Manager accessing employee emails while away from work on annual leave

Hi,

I'm not sure if this is the correct section to be posting this question but said I would post here, feel free to move if it's the incorrect section.

So my question is whether or not your manager can log into your email account and send emails from your account in your absence?

It's not me that this has happened to, but my friend arrived back from annual leave this week to find that while they were away that their manager had got the IT guy in the office to log her into the friends computer to access emails. Before leaving the office to head away on annual leave my friend had put an out of office response on her emails which said to contact said manager in her absence? The manager replied to emails on the account signing off with my friends name.

Is this kind of thing allowed? I know personally working in the pharma industry that this type of thing would never happen!!

Cheers for replies in advance!

Gravelly

tolow wrote: »

Hi,

I'm not sure if this is the correct section to be posting this question but said I would post here, feel free to move if it's the incorrect section.

So my question is whether or not your manager can log into your email account and send emails from your account in your absence?

It's not me that this has happened to, but my friend arrived back from annual leave this week to find that while they were away that their manager had got the IT guy in the office to log her into the friends computer to access emails. Before leaving the office to head away on annual leave my friend had put an out of office response on her emails which said to contact said manager in her absence? The manager replied to emails on the account signing off with my friends name.

Is this kind of thing allowed? I know personally working in the pharma industry that this type of thing would never happen!!

Cheers for replies in advance!

Whether it's "allowed" or not is down to the management of the company involved, but I would consider it, at the very least, bad practice, at more likely outright dishonesty on the managers part.

TallGlass

Accessing email account is a common thing from an IT point of view.

But sending an email as someone else, doesn't sound to ethical.

Lmklad

As far as I’m aware the company retains control of its own email system and can access it at anytime. The issue here as I see it is using your friends name without their knowledge or permission.

Vetch

tolow wrote: »

Hi,

I'm not sure if this is the correct section to be posting this question but said I would post here, feel free to move if it's the incorrect section.

So my question is whether or not your manager can log into your email account and send emails from your account in your absence?

It's not me that this has happened to, but my friend arrived back from annual leave this week to find that while they were away that their manager had got the IT guy in the office to log her into the friends computer to access emails. Before leaving the office to head away on annual leave my friend had put an out of office response on her emails which said to contact said manager in her absence? The manager replied to emails on the account signing off with my friends name.

Is this kind of thing allowed? I know personally working in the pharma industry that this type of thing would never happen!!

Cheers for replies in advance!

I think that the answer is that it depends on a number of things. It's a data protection issue. Employees are entitled to a certain amount of privacy at work. So says this: https://www.algoodbody.com/media/Opinion22017ondataprocessingatwork-wp2491.pdf. On the other hand, employers can cite 'legitimate interests' in accessing work-related records, and the email account is provided to your friend to do her job.

Best practice is that how the email system is managed should be described in a policy. Is there a written policy and what does it say? Has your friend been told her email can be accessed anytime? Are employees allowed to use the email system for personal purposes or is it strictly work? A policy might set down in what circumstances email may be accessed and that it should be authorised in writing.

Access should also be proportionate. It wouldn't usually be proportionate to access someone's email if they were only out for a day. If someone is on leave but amenable to being contacted, this route could be followed. They should also be told that the account was accessed on return to work.

Signing off on emails as someone else is prohibited in any policy I've ever read.

lifeandtimes

It's a breach of data protection.

My company drill it into us to never share passwords or let people use log ins under our usernames.

The fact an IT guy had to technically hack into your friends email account says it all.

What's to stop a disgruntled manager sending a disgracefull email to staff or clients from your friends email account and signing off as them

I'd be telling your friend to contact hr and data controller of the company

seamus

It's nothing to do with data protection.

There's a privacy issue. Employers cannot routinely snoop, but they are permitted to use automated systems to scan for offensive content, and they have a right to access the account where there's a legitimate business need.

If the employee has customer data that's stored nowhere else but the email account, then yes an employer is allowed to access the email to retrieve that data. And only that data.

There would be no specific thing dealing with impersonation, but again it could fall under privacy. If the recipient believes they are communicating with someone else then they may send information which is only intended for that person.

So the manager signs off the email as the employee and the person responds, "Oh, I thought you were on holiday, great, I didn't want to have to deal with your manager, he's an awful bollox".

The client's privacy has been breached and if the manager were to lost the plot, the client could sue for that breach.

HR should definitely be involved, and the CIO should be informed. But I wouldnt make a data protection complaint.

Vetch

seamus wrote: »

It's nothing to do with data protection.

There's a privacy issue. Employers cannot routinely snoop, but they are permitted to use automated systems to scan for offensive content, and they have a right to access the account where there's a legitimate business need.

