, only to the
    extent necessary to serve an important business purpose?

    2.  Will company policy provide that employees should not be
    disciplined or terminated on the basis solely of information
    obtained from monitoring or inspection of company electronic mail

F. Will any special restrictions or limitations apply to disclosure of
the contents of electronic mail to law enforcement officials?

    1.  Does the company reserve the right to disclose electronic mail
    files sent to, received by or relating to an employee to law
    enforcement officials, without the consent of the employee and
    without giving prior notice to the employee?

    2.  Should the company policy provide that prior notice will be
    given to the employees involved, before disclosure of company
    electronic mail to law enforcement authorities, unless prior
    disclosure is prohibited by law or the company concludes that its
    security or property would be placed at risk by such disclosure.

G. Will any special procedural requirements or approvals be required
prior to access or disclosure in any particular kinds of cases?

    1.  Should a special committee review in advance any requests for
    authority to access electronic mail files without the consent of
    the employee.

    2.  Should a specified person have authority to approve external
    disclosures of electronic mail without the consent of a sender or

On any of these issues, it is possible to articulate a range of
different possible policies that impose greater or lesser burdens on
decisions to access or disclose the contents of electronic mail.  More
detailed additional materials designed to help a company review
alternative policies and select a combination of policies most
suitable to its own needs and the expectations of its employees will
be forthcoming from the Association.

IV.  Conclusion

Employers have an interest in minimizing confusion and disputes
regarding the handling of company records, including the handling of
communications that might involve some expectation of privacy on the
part of employees.  The Electronic Mail Association has performed a
significant service in seeking to articulate the various interests
involved and to formulate alternative policies and the criteria by
which such policies may be evaluated.

                            (end of file)