Here is a thought-provoking list of guidelines for defining your firm’s email policy. The guidelines hold true generally for law firms and other professional services firms; the list was defined in the context of protecting healthcare information.
If an organization does not clearly define limits and access to personal emails incidentally conveyed by the corporate system, there may be precedent for a reasonable expectation of employee privacy while using the corporate systems. Conversely, if the email policy is clear, then the personal emails are fully governed by the retention policies.
[Organizations] that have not already implemented an email policy should do so. The policy should include:
- email protocol (such as identifying recipients who need to act on the email, covering one topic per email, using clear and explicit subject lines, and who is to retain email between sender and recipient);
- the purposes for which the email system may be used including the extent of use for personal purposes;
- the types of information which should not be communicated via email;
- [administrative] access to, monitoring and auditing of email;
- the application of the … record retention policy to email; and
- consequences of breaches of the email policy.
- restrict personal use of the email system to incidental, limited use;
- monitor email for compliance with policies (acceptable use, privacy, confidentiality) and as required for system maintenance, management and security;
- give notice of monitoring and caution that the system should not be used for private communications;
- apply existing record management systems and classifications to email;
- review records retention policy and determine how it applies to emails;
- ensure that emails are organized so as to permit their efficient search and retrieval including retaining transmission and receipt data with the text;
- ensure emails carry a notice that they are intended only for the named recipient and a number to call if received by someone else;
- discourage the retention of duplicate messages, for example for ease of reference; and
- enforce compliance with email and related policies.
A growing line of cases affords protection to employees who may reasonably have expected privacy when using company IT systems. In Asia Global Crossing, the court set forth a four-factor test to assess the reasonableness of an employee’s privacy expectation in personal email transmitted over, and maintained on, a company server. The test poses four questions:
- Does the company maintain a policy banning personal or other objectionable use?
- Does the company monitor the use of the employee’s computer or email?
- Do third parties have a right of access to the computer or emails?
- Did the company notify the employee, or was the employee aware, of the use and monitoring policies?