If the employee has customer data that's stored nowhere else but the email account, then yes an employer is allowed to access the email to retrieve that data. And only that data.

There would be no specific thing dealing with impersonation, but again it could fall under privacy. If the recipient believes they are communicating with someone else then they may send information which is only intended for that person.

So the manager signs off the email as the employee and the person responds, "Oh, I thought you were on holiday, great, I didn't want to have to deal with your manager, he's an awful bollox".

The client's privacy has been breached and if the manager were to lost the plot, the client could sue for that breach.

HR should definitely be involved, and the CIO should be informed. But I wouldnt make a data protection complaint.

You say that employers cannot routinely swoop but that's because of the data protection rights of employees, so this is a data protection issue. We don't have enough information to know if there's been a 'breach' of some sort. That depends on company policy and what employees have been told. Privacy and data protection are interlinked - you can't have privacy without data protection.

davo10

Are email accounts associated with the business of the company not the property of the company and therefore accessible by management or with the permission of management?

In the business I own, this is covered in an "IT and Business Facilities Use Policy" which forms part of employment contract. The email accounts belong to the company.

hullaballoo

I don't know why anyone would think they have any privacy rights over a work email account.

Mrs OBumble

It is routine for managers to delegate signing authority to their employees. I would have expected that the inverse of this automatically lets managers sign as their employees.

CeilingFly

Assuming its a work email account under the work domain, then the company and it's officers may access the emails.

Where there could be an issue is if the manager is just another employee and is not a director of the company nor has permission from a director either explicitly or via job description to access other staff's emails.

It would be good to also check via browser history as to what other things/Pages were accessed.

wonski

Mrs OBumble wrote: »

It is routine for managers to delegate signing authority to their employees. I would have expected that the inverse of this automatically lets managers sign as their employees.

It would be rather strange practice to sign an email as Paul when your name is John...

While work email can be accessed, emails should not be sent out this way.

When you sign something on behalf you still use your own signature, not pretend to be your manager.

lifeandtimes

wonski wrote: »

It would be rather strange practice to sign an email as Paul when your name is John...

While work email can be accessed, emails should not be sent out this way.

When you sign something on behalf you still use your own signature, not pretend to be your manager.

This is the issue. If they signed off as the absent employee then they are putting that employee at risk during and after their emplyment with the company based on what might have been said

davo10

wonski wrote: »

It would be rather strange practice to sign an email as Paul when your name is John...

While work email can be accessed, emails should not be sent out this way.

When you sign something on behalf you still use your own signature, not pretend to be your manager.

I have to occasionally reply to emails on behalf of my administration staff because I am better placed to do so. I don't want the customer to think I am cutting the legs from under my staff by stepping in, particularly when they are away on holiday. There is also a continuity of communication, if I step in as the owner, it may give the impression that my employee is unable to deal with the query/problem.

wonski

davo10 wrote: »

I have to occasionally reply to emails on behalf of my administration staff because I am better placed to do so. I don't want the customer to think I am cutting the legs from under my staff by stepping in, particularly when they are away on holiday. There is also a continuity of communication, if I step in as the owner, it may give the impression that my employee is unable to deal with the query/problem.

We use a general account that has no name associated with it and everyone has access to it. We still put our name down or use a signature.

Nothing wrong with taking over a case while another person is away, but signing it with their name???

CeilingFly

Just for anyone just looking at this - companies will have a mail server which is accessible online and once they have the passwords (which they probably do) they can look in real time at emails coming in and going out at anytime and anywhere.

However, most people have more important things to do, but if there was an issue, deleting emails on your pc does not delete them off the server.

So for bitching about the boss, always use your private Gmail or Hotmail

Lazarus2.0

tolow wrote: »

Hi,

I'm not sure if this is the correct section to be posting this question but said I would post here, feel free to move if it's the incorrect section.

So my question is whether or not your manager can log into your email account and send emails from your account in your absence?

It's not me that this has happened to, but my friend arrived back from annual leave this week to find that while they were away that their manager had got the IT guy in the office to log her into the friends computer to access emails. Before leaving the office to head away on annual leave my friend had put an out of office response on her emails which said to contact said manager in her absence? The manager replied to emails on the account signing off with my friends name.

Is this kind of thing allowed? I know personally working in the pharma industry that this type of thing would never happen!!

Cheers for replies in advance!

