legalites for email viewing
Discussion
One for the legal bods 
In the past i installed a pc network for a small family run company, and created a domain for them; which was registered in my company name.
I've been approached by a family member of the company (mr a), asking me to allow them access to see all the emails coming through for 1 particual employee (mr x), although i have not been told why they would like to see these emails. The request was sent to me by txt and mr a also sent me another txt telling me that as the company is owned as financed by mr a family, they would like this actioned.
so i am looking for advice on the following.
1. as the domain was setup in my company name, would i be leagally responsible for what happens to the emails? if mr x was to loose thier job and found out that i allowed mr a access to his emails, could i be held liable, even though mr a would send me an email that they would take full responsibility.
2. under the data protection act could this be allowed? i know that in a large corporation, the hr dept. would normally have to sign off a line managers request to see thier staffs emails. but given that this is a small family run company, there is no hr dept.
3. i no longer trade as the company name, that the domain was registered in. the company has since dissolved, who would be responsible for the emails and who would take libility?
4. am i legally required to setup their request or could i decline to do this as i don't feel comfortable with the idea, of what i feel, is snooping.
thanks in advance, i look forward to your views and input.
In the past i installed a pc network for a small family run company, and created a domain for them; which was registered in my company name.
I've been approached by a family member of the company (mr a), asking me to allow them access to see all the emails coming through for 1 particual employee (mr x), although i have not been told why they would like to see these emails. The request was sent to me by txt and mr a also sent me another txt telling me that as the company is owned as financed by mr a family, they would like this actioned.
so i am looking for advice on the following.
1. as the domain was setup in my company name, would i be leagally responsible for what happens to the emails? if mr x was to loose thier job and found out that i allowed mr a access to his emails, could i be held liable, even though mr a would send me an email that they would take full responsibility.
2. under the data protection act could this be allowed? i know that in a large corporation, the hr dept. would normally have to sign off a line managers request to see thier staffs emails. but given that this is a small family run company, there is no hr dept.
3. i no longer trade as the company name, that the domain was registered in. the company has since dissolved, who would be responsible for the emails and who would take libility?
4. am i legally required to setup their request or could i decline to do this as i don't feel comfortable with the idea, of what i feel, is snooping.
thanks in advance, i look forward to your views and input.
There are conflicting views on this and case law has changed a few times as I understand it.. The e-mails have been found to be private in the same way as your home mail and at times they have been deemed company property. Oh, and IIRC a couple of IT bods went to jail for accessing an e-mail address without consent a few years ago (though this is something which someone told me and I have taken their word for it) because it was interfering with communications.
Your first requirement would be to contact the Information Commission and ask for their views.
You also have concerns with Article 8 - Right to Privacy.
I believe that in general to permit another person access to an account would at the minimum require a risk assessment to be undertaken and that the employee has consented to someone looking at his e-mail i.e. in his contract of employment.
Your first requirement would be to contact the Information Commission and ask for their views.
You also have concerns with Article 8 - Right to Privacy.
I believe that in general to permit another person access to an account would at the minimum require a risk assessment to be undertaken and that the employee has consented to someone looking at his e-mail i.e. in his contract of employment.
Edited by Jasandjules on Thursday 25th February 13:07
1) You're not the employer here, so no problem there.
2) If they don't have a communications policy, or an equivalent in the staff handbook or employment contract, Mr A could be in a lot of trouble if he disciplines or fires Mr X over the content of emails, and Mr X is aware of his legal position.
3) This might cause a problem for Nominet, as business domain names should always have valid info on the WHOIS. Get that sorted - unless you have a reason otherwise, just transfer it to the company that's using it.
4) What relationship do you have with them now? Was the setup work a one-off, or are you providing ongoing support?
Personally I'd set up access for them and document how to get into the employee's mail, but get in writing that Mr A is aware of his responsibilities as an employer under the HRA and DPA. What he does with that access it up to him.
2) If they don't have a communications policy, or an equivalent in the staff handbook or employment contract, Mr A could be in a lot of trouble if he disciplines or fires Mr X over the content of emails, and Mr X is aware of his legal position.
3) This might cause a problem for Nominet, as business domain names should always have valid info on the WHOIS. Get that sorted - unless you have a reason otherwise, just transfer it to the company that's using it.
4) What relationship do you have with them now? Was the setup work a one-off, or are you providing ongoing support?
Personally I'd set up access for them and document how to get into the employee's mail, but get in writing that Mr A is aware of his responsibilities as an employer under the HRA and DPA. What he does with that access it up to him.
sjg said:
Personally I'd set up access for them and document how to get into the employee's mail, but get in writing that Mr A is aware of his responsibilities as an employer under the HRA and DPA. What he does with that access it up to him.
I believe that the issue is with the person WHO grants the access to e-mails, they are the one's obligated to undertake the risk assessment etc and who stands to be prosecuted if the employee finds out and speaks to someone who knows the law IIRC... I think exceptions exist such as if the employee is off and not contactable and whatnot (i.e. why not just ask the employee for his password so someone can look at the e-mails) but here it sounds like they suspect him of something and want to snoop around in his e-mail to see what they can dig up. thanks for all your replies. it would seem that my best route of action would be to pass the domain over to the company, so it belongs to them. i have no reason to keep it in my name. then give the family instructions on how to access thier email system. this would then leave me in the clear if mr x wants to sue mr a.
thanks again for your advice.
what is the normal going rate for selling domains these days?
thanks again for your advice.
what is the normal going rate for selling domains these days?
Perhaps suggest to Mr A that you are ethically uncomfortable with doing this. You will transfer teh domain name to their own company ownership but they will need to find another IT support person to tell them how to access the emails of Mr X.
Depending on the ethics of Mr A this could strengthen your relationship with them.
Depending on the ethics of Mr A this could strengthen your relationship with them.
Mr Overheads said:
Perhaps suggest to Mr A that you are ethically uncomfortable with doing this. You will transfer teh domain name to their own company ownership but they will need to find another IT support person to tell them how to access the emails of Mr X.
Depending on the ethics of Mr A this could strengthen your relationship with them.
This would be my preferred solution in your shoes.Depending on the ethics of Mr A this could strengthen your relationship with them.
Mr Overheads said:
Perhaps suggest to Mr A that you are ethically uncomfortable with doing this. You will transfer teh domain name to their own company ownership but they will need to find another IT support person to tell them how to access the emails of Mr X.
Depending on the ethics of Mr A this could strengthen your relationship with them.
My guess is that it will terminate the contract for his services... Just based upon their initial request...Depending on the ethics of Mr A this could strengthen your relationship with them.
Jasandjules said:
Mr Overheads said:
Perhaps suggest to Mr A that you are ethically uncomfortable with doing this. You will transfer teh domain name to their own company ownership but they will need to find another IT support person to tell them how to access the emails of Mr X.
Depending on the ethics of Mr A this could strengthen your relationship with them.
My guess is that it will terminate the contract for his services... Just based upon their initial request...Depending on the ethics of Mr A this could strengthen your relationship with them.
Last year a potential lucrative new client (£2k per month as a starter for 10) asked how much I would be willing ot bend the rules and gave some examples that I was uncomfortable with (but exploiting legal grey areas) and hence I declined to take them on as a client. My ethics and reputation are worth more than that.
Gassing Station | Business | Top of Page | What's New | My Stuff