Email-related privacy issues usually fall into one of three categories:
- use of personal data;
Use of personal email data
Your emails contain a treasure trove of personal information about you. Under the Data Protection Act 1998 (the regime in force when this was written; it has since been replaced by the Data Protection Act 2018 and the UK GDPR), anyone collecting this data is required to tell you how it will be used and to use it only for that purpose.
If you know an organisation holds personal data about you, you can require it to reveal what information it holds (it may charge a fee to do so). If it fails to comply, you can complain to the Information Commissioner.
What about organisations that keep sending you marketing emails? Under the Privacy and Electronic Communications Regulations 2003, they should not send such messages without first obtaining your express consent unless all of the following apply (the so-called soft opt-in):
- they obtained your details in the course of the “sale or negotiations for the sale” of a product or service;
- the messages relate to similar products or services offered by the sender; and
- you were given a simple means of refusing the use of your details for marketing when they were collected and, if you did not refuse then, a simple way to opt out in every subsequent message.
Note also that under section 11 of the Data Protection Act you can require anyone processing your personal data to stop using it for direct marketing. If they fail to comply, you can complain to the Information Commissioner and/or apply for a court order.
Section 13 also allows you to claim compensation for any contravention of the Act that causes you damage or distress.
Article 8 of the European Convention on Human Rights gives you a right to respect for your private life and correspondence. A public authority may interfere with that right only where the interference is “in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.
If your employer wants to monitor your emails, it must inform you it intends to do so. This could be done in your employment contract or employee handbook, or some other kind of workplace email policy. The policy should:
- set out clearly the circumstances in which you may or may not use work email and internet for private communications;
- make clear the extent and type of private use that is allowed;
- explain why your employer monitors emails, the extent of the monitoring, and the means used;
- outline how the policy is enforced and the penalties you can expect if you breach the policy;
- inform you of the extent to which information about your internet access and emails is retained in the system and for how long.
As a general rule, employers cannot read an email without the consent of both the sender and the recipient. There are a number of exceptions to this rule, which include intercepting business emails to:
- ascertain regulatory compliance;
- detect unauthorised use; and
- prevent/detect criminal activity.
Note, however, that these exceptions do not extend to personal emails, so your employer should take all reasonable measures to avoid opening them, even ones sent from a workplace email account.
If you are allowed to access your personal email account at work, your employer may monitor such emails only in exceptional circumstances (e.g., to investigate criminal activity).
If you think that your employer has illegally monitored your emails or wants to discipline you for improper email use, you should seek expert legal advice as a matter of priority.
Identity theft and phishing scams are on the increase. The scam works like this: a criminal sends you an email that pretends to come from a genuine company operating on the Internet, in order to trick you into disclosing personal information. The email typically claims that you need to “update” or “verify” your account details and urges you to click a link, which takes you to a bogus website that imitates the real one. Anything you enter there is captured by the criminals and used for fraud. Bear in mind that the text you see for a link and the address it actually points to need not match.
Most seasoned computer users recognise these dodgy emails instantly, but children or those less experienced with the online world may be taken in.
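The mismatch between what a link says and where it goes is something a mail filter can check mechanically. The following is an added example, not code from the original article: it pulls every link out of an HTML email body and flags the classic phishing tells (visible text naming one domain while the href points at another, a raw IP address as the host, a user-info section before “@” that hides the real host, a plain http link, and a legitimate-looking domain embedded as a prefix of a different host). The sample message and every domain in it are constructed placeholders; the “registrable domain” helper is a deliberately crude last-two-labels approximation rather than a public-suffix lookup.

```python
"""Flag the tell-tale signs of a phishing link in an HTML email body.

Added example, not code from the original article. The message and the
domains below are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed sample: one link with a hidden host, one lookalike domain, one clean link.
SAMPLE_HTML = """<p>Dear customer, please verify your account details.</p>
<a href="http://www.example-bank.com@203.0.113.5/login">https://www.example-bank.com/login</a>
<a href="https://example-bank.com.verify-account.example/login">Update your details</a>
<a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a>"""

# Something that looks like a domain name (optionally with a scheme) inside link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
# Labels that normally only appear at the end of a host name; seeing one earlier
# ("example-bank.com.evil.example") is a classic lookalike trick. Heuristic list.
TLD_LIKE = {"com", "net", "org", "co", "gov", "edu", "uk"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href, text):
    """Return human-readable findings for one link (empty list = nothing odd)."""
    findings = []
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return [f"non-web scheme {parts.scheme!r}"]
    host = parts.hostname or ""
    if parts.scheme == "http":
        findings.append("plain http link")
    if "@" in parts.netloc:
        findings.append("userinfo before '@': the real host is " + host)
    try:
        ipaddress.ip_address(host)
        findings.append(f"raw IP address host {host}")
    except ValueError:
        pass  # a normal host name, not an IP literal
    labels = host.split(".")
    if any(label in TLD_LIKE for label in labels[:-1]):
        findings.append(f"embedded domain-like prefix in host {host}")
    m = DOMAIN_RE.search(text)
    if m and registrable(m.group(1)) != registrable(host):
        findings.append(f"visible text says {m.group(1)} but link goes to {host}")
    return findings


def scan_html(body):
    """Return [(href, text, findings)] for every link in an HTML body."""
    collector = LinkCollector()
    collector.feed(body)
    return [(href, text, check_link(href, text)) for href, text in collector.links]


if __name__ == "__main__":
    for href, text, findings in scan_html(SAMPLE_HTML):
        print(href, "=>", findings or "ok")
```

Run as-is it reports four findings for the first link, one for the lookalike domain and none for the genuine help page. The checks are heuristics: a real filter would also consult a public-suffix list and a reputation feed, and an attacker who controls a plausible domain will trip none of them, which is why the advice to type the site's address yourself rather than follow a link still stands.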
You may also fall victim to a company’s lax email security. Under the Data Protection Act, organisations must handle customers’ personal data with appropriate care, which matters most in fields such as financial services, law and healthcare. Businesses and public bodies in these and other fields should not send sensitive data in unencrypted email: a message that crosses the network in the clear can be read or modified in transit by anyone positioned between the sending and receiving mail servers, and a criminal who intercepts it can exploit the personal and financial data it contains. Note that even where every server-to-server hop is protected by TLS, each relay on the path still sees the message in plaintext, so hop-by-hop encryption is not a substitute for encrypting the content itself.
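Whether a message actually crossed the wire in the clear can be read off its Received headers: each relay records the protocol keyword it accepted the message with (ESMTPS, ESMTPSA and the like, registered in RFC 3848 and RFC 6531, mean the session was protected by TLS; plain SMTP or ESMTP means it was not). The following is an added example, not code from the original article: it walks the Received chain of a raw message and lists the hops that were unencrypted. The message itself is constructed, with documentation host names and addresses; the parenthetical “version=TLS…” note that some mail servers append is treated as additional evidence but is not standardised.

```python
"""List the hops in an email's Received chain and whether each used TLS.

Added example, not code from the original article. The message below is
constructed; host names and addresses are documentation placeholders."""
import email
import re

# Constructed message: the first hop (client to the sender's mail server) is
# plain SMTP, the second (sender's server to the recipient's MX) negotiated TLS.
RAW_MESSAGE = b"""Received: from mail.sender.example (mail.sender.example [203.0.113.10])
    by mx.receiver.example with ESMTPS id a1b2c3
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
    Mon, 1 Jan 2024 09:00:00 +0000
Received: from client.sender.example (client.sender.example [192.0.2.25])
    by mail.sender.example with SMTP id d4e5f6;
    Mon, 1 Jan 2024 08:59:58 +0000
From: alice@sender.example
To: bob@receiver.example
Subject: Your account statement

Statement attached.
"""

# "with" protocol keywords registered for Received headers (RFC 3848, RFC 6531);
# the trailing S means the session was protected by STARTTLS/TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.I)


def _field(regex, value):
    m = regex.search(value)
    return m.group(1) if m else None


def parse_received(value):
    """Turn one Received header (possibly folded) into a dict describing the hop."""
    value = " ".join(value.split())  # collapse folding whitespace into single spaces
    protocol = _field(WITH_RE, value)
    protocol = protocol.upper() if protocol else None
    # Some servers also print the negotiated TLS version in parentheses (not standardised).
    tls = protocol in TLS_PROTOCOLS or "version=TLS" in value
    return {
        "from": _field(FROM_RE, value),
        "by": _field(BY_RE, value),
        "protocol": protocol,
        "tls": tls,
    }


def hops(raw):
    """Return the hops in delivery order (oldest first)."""
    msg = email.message_from_bytes(raw)
    received = msg.get_all("Received") or []
    # The top-most Received header was added last, so reverse into chronological order.
    return [parse_received(v) for v in reversed(received)]


def unencrypted_hops(raw):
    """Human-readable list of hops where the mail crossed the wire in the clear."""
    return [f"{h['from']} -> {h['by']}" for h in hops(raw) if not h["tls"]]


if __name__ == "__main__":
    for h in hops(RAW_MESSAGE):
        print(f"{h['from']} -> {h['by']}: {h['protocol']} tls={h['tls']}")
    print("unencrypted:", unencrypted_hops(RAW_MESSAGE))
```

Two caveats a practitioner should keep in mind: Received headers are written by each relay in turn, so only the ones added by servers you trust are reliable (anything below them may be forged by the sender), and a chain that shows TLS on every hop still says nothing about what each relay did with the plaintext it held, which is the point of the paragraph above.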