Privacy Law and Policy Reporter
As millions of people worldwide embrace communication via e-mail, concerns have been raised about inadequate levels of security both with e-mail used within organisations and with e-mail over the Internet. The Information and Privacy Commissioner of Ontario, Tom Wright, recently released guidelines to protect the privacy of communications via e-mail for provincial and municipal government organisations under the jurisdiction of Ontario's Freedom of Information and Protection of Privacy Act. These guidelines provide a model for all organisations developing a corporate policy on e-mail protection.
Two major developments are occurring in the use of e-mail communication. The first is its rapid growth both within and between organisations. At the same time, the technology of e-mail communications has developed to a point where sophisticated e-mail programs have become able to incorporate multimedia sources, including large blocks of text, spreadsheets, photographs, video clips, bar codes, and voice messages.
E-mail holds many advantages. It is speedy in preparation and transmission, and cheap. It enhances communication within organisations, and contributes to the democratisation of the workplace by flattening hierarchical communication structures.
But e-mail communications lack security. The confidentiality of communications can be breached. Communications can be monitored.
The Commissioner's guidelines for the security of e-mail system are based on seven principles.
E-mail offers substantial benefits to organisations but employees will only use it to the extent that they feel that what they transmit will remain confidential.
This policy should be developed through a process of consultation across the organisation and should set out:
(a) the purposes for which e-mail may be used;
(b) what third-party access to e-mail may be allowed; and
(c) consequences for a breach of the e-mail policy.
The Commissioner quotes Californian research which estimated that 60 per cent of e-mail communications are of a non-business nature. While employers might at first glance find such a high proportion of personal use alarming, e-mail may in fact improve efficiency within the firm because it is faster than the personal communications such as phone calls or personal visits which would generally occur in its absence.
Nevertheless, the disclosure of these personal communications involves a greater risk of privacy invasion than the disclosure of business communications because of their content. This might best be addressed through maintaining separate systems for business and non-business communications, with a higher set of security safeguards such as password protections on the latter system.
Policies relating to third-party access to e-mail communications should clearly establish the circumstances under which an employee's e-mail may be accessed, and which individuals have such authorisation. The procedures should, as much as possible, require third parties to gain approval from the employee prior to access, or to notify the employee as soon as possible after the access has occurred.
Simply including information relating to e-mail use in the corporate manual may not be adequate. Employees should be directly informed of the corporate e-mail policy. An ideal time for this process may be on joining the organisation or through notification each time the employee logs on to the system. Each employee should read and agree to comply with the policy.
Most employees assume that their communications are private. This is not necessarily true. In many circumstances the privacy of e-mail may be breached:
(a) employers, supervisors or systems staff may access personal communications - the report quotes a study showing 22 per cent of employers in a recent survey had accessed and searched staff e-mail;
(b) the message does not appear when it goes to someone else's screen - a record of this message may be stored elsewhere, for example, in an automatic backup;
(c) deleting the message from one's personal files may not destroy the record of the message because it is stored elsewhere;
(d) e-mail messages can be readily forwarded to others without the original author's permission;
(e) e-mail may be networked to other organisations or individuals, making information more vulnerable;
(f) third parties may access the e-mail recipient's files;
(g) hackers can break into e-mail systems with or without malicious intent;
(h) e-mail can be remotely monitored without any indication that the monitoring is being conducted;
(i) use of e-mail at remote sites may create records over which the organisation has little control; and
(j) not all e-mail systems automatically encrypt files and messages.
The ease of e-mail use may facilitate unnecessary data collection and unauthorised disclosure of information in breach of the principles of the Act. As personal information becomes more distant from the original source, it becomes more difficult to ensure compliance with privacy principles.
Simple measures include:
(a) access controls through requirements relating to identification or authorisation, such as a bar code, a smart card, a password, a personal identification number or some form of biometric identification;
(b) encryption measures can protect the content of communications by only allowing the recipient with the correct password to decrypt it;
(c) users can be automatically logged off the system after a time period if the computer is not in use; and
(d) the subject of a message can be concealed.
Security breaches can occur when it is possible to access computers easily, in particular when some messages have been archived on personal files which have no security safeguards. Passwords should be changed regularly. The number of systems administrators should be minimised. Employees should be aware of any backup files and the length of time for which such backups are retained.
The report concludes that protecting e-mail privacy through these practical measures will enhance the work environment and promote effective communication within organisations. While these general principles lay out a framework for e-mail privacy protection, the difficult decisions involving the balance between employee privacy and other employer interests will need to be made in the context of individual organisations.
The full text of the Commissioner's guidelines are available from the Information and Privacy Commissioner, 80 Bloor St West, Suite 1700, Toronto, Ontario M5S 2VI, Canada. Tel. +1 416 326 3333 Fax +1 416 965 2983.