HRD chats with one legal expert about the laws relating to monitoring digital messages in the workplace
Last week, the European Court of Human Rights ruled that a firm had not breached privacy rights after reading an employee’s personal chat messages.
In response to this landmark case, HRD asked Dayne Ho, partner at Shook Lin & Bok, about what Singapore employers have to be aware of with regards to monitoring staff emails.
“In Singapore there are few legal barriers to employee monitoring in the workplace,” he said.
When a staff member accesses personal email through a company-issued computer or phone or via the internal company network, they will generally have no expectation of privacy, Ho added.
“In addition, employment contracts or company policies often contain clauses which expressly permit an employer to monitor an employee’s online behaviour in the office or when using office resources. This could include personal email if it was accessed in such a manner.”
This does not mean that HR has free reign to read emails sent by employees. In general, an employer should only read an employee’s personal messages if there is a reason to do so, he said.
“A company should have in place its own internal guidelines so as not to misuse such access and to prevent other issues from arising, such as allowing any information obtained to be used to harass or discriminate against an employee.”
There are two laws which are relevant to employee monitoring in the workplace that HR needs to be aware of, said Ho.
The first is the Personal Data Protection Act (PDPA) which states that the collection, use and disclosure of personal data requires the consent of the person whose personal data is being collected and used.
“Personal data itself is very generally defined and could include the information in an employee’s personal email account,” Ho said.
Exceptions in the PDPA allow for this consent within the employer-employee relationship whenever the data is used for the purpose of managing this relationship.
However, whether the reading of personal emails actually falls under this exemption has not been tested yet, Ho warned. Breaching the provisions of the PDPA can result in fines of up to S$1 million, he added.
“HR should ensure that the company’s employment contracts expressly provide for the monitoring of an employee’s personal matters online when office resources are used,” he said. “Without this, there is a possibility that the exemption under the PDPA is not applicable and would therefore result in an offence under the PDPA.”
Employers should also take care to follow the Computer Misuse and Cybersecurity Act. Guidelines should be implemented to ensure it is appropriate to read an employee’s email, for instance to check for a breach of company policy or intention to commit illegal acts.
“It is critical that the employer does not carry out any activity when monitoring such emails that can be construed as an offence under the Computer Misuse and Cybersecurity Act. This includes keylogging for passwords or accessing an email account when it is not logged on.”
For example, monitoring the employee’s internet history found stored on company servers should not be an issue, Ho said. However actually entering in an employee’s password to access their personal email account could have serious ramifications.
Those found guilty of violating the Computer Misuse and Cybersecurity Act can receive a fine of up to S$50,000 or seven years in jail.
Related stories:
When can you dismiss an employee for social media use?
Hi-tech glasses give employers big brother vision
Why Shell's electronic trackers aren’t a big deal
In response to this landmark case, HRD asked Dayne Ho, partner at Shook Lin & Bok, about what Singapore employers have to be aware of with regards to monitoring staff emails.
“In Singapore there are few legal barriers to employee monitoring in the workplace,” he said.
When a staff member accesses personal email through a company-issued computer or phone or via the internal company network, they will generally have no expectation of privacy, Ho added.
“In addition, employment contracts or company policies often contain clauses which expressly permit an employer to monitor an employee’s online behaviour in the office or when using office resources. This could include personal email if it was accessed in such a manner.”
This does not mean that HR has free reign to read emails sent by employees. In general, an employer should only read an employee’s personal messages if there is a reason to do so, he said.
“A company should have in place its own internal guidelines so as not to misuse such access and to prevent other issues from arising, such as allowing any information obtained to be used to harass or discriminate against an employee.”
There are two laws which are relevant to employee monitoring in the workplace that HR needs to be aware of, said Ho.
The first is the Personal Data Protection Act (PDPA) which states that the collection, use and disclosure of personal data requires the consent of the person whose personal data is being collected and used.
“Personal data itself is very generally defined and could include the information in an employee’s personal email account,” Ho said.
Exceptions in the PDPA allow for this consent within the employer-employee relationship whenever the data is used for the purpose of managing this relationship.
However, whether the reading of personal emails actually falls under this exemption has not been tested yet, Ho warned. Breaching the provisions of the PDPA can result in fines of up to S$1 million, he added.
“HR should ensure that the company’s employment contracts expressly provide for the monitoring of an employee’s personal matters online when office resources are used,” he said. “Without this, there is a possibility that the exemption under the PDPA is not applicable and would therefore result in an offence under the PDPA.”
Employers should also take care to follow the Computer Misuse and Cybersecurity Act. Guidelines should be implemented to ensure it is appropriate to read an employee’s email, for instance to check for a breach of company policy or intention to commit illegal acts.
“It is critical that the employer does not carry out any activity when monitoring such emails that can be construed as an offence under the Computer Misuse and Cybersecurity Act. This includes keylogging for passwords or accessing an email account when it is not logged on.”
For example, monitoring the employee’s internet history found stored on company servers should not be an issue, Ho said. However actually entering in an employee’s password to access their personal email account could have serious ramifications.
Those found guilty of violating the Computer Misuse and Cybersecurity Act can receive a fine of up to S$50,000 or seven years in jail.
Related stories:
When can you dismiss an employee for social media use?
Hi-tech glasses give employers big brother vision
Why Shell's electronic trackers aren’t a big deal