Formulating A Company Policy on Access to and Use and Disclosure of Electronic Mail on Company Computer Systems

A White Paper Prepared by David R. Johnson and John Podesta for the Electronic Mail Association

October 22, 1990

I. Introduction

The Electronic Mail Association has requested the preparation of this White Paper as a means of helping companies to decide what policies they would adopt with respect to access to and use and disclosure of electronic mail sent and received by their employees on company electronic mail systems.

There is no single, simple answer to the policy questions relating to company electronic mail privacy. Appropriate company policy will differ depending on the needs of the company, the reasonable expectations of employees, the rights of outsiders, and a balancing of various complex interests. The only policy that can be vigorously endorsed for virtually all circumstances is this:

A company should have a policy with regard to protection of its employees' privacy and it should tell employees what that policy is.

Most employers should establish privacy policies that deal with all media of communication used by employees, rather than singling out electronic mail as if it posed some unique threat to employee privacy.

The rise of electronic mail as an increasingly popular means of doing business presents all companies using this new medium with an opportunity to think through employee privacy protection in general and with a fresh view. While electronic mail has a few novel features that raise new issues, the basic principles involved in selecting a company privacy policy are not new. Electronic mail may, in fact, be more private than many more traditional means of communication or than paper files. And we are certain that enlightened companies will consider the impact on employee morale of respecting reasonable privacy interests, as well as an employer's undoubted right to gain access to the messages sent on its behalf by its employee agents.

In order to facilitate a company's review of the issues and selection of a policy, we have outlined in this White Paper some of the key background issues, various alternative policies that might be adopted, and various criteria and procedures that could be used to evaluate and implement a policy that strikes an appropriate balance.

II. Background

Many different people have a stake in the establishment of a reasonable policy governing access to and disclosure of company electronic mail. The employer must ultimately control the use of its computer resources and must have access to its own business records, of course, but it also has a stake in establishing a secure workplace and an environment that respects employee rights. Employees want some privacy but they also want the employer to be able to cope with business matters in their absence. Third parties may have rights to access certain company records and to have some types of communications protected. Law enforcement officials may have certain needs for access and for certainty regarding who can give consent for access. Everyone using an electronic mail system has a stake in maintaining its security, preserving its operational status, and preventing its use for illegal purposes.

Few legal principles set forth mandatory minimum baselines for either protection of employee privacy or for guaranteed access to company records by outsiders. The Electronic Communications Privacy Act, passed in 1986, was designed primarily to deal with the privacy of communications sent over systems used by the public (and with the threat of unauthorized access by outsiders). The Act does not address in detail the status of messages sent by employees on behalf of their employer -- at least with regard to key questions such as whether the employer can insist that the employee consent to access and disclosure by the employer. Some states may guarantee minimum privacy rights, but what expectations of privacy are reasonable in the workplace is neither clear nor in general mandated by law. The one principle most likely to gain consensus and legal support is that employers should not misrepresent their policies -- and have an affirmative obligation to disclose what those policies are.

Electronic mail is not the only medium of communication that raises privacy questions. But it does provide a good opportunity to think through the extent to which an employee may reasonably expect that access to files and messages by other employees of the employer should be constrained in various ways. Electronic mail is somewhat more permanent in nature than a conversation over the phone or in the hallway. It is less formal than written memoranda. It may be sent to groups of people and may be readily forwarded to others. It may stay around in storage for a long time, even after the recipient has indicated a desire to delete it. It may include as attachments documents that form a critical part of an employer's business. Or it may constitute a clearly private message that does not even concern the employer's interests.

The most complex policy issues posed by electronic mail concern whether an employee pursuing company business has a right to expect the company to obtain the employee's consent before accessing or disclosing the contents of company files that are normally under that employee's control. The separate question whether employees have the right to use company electronic mail systems to send personal messages, and to expect that such messages will not intentionally be accessed by the employer, is a somewhat different question -- more akin to the question whether an employer has the right to restrict the making of private phone calls, or to inspect all employees' purses (and somewhat easier to answer in any given context). Employees may not leave all expectations of privacy behind when they go to work. But the communications they make on behalf of their employer are clearly subject to certain requirements that simply do not apply to personal phone conversations undertaken from home.

The resulting balancing act can be constrained in useful ways. Particular sets of policies can be articulated for different work environments, depending on the relative intensity of the employer's need for access to (or to make disclosure of) the information, the extent of any invasion of reasonable expectations of privacy on the part of the employee, the degree to which either employer or employee could have satisfied its needs by less intrusive (or less demanding) means, and the degree to which close questions are thought appropriately to be called in one direction or another or to be resolved by special procedures. The basic criteria for evaluating any given policy are, at a general level, quite general and straightforward.

Does the policy comply with law and with duties to third parties?

Does the policy unnecessarily compromise the interests of the employee, the employer or third parties?

Is the policy workable as a practical matter and likely to be enforced?

Does the policy deal appropriately with all different forms of communications and record keeping within the office?

Has the policy been announced in advance and agreed to by all concerned?

III. Policy Options

If a company does choose to articulate an express policy on the privacy of company electronic mail, then it may want specific elements of such a policy to address particular issues. These include:

A. What are the permissible uses to which the company electronic mail system may be put, and by whom?

   1. May the company electronic mail system be used incidentally for personal messages?

   2. If so, must employees take special steps to protect such messages against inadvertent inspection by others?

B. Will the company monitor the contents or transactional records of electronic mail as a matter of course, for any particular purposes?

   1. If so, will the company refrain from further inspection of messages it determines are of a personal and private nature?

   2. Will the nature of any routine monitoring be disclosed to employees?

   3. Will the company limit the use to which it may put information that is available only from electronic monitoring?

C. What grounds will be required to be shown, if any, to justify obtaining access to the contents of electronic mail without the consent of a sender or recipient?

   1. Must the employee seeking access establish a valid business purpose for such access?

   2. Will the company weigh the importance of the business purpose against the strength of any reasonable expectation of privacy?

   3. Will the company consider the extent to which the information could be obtained by alternative, less intrusive means?

   4. Will the company consider whether the employee could have taken steps to secure the privacy of personal matters?

   5. How, and by whom, will close cases be decided?

D. On what basis, if any, will the company defer to requests by senders of electronic mail that the contents not be disclosed to parties other than the intended recipient?

   1. Will the company attempt to respect an objection to disclosure from the sender of the message based on a claim that disclosure will result in personal embarrassment?

   2. Will the company attempt to respect an objection to disclosure from the sender of the message based on a claim that the disclosure would result in invasion of a privacy right?

E. Will the company impose any limitations on the internal uses to which the contents of mail, or the results of transaction monitoring, may be put?

   1. Will the company policy provide that the contents of electronic mail messages should be disclosed to others within the company, wi...