It seems like poor practice at first glance but perhaps it was necessary for the manager to access the previous email string(s) in order to understand the issue(s) at hand and respond appropriately? The company's clients may well have assumed their 'tickets' were being merged so the new addressee (the manager) would be aware of any previous exchange with your friend but as a regular recipient/target for out of office colleagues the emails I might receive would often be as clear as mud and if there's only a barebones email system (i.e. no third party software and only a myriad of @thecompanyname.ie addresses) I'd have no hope of knowing what the client was on about. It may simply have been practical for the manager to respond directly from your friend's account while the matter at hand was in front of them and an auto-signature on the account would do the rest.
I guess that's the most benign interpretation and I make that interpretation on the assumption your friend is on a company email domain. I'd also be assuming your friend's computer is actually the company's computer.
If those assumptions are correct it's a given that her manager can indeed do that and I can't see there would be any privacy issue on your friend's part. However, the issue should be raised for reasons already stated in this thread (1) the client's privacy is at risk (2) if the manager messes up your friend doesn't want to be judged on their mistake (3) it's just plain incompetent and the company may quite like to be aware of and fix the cause.
If your friend is on a personal email address the rules are different, for sure, and that would likely bring a complexity beyond my ken

Apologies, OP, you haven't raised data protection at all but seeing as I'm here and typing and it's been raised on thread .... there is a huge difference between privacy and data protection. Data processing (Data Protection Act 1988 and amendments blah blah) governs how and when data provided by a subject is processed by an organisation. Unless in this instance the manager is disseminating or otherwise processing information that was provided by OP's friend for a different purpose (e.g. signing off with a name and address that were only provided on a CV or giving a phone number that was given privately for work purposes, let's say) there is no breach of DPA.

GM228

The ECHR Copland vs The UK - 62617/00 [2007] case held that that emails sent from business premises and information derived from the monitoring of internet use could be a part of an employee’s private life and correspondence, and that the collection and storage of that information without the knowledge of the employee would amount to an interference with the employee’s rights. However note the more controversial and more recent Bărbulescu case, which involved a private messenger account as opposed to a company account.

The Bărbulescu vs Romania 61496/08 [2016] ECHR case is also worth looking at is it held that an employer’s monitoring of their employee’s instant messenger account and the disclosure of these communications (to the Applicant’s colleagues) containing highly private, sensitive information was justified and therefore not a breach of Article 8 of the European Convention of Human Rights. To note however is that an ECHR decision is not binding.

I think you will find "legitimate interests" allow for monitoring of such, see the DPCs guidance on the matter and an opinion supported by the EUs Article 29 Working Party and the ECHR.

https://www.dataprotection.ie/docs/Guidance-Notes-Monitoring-of-Staff/m/208.htm

The Data Protection Commissioner accepts that organisations have a legitimate interest to protect their business, reputation, resources and equipment. To achieve this, organisations may wish to monitor staff's use of email, the internet, and the telephone. However, it should be noted that the collection, use or storage of information about workers, the monitoring of their email or internet access or their surveillance by video cameras (which process images) involves the processing of personal data and, as such, data protection law applies to such processing. The processing of sound and image data in the employment context falls within the scope of the Data Protection Laws...........

C.O.Y.B.I.B

GM228 wrote: »

The ECHR Copland vs The UK - 62617/00 [2007] case held that that emails sent from business premises and information derived from the monitoring of internet use could be a part of an employee’s private life and correspondence, and that the collection and storage of that information without the knowledge of the employee would amount to an interference with the employee’s rights. However note the more controversial and more recent Bărbulescu case, which involved a private messenger account as opposed to a company account.

The Bărbulescu vs Romania 61496/08 [2016] ECHR case is also worth looking at is it held that an employer’s monitoring of their employee’s instant messenger account and the disclosure of these communications (to the Applicant’s colleagues) containing highly private, sensitive information was justified and therefore not a breach of Article 8 of the European Convention of Human Rights. To note however is that an ECHR decision is not binding.

I think you will find "legitimate interests" allow for monitoring of such, see the DPCs guidance on the matter and an opinion supported by the EUs Article 29 Working Party and the ECHR.

https://www.dataprotection.ie/docs/Guidance-Notes-Monitoring-of-Staff/m/208.htm

I had a similar issue in a large organisation I worked in and I sought guidance from DPC and the gist of the answer was that it's OK to access an employee s email once you can back this up with a good business case . The other thing they said was to make sure there was a sound policy in relation to this i.e. if you say email is for work purposes only , then you are well covered .
This raises its head regularly when deciding how to handle email accounts of users who leave an organisation . If a person has personal information on there , they should delete it on leaving however it should be noted in the policy how long this information is retained for on the servers oand backup's.

Yawns

If it was strictly a work email, they can be accessed with good reason, but the manager shouldn't be signing as the employee. They should be signing their own name on behalf of the employee with say a pp in front of theirs.

