Is it legal to monitor staff emails and phones?

The question popped up amid Hong Kong’s crisis — but is checking employees’ personal messages allowed in Singapore?


The latest feature of the ongoing Hong Kong crisis is ‘white terror’, where anonymous acts like random sackings take place and create a climate of fear among employees.

The sudden dismissal of Rebecca Sy, a union leader at Cathay Dragon airlines, was allegedly due to white terror.

She said she was fired without explanation, after managers saw and confirmed her Facebook account. She had a 17-year career with Cathay's budget airline.

White terror has spread beyond Cathay and into other industries — employees are saying they’re scared to even talk about the protests, let alone on private messaging platforms, for fear they’ll get reported to HR or management and lose their jobs.

The phenomenon has pushed some to question if monitoring employees’ phones or social media accounts is legal.


Is it legal in Singapore?
Over in Singapore, besides the European GDPR and local PDPA, what should employers be aware of when monitoring staff communications?

A local employment lawyer told HRD that “there are few legal barriers” to monitoring employees in the workplace.

“When a staff member accesses personal email through a company-issued computer or phone or via the internal company network, they will generally have no expectation of privacy,” he said.

“In addition, employment contracts or company policies often contain clauses which expressly permit an employer to monitor an employee’s online behaviour in the office or when using office resources.”

This does not mean that HR has free rein to read emails sent by employees, he said. In general, an employer should only read an employee’s personal messages if there is a reason to do so.

He recommends that HR put in place internal guidelines to avoid the misuse of such access, such as using employee information to harass or discriminate against them.


Laws to comply with
When drawing up company guidelines, HR should consider several laws: Personal Data Protection Act (PDPA), EU’s General Data Protection Regulation (GDPR), and Singapore’s Computer Misuse and Cybersecurity Act.

  • PDPA: Prior notification and consent for use of personal data is obligatory. Individuals can withdraw consent with reasonable notice — the organisation thus has to cease collection or use of personal information.

Exceptions in the PDPA allow for this consent within the employer-employee relationship whenever the data is used for the purpose of managing this relationship, said the lawyer.

However, whether the reading of personal messages actually falls under this exemption has not been tested yet. Breaching the provisions of the PDPA can result in fines of up to $1 million.

  • GDPR: Use of personal data is only lawful if consent is given and the data is used for an agreed, specific purpose. This law applies to your company if it works with EU organisations, has customers in the EU, or monitors behaviour in the EU.

Do note that compliance with the PDPA does not necessarily mean the organisation is in compliance with the EU GDPR as there are differing requirements under the two regimes, according to local authorities.

  • Computer Misuse and Cybersecurity Act: ‘Computer’ covers any electronic device, for example one used for communications. Guidelines should be implemented to ensure there is an appropriate reason to read an employee’s email, for instance to check for a breach of company policy or an intention to commit illegal acts.

When monitoring emails, it is critical that the employer does not carry out any activity that can be seen as an offence under the Act, warned the lawyer. This includes keylogging for passwords or accessing an email account when it is not logged on.

For example, monitoring the employee’s internet history found stored on company servers should not be an issue, said the lawyer. However, actually entering an employee’s password to access their personal email account could have serious ramifications.

Those found guilty of violating the Computer Misuse and Cybersecurity Act can receive a fine of up to $50,000 or seven years in jail.

“Personal data itself is very generally defined and could include the information in an employee’s personal email account,” the lawyer said.

“HR should ensure that the company’s employment contracts expressly provide for the monitoring of an employee’s personal matters online when office resources are used.”