The French CNIL has adopted and published a new set of guidelines that set forth “best practices” about privacy protection at work (the Guidelines).

As is often the case in France, in particular where labor law regulations are concerned, the reader should bear in mind that the wording “best practices” in reality encompasses binding guidelines: these guidelines are supported by French labor law and case law that protect the privacy of individuals and the secrecy of their correspondence, even at work. This blog has recently highlighted an example in that respect.

Many companies have provided their employees with a company email account as well as a professional computer.

However, employees can use these tools during their breaks and can create or use personal documents on their computer. They can also have personal email at their professional address.

Therefore, is everything that is saved on these professional tools to be automatically considered as professional?

The CNIL offers some responses showing that the answer is not that clear:

1. Can employers monitor Internet access?

Employers may want to monitor or control Internet usage, or use Internet filtering software to block access to specific sites. According to the Guidelines, employers can monitor Internet use such as web-surfing and electronic mail. They can keep track of the list of websites visited and of the amount of time an employee spends online. However, they cannot use “keyloggers” to track all activities on a computer.

Any monitoring must be declared by employers to the CNIL. Employers must inform their employees about the procedure in place, its aim and duration. 

2. What can employers look at on an employee’s computer?

• Company email account

If a professional email system is used at the company, the employer is allowed to review its contents. However, even though the emails are sent or received on a company email account, employers do not have totally free access to them.

Employers cannot access any email marked as “private” or “personal,” except during a trial, and based on a court order.

Employers cannot receive a copy of every email sent by employees.

• Files

Employers can in principle access any file on the professional computer.

However, if files or document folders are marked as “personal” or “confidential,” employers can only access these in the presence of the employee or after calling him, or in case of a risk or particular event. Even seizures of personal files must be carried out in the employee’s presence.

3. What if an employee is on holiday?

If an employee is absent, the employer should first try to access the documents sought through network access.

If this does not work, the employer can then request the network administrator to access these documents.

Finally, if access is still impossible, the employer can obtain the employee’s password, but this procedure has to remain exceptional: it is available only if there is no other choice and if overriding the employee’s privacy remains indispensable for the benefit of the company. The employer would be well advised to keep a record of all these steps.

4. How can employers inform employees?

The CNIL recommends in that respect that employers set up policies in their companies to notify their employees of every rule or monitoring procedure in place.

5. What are the consequences during a trial? 

The first principle set forth by the Guidelines is that employers cannot use the result of illegal monitoring during a performance evaluation or against an employee under disciplinary procedure.

In the same way, documents that have been seized in breach of the Guidelines will not be considered as evidence in a trial and will be rejected by the judge.

Adequate collection of evidence is therefore key, since this can completely reverse the outcome of the procedure.