IT / Domain Administration Laws against user privacy

uncapped_shady

Well-Known Member
Joined
Nov 29, 2010
Messages
213
Good Day

I just need some advice on what the laws are with regards to accessing email accounts and data on users that have left a company by order of Management or Directors of the company.

Example: I am the IT Administrator that was instructed to get certain information from a user's email account that has left the company (Company Email Account) as well as data that was stored on company pc / servers.

Technically that would be invasion of privacy, not true? And if I were to follow their orders, would the company be to blame at the end of the day, or me myself, or the company as well as myself?

Any information regarding this would be greatly appreciated.

Thanks guys.
 

TheGrove

Expert Member
Joined
Jan 4, 2013
Messages
1,314
We have to sign all sorts of documents stating that any data stored on company servers belongs to the company.

So pretty sure it is legal, we have to do it often and it passes through legal.
 

spiderz

Honorary Master
Joined
Mar 24, 2006
Messages
35,106
Make sure in the contract the employee signs that it states that all information on company servers/hardware is company property and can be monitored / viewed at anything.
If they want to keep something private, don't use company resources.
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
48,685
I can tell you a long and deep story on this topic. Our own company policy prevents this under conditions and circumstances, our own policies are also mutual to our SLAs, thus we treat our internal environment the very same as with our customer’s ICT environment. This is but one ethical business standard we implemented.

There are various laws stating privacy; the domain and e-mail address may belong to your company, but not the personal content to a certain degree. They will need legally obtained access to their employee’s personal data. I’m not about to go into depth with laws, policies and their clauses, but someone with a law background can check this, ask Michalsons on MyBB. Remember, the employees also utilise the company-paid internet in regard with their personal activities, so they should not be doing anything personal at all, time to look into the group policies.

Back in the day when I was still a network administrator, the company let me go due to me not providing the personal details they requested on a certain employee.
 

Batista

Executive Member
Joined
Sep 2, 2011
Messages
7,909
Good Day

I just need some advice on what the laws are with regards to accessing email accounts and data on users that have left a company by order of Management or Directors of the company.

Example: I am the IT Administrator that was instructed to get certain information from a user's email account that has left the company (Company Email Account) as well as data that was stored on company pc / servers.

Technically that would be invasion of privacy, not true? And if I were to follow their orders, would the company be to blame at the end of the day, or me myself, or the company as well as myself?

Any information regarding this would be greatly appreciated.

Thanks guys.
Nowadays almost everything you do on the work PC belongs to the company, and they can get access to that data anytime they want.
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
48,685
Nowadays almost everything you do on the work PC belongs to the company, and they can get access to that data anytime they want.

There are enough policies protecting employee details, now with POPI:

Rights Granted in Terms of the Protection of Personal Information Bill

The section 5 of the Protection of Personal Information Bill briefly sets out the rights granted in terms of the bill which are elaborated and expanded on in further chapters. The rights granted in terms of the bill include:

  • the right to be notified that personal information is being collected;
  • the right to be notified if there has been any security compromises and if personal information has been unlawfully accessed;
  • the right to establish if a person or entity holds any personal information and if so request access to the personal information;
  • the right to know the identity of third parties who have had access to the personal information;
  • the right to request the correction, destruction or deletion of personal information;
  • the right to object to the processing of personal information;
  • the right to submit a complaint to the Information Regulator, which is to be established in terms of the bill; and
  • the right to institute civil law suits to claim damages suffered as a result of a contravention of the bill.

Nowadays, like last month?
 

uncapped_shady

Well-Known Member
Joined
Nov 29, 2010
Messages
213
Back in the day when I was still a network administrator, the company let me go due to me not providing the personal details they requested on a certain employee.
You see, this is the kind of thing that I am worried about... If I refuse to get the info they require due to the Protection of Personal Information Bill, does the company have the right to fire me? Talk about being stuck between a rock and a hard place :crying:
 

crackersa

Honorary Master
Joined
May 31, 2011
Messages
29,028
There are enough policies protecting employee details, now with POPI:

Rights Granted in Terms of the Protection of Personal Information Bill

The section 5 of the Protection of Personal Information Bill briefly sets out the rights granted in terms of the bill which are elaborated and expanded on in further chapters. The rights granted in terms of the bill include:

  • the right to be notified that personal information is being collected;
  • the right to be notified if there has been any security compromises and if personal information has been unlawfully accessed;
  • the right to establish if a person or entity holds any personal information and if so request access to the personal information;
  • the right to know the identity of third parties who have had access to the personal information;
  • the right to request the correction, destruction or deletion of personal information;
  • the right to object to the processing of personal information;
  • the right to submit a complaint to the Information Regulator, which is to be established in terms of the bill; and
  • the right to institute civil law suits to claim damages suffered as a result of a contravention of the bill.

Nowadays, like last month?

I don't believe this relates to the company one will work for but more in relation to the company that one is doing business with. If you want privacy, then use your cell on a 3G network, not company assets. They weren't bought and paid for an employee to Facebook with their mates for half the day.
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
48,685
You see, this is the kind of thing that I am worried about... If I refuse to get the info they require due to the Protection of Personal Information Bill, does the company have the right to fire me? Talk about being stuck between a rock and a hard place :crying:

This incident happened to me years ago; my reasoning in not providing the details was due to the nature of the content the company sought... The thing is, their CFO scanned all incoming spam and well picked something up which had nothing to do with him. They asked me to basically dump his inbox… No warning and bye. We actually service this company today with the very same management as they had back in the day.
 

grim

Expert Member
Joined
Jan 6, 2006
Messages
3,733
The data belongs to the company, they can do with it what they want.

