IF an employee accesses their personal e-mail on a company laptop or smartphone, do they lose their right to keep those communications private?

The emerging jurisprudence suggests that an employee’s expectation of privacy is neither absolute nor automatically extinguished by the use of company-issued equipment. The critical principle that emerges is that determining an employee’s expectation of privacy is dependent on a range of factors, including the purpose for which the device was issued, the employer’s policies, the nature of the communications accessed, and the manner in which the employer obtains and retains the data.

Employment contracts or company handbooks typically contain provisions that deal with confidentiality and the use of company-issued devices. It is customary for employers to have policies that state that the company’s e-mail addresses, as well as their mobile devices, are to be used for work purposes only. Some go further by stating that no personal e-mail or
WhatsApp accounts are to be installed on work devices. By accepting employment on those terms, an employee’s autonomy over the personal use of those devices is substantially reduced. For example, if an employee applies for a new job using a personal e-mail account on a company-issued laptop, then it should be anticipated that those communications could come to their employer’s attention. This is because the device remains company property, and the employer has a legitimate interest in monitoring the data on its equipment and preventing the misuse of its resources.

This issue arose in the 2018 industrial dispute between University College of the Caribbean (UCC) & Dr Paul Thompson, its then vice-president for academic & student affairs. In that matter, Dr Thompson set up a personal e-mail account on UCC’s mobile device, which he neglected to remove from the device before returning it to UCC, allowing them to see certain unflattering e-mail about them that had been sent from his personal e-mail address. Dr Thompson sought to argue that his account had been hacked and that UCC needed to prove that it was he who had pressed “Send”. The Industrial Disputes Tribunal ruled that, on the facts before them, they were satisfied that Dr Thompson had sent the e-mail maligning the leadership of the university and that his dismissal was justifiable in all respects. Issues of privacy of the emails in question did not arise before the tribunal.

This dispute was heard before the Data Protection Act, 2020, came into force. The Data Protection Act provides a framework that individuals can use to safeguard their constitutional right to privacy. Now that the Act is in force, it makes it even more important for employers to establish policies that govern the use of company e-mail accounts and devices that set appropriate expectations for the privacy of communications stored thereon.

This issue was highlighted in the 2023 English case of FKJ v RVT. There, a law firm accessed and retained 18,000 private
WhatsApp messages belonging to a former solicitor that had been synchronised with her work laptop. There was no explicit prohibition on personal use of the laptop, nor was there any warning that messages on that device may be monitored. These messages were used by the firm to defend itself against the solicitor’s claim before the Employment Tribunal regarding sexual harassment and unfair dismissal. The firm succeeded, as the messages showed that the sexual advances complained of were either consensual, exaggerated or never occurred. After her loss, the solicitor sued the firm in court for misuse of her private information. The law firm contended that, because the laptop was company property, the employee could have had no reasonable expectation of privacy or confidentiality in messages that were saved or downloaded to the device during work hours. The court rejected this argument and held that an employee does not automatically lose their right to privacy simply because personal communications are stored on a work device. The court further found that even where there are messages found on company property that are relevant to legal proceedings, the employer’s unauthorised retention of these private communications, rather than returning them to the employee for her to fulfil disclosure obligations, was an impermissible form of self-help ie taking the law into their own hands.

The emerging legal position seems to be that neither the employer’s control over data nor the employee’s right to privacy operates in absolute terms. The law is heading in a direction informed by the Data Protection Act, requiring that an employer’s access to personal information is exercised only where it is necessary, proportionate, and consistent with an employee’s reasonable expectation of privacy.

Drew Wheatley is an associate at Myers, Fletcher and Gordon, and is a member of the firm’s Litigation Department (Labour and Employment Law Practice Group). She may be contacted at drew.wheatley@mfg.com.jm or through the firm’s website www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.

Drew Wheatley .