Good reason would be the employee away for a month a deadline is next week with crucial information stored only on that employee's email. It's terrible practice but happens I guess. However I'd imagine the email would be pulled from the server rather than the employee's terminal. Also if done properly a written request to IT for it signed by the manager or email to IT from the manager's account. Just so a record is there and the reason for doing so.

OP I'd defo have your friend take it up with HR and see what the response is.

hullaballoo

hullaballoo wrote: »

I don't know why anyone would think they have any privacy rights over a work email account.

They don't based in company official business but you can't send a mail using that account

aligator_am

wonski wrote: »

It would be rather strange practice to sign an email as Paul when your name is John...

While work email can be accessed, emails should not be sent out this way.

When you sign something on behalf you still use your own signature, not pretend to be your manager.

I've setup mail accounts for users where, say for example a manager's mail is delegated to their PA or admin staff but any time I've set it up I was told the signature must contain the PA's name, sending on behalf of manager.

It does happen where management need to access an employee's emails but as others have said, they shouldn't be impersonating the person, just send the mail with modified signature if possible.

Also I keep hearing people in work banging on about this GDPR thing, I'm unsure how this scenario would fit in to it? not sure if it would make a difference at all but would be curious to learn more from others who are more clued in on it.

0ph0rce0

We are told to lock all computers and no one can access any other computer but your own.

No passwords to be given out to any other employee be it colleague, manager, director etc... for computer, email or any other software account.

IT are also not allowed to access any mail accounts unless that person has left the company and something needs to be pulled from it if nothing is needed it's shut down.

Pharma company and its down in the policy section under GMP/GDP failure to comply results in immeadiate dismissal.

That's just us though.

Yawns

0ph0rce0 wrote: »

We are told to lock all computers and no one can access any other computer but your own.

No passwords to be given out to any other employee be it colleague, manager, director etc... for computer, email or any other software account.

IT are also not allowed to access any mail accounts unless that person has left the company and something needs to be pulled from it if nothing is needed it's shut down.

Pharma company and its down in the policy section under GMP/GDP failure to comply results in immeadiate dismissal.

That's just us though.

That'd be a company policy rather than law. Which is great and clear from the start.

Vetch

GM228 wrote: »

The ECHR Copland vs The UK - 62617/00 [2007] case held that that emails sent from business premises and information derived from the monitoring of internet use could be a part of an employee’s private life and correspondence, and that the collection and storage of that information without the knowledge of the employee would amount to an interference with the employee’s rights. However note the more controversial and more recent Bărbulescu case, which involved a private messenger account as opposed to a company account.

The Bărbulescu vs Romania 61496/08 [2016] ECHR case is also worth looking at is it held that an employer’s monitoring of their employee’s instant messenger account and the disclosure of these communications (to the Applicant’s colleagues) containing highly private, sensitive information was justified and therefore not a breach of Article 8 of the European Convention of Human Rights. To note however is that an ECHR decision is not binding.

I think you will find "legitimate interests" allow for monitoring of such, see the DPCs guidance on the matter and an opinion supported by the EUs Article 29 Working Party and the ECHR.

https://www.dataprotection.ie/docs/Guidance-Notes-Monitoring-of-Staff/m/208.htm

An important point in the Barbulescu case is that the employer had a written policy, which was communicated to staff, that personal use of the IT systems was forbidden. The employee breached the policy.

the_pen_turner

surely all the data is owned by the company and the employee is only accesing it for their job.
how could it be wrong that a company can access its own data

the_pen_turner

the_pen_turner wrote: »

surely all the data is owned by the company and the employee is only accesing it for their job.
how could it be wrong that a company can access its own data

Because not all official email is business related. There could be HR/Payroll/Performance related mails in there also which are not for onward circulation outside the involved parties. There could also be legally sensitive mails from customers/vendors which can only be accessed be certain individuals/teams, which a manager may not actually have authorisation to read.

I was involved in mails relating to Oracle which involved a project team lead by our CFO and I was under strict instructions that everything to do with that project was only for circulation within the team. That team excluded my manager.

Vetch

the_pen_turner wrote: »

surely all the data is owned by the company and the employee is only accesing it for their job.
how could it be wrong that a company can access its own data

Some employers permit 'limited personal use' of IT systems in their IT policies. So some emails and documents might have nothing to do with the employing organisation and are the employee's personal data.

Marcusm

hullaballoo wrote: »

I don't know why anyone would think they have any privacy rights over a work email account.

I agree 100% with this but I thinknit’s Highly inappropriate to send emails purporting to derive from a fellow employee without their knowledge or approval. Irrespective of the manager-managed relationship, misrepresenting yourself as one of your colleagues irrespective of how benign the intentions are would lead to unnecessary HR/grievance issues.