You aren't accessing any personal information that the company doesn't already have on record of the employee.
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
48,685
I don't believe this relates to the company one will work for but more in relation to the company that one is doing business with. If you want privacy, then use your cell on a 3G network, not company assets. They weren't bought and paid for an employee to Facebook with their mates for half the day.

A company policy should state the limitation towards personal activities on a company network and/or inside the work environment; standard discipline procedures should be engaged when an employee breaches a policy.

There is no law stating that a company may have access or own your personal property, this is not within the same role as the purpose in employment, such as intellectual property in regard with the nature in your employer and employee roles and responsibilities like in the whole Please Call Me lawsuit when it comes to a mutual understanding and clash of interest.

POPI is not only limited to the consumer, it is but merely the protection of your personal information.

Our own company invests in workshops, ethical organisations and law-abiding procedures to not only conduct ethical business and procedures within the law and applicable guidelines, but also to stay on good standing terms.
 

PsyWulf

Honorary Master
Joined
Nov 22, 2006
Messages
13,645
RICA requires written permission to access data, which in most companies is in the form of a Computer Usage Policy which you signed and accepted. Once that right is granted the company is within rights to access any communication/data on their systems.

As for POPI
Employers should be aware that most information collected from an employee will constitute ‘personal information’ as the term includes the race, age, gender, sex, pregnancy status, marital status, nationality, ethnic or social origin, sexual orientation, physical or mental health, disability, religion, culture and language of the employee. The term also includes information relating to the educational, medical, financial, criminal or employment history of the employee. Location information also falls under this term and would include e-mail and physical addresses, or telephone and cellular phone numbers of the employee. As the use of fingerprint and retina scanners becomes more common in the workplace, employers should take note that biometric information of employees such as fingerprints and retinal data will also constitute personal information. Personal information would also include correspondence sent by the employee that is implicitly or explicitly of a private or confidential nature such as a personal email.

Now when reviewing the bolded section the following must be taken into consideration:
An employer may only process personal information if there is sufficient justification for such processing. Sufficient justification would include instances where the employee gave fully informed and proper consent to the processing. The employer bears the onus to prove that such consent was provided. The employee may withdraw consent at any time.
Which much like RICA would likely fall under the Computer Use Policy and Employment Contracts

Neither _prevents_ access to the information unless it's explicitly marked as "Personal" and the company does not suspect it to be mislabeled (if you hide company documents in your PERSONAL folder they are allowed to review the documents if they have legitimate concern that business data is kept there)
 

Bobbin

Executive Member
Joined
Oct 22, 2009
Messages
9,109
This is an HR concern not an IT concern. Get a written request from the HR director, they should handle the due diligence not you. If it comes back to you in any way you will have the written request from HR, just keep it handy always.
 

uncapped_shady

Well-Known Member
Joined
Nov 29, 2010
Messages
213
Thank you all for your input. I think I will take Bobbin's advice and get a written request from HR just to cover myself in case anything happens. Just one last question: wouldn't getting permission from HR to retrieve the data be much like getting written permission from HR to stab someone?
In the sense that I am still punishable due to the fact that I should have known that it was invasion of privacy in the first place?
 

PsyWulf

Honorary Master
Joined
Nov 22, 2006
Messages
13,645
If they confirm consent was given to access the data there is no other law overriding this consent - unlike murder ;)
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
48,685
Thank you all for your input. I think I will take Bobbin's advice and get a written request from HR just to cover myself in case anything happens. Just one last question: wouldn't getting permission from HR to retrieve the data be much like getting written permission from HR to stab someone?
In the sense that I am still punishable due to the fact that I should have known that it was invasion of privacy in the first place?

HR must abide to the labour rules and laws, to which many other personal and privacy policies are attached. This is the correct procedure, when it comes to ethics you will do the right thing according to Bobbin's advice.
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
48,685
If they confirm consent was given to access the data there is no other law overriding this consent - unlike murder ;)

I however see it strange how many people are differently opinionated when it comes to the law in regard with the right and wrong.
 

wombling

Senior Member
Joined
Nov 24, 2012
Messages
555
A lot of this hinges on the employment agreement between said employee and business. There is usually a clause which the employee will waive their expectation of privacy with regards to business systems (email) and internet use (through monitoring etc.)

Short answer: Take it up with HR.
 

PsyWulf

Honorary Master
Joined
Nov 22, 2006
Messages
13,645
I however see it strange how many people are differently opinionated when it comes to the law in regard with the right and wrong.

Acts like POPI and RICA are written very widely and very much interpretive in nature - till somebody actually pushes it in the courts and we have an exact example to compare against. So till that happens most opinions will be conjecture and opinions can differ. I have yet to see any challenge to this access made (successfully) using these acts, and am pretty confident that the "consent" requirement of both is satisfied well enough.
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
48,685
If they confirm consent was given to access the data there is no other law overriding this consent - unlike murder ;)

Things that must be taken into consideration:

  • A company policy may not overwrite the law, but must abide to the guidelines within the law.
  • A person (or in this case employee) may withdraw consent at any given time, even when signed on contract as per the agreements.

The rule states the employee must provide the permission on request, but then again legal access can be obtained to overwrite this consent which is applicable to the case.
 