Employers' access to emails and private files

An employer is entitled to access employees' emails or other private files when there is reason to believe that information in the individual's work email account is necessary for operational purposes.

An employer may also access such data when the employee is suspected of gross breach of duty.

In these types of situations, the employer is entitled to search through, open or read emails stored in the employee's work email account.

This is regulated in Chapter 9 of the Personal Data Regulations, which cover the right to access an employee's work email account and the deletion of such accounts when employment is terminated.

Need to safeguard operations

Access may be permitted when the employee has been or will be absent for a long period of time, if there is good reason to believe that business-related messages have been received in the employee's electronic mailbox, and these are needed by the employer for operational purposes (see Section 9-2a of the Personal Data Regulations).

There are no clear rules governing how long the employee must be absent before the employer may legitimately access the former's email account, though this will obviously be a factor when assessing the necessity of such access. Whether or not it is necessary for the employer to access an employee's work email account must be determined on a case-by-case basis.

The law states that in addition to access for operational purposes, there may be "other legitimate interests" that may justify access by the enterprise. Such an interest could, for example, be the need to safeguard the business's reputation.

When the employee is suspected of gross breach of duty

Access to an employee's work email account may be justified if the employer suspects the employee of using it in a way that constitutes a gross breach of the duties that follow from an employment relationship or that could give grounds for termination or dismissal. The employer must have grounds for any such suspicion, and the breach of duty must be gross (see Section 9-2b of the Personal Data Regulations, https://lovdata.no/forskrift/2000-12-15-1265/§9-2).

This requirement will normally be met if the work email account is being used for the commission of criminal offences, e.g. the downloading or forwarding of child pornography by the employee, or illegal file sharing.

The requirement will also be met if the employer has reasonable grounds for suspecting that an employee's use of their work email account may give grounds for termination or dismissal. This might be the case where it is suspected that the account is being used, for example, to harass co-workers or to distribute spam or emails containing harmful content.

In the event of illness, for example, employees may voluntarily grant their employer access to their work email account.

What do the rules apply to?

Work email account

The rules apply to an employer's right to access an employee's work email account, that is, an email account that the employer has placed at the disposal of the employee for use in their work for the enterprise, and whose address links the employee's name to that of the enterprise.

Personal area on the computer network

The rules also apply to the employer's right to access and search through the employee's personal area on the enterprise's computer network. Furthermore, they apply to other electronic means of communication or electronic equipment that the employer has placed at the employee's disposal for use in their work for the enterprise, such as mobile phones or tablets. The provisions also apply to the employer's access to data which the employee has deleted from these areas, but which remain stored in backup copies, or similar locations, to which the employer has access. Employers that are entitled to access an employee's data are also entitled to access any reconstructed material.

However, the rules do not entitle employers to access equipment owned by the employee, even if such equipment is occasionally used for work on behalf of the enterprise. The employer will, in general, be precluded from accessing such privately owned equipment.

Nor do the rules apply to data stored in shared areas or in email accounts that are shared by the entire operation, such as mailbox@business.no. Here, the employer will be entitled to access such areas without any particular conditions having to be met in advance.

Current and former employees, students and elected representatives

The rules regulate the employer's relations with both current and former employees, and with others who perform or have performed work for the employer. The rules therefore also apply to email accounts that are placed at the disposal of a data processor for use in their work. An example of this is an insurance broker who processes personal data on behalf of an insurance company.

The term "employer" refers to the party which the Personal Data Act defines as the data controller, and which is generally a legal person.

As far as is pertinent, the rules apply to universities and university colleges' access to students' email accounts, as well as to access by organisations and associations to the email accounts of volunteers and those holding elected office.

How to proceed when accessing emails and data

Insofar as this is possible, the employee should be notified in advance if an employer believes that the conditions for accessing their email account have been met (see Section 9-3 of the Personal Data Regulations). Any such notice must contain:

  • An explanation of why the email account/data are being accessed. In other words, why the employer feels that Section 9-2 of the Regulations has been met.
  • Information about the employee's rights.

Insofar as this is possible, the employee must be given the opportunity to respond before the employer starts accessing their data, and be present when such access takes place. These requirements mean that the employer must set deadlines which give the employee a real opportunity to exercise their rights. Furthermore, the employee is entitled to receive assistance from a union or other representative.

The use of the phrase "insofar as this is possible" shows that the notification requirement is not absolute. It is, nevertheless, a fundamental principle of privacy that one should be informed when data relating to oneself is processed. The threshold for making an exception to this rule is therefore high. If an employer refuses to give such notice, the refusal must be justified in writing, with a precise reference to the statutory provision authorising exemption from this rule.

In several cases that the Norwegian Data Protection Authority has adjudicated, the employer has claimed that the risk of evidence tampering justified their failure to inform the employee that access to data was going to be enforced. An important element in this assessment is whether manipulation of the data could be prevented by the employer first making a copy of the material before the employee was notified of the employer's intention to access the data. In that case, the employee is able to safeguard their private material and their privacy is better protected.

If the employer accesses the data without the employee being notified, e.g. in cases where time constraints prevent such notification or it is impossible to get hold of the employee, the employee must be notified as soon as the data has been accessed. Furthermore, the Norwegian Data Protection Authority recommends that the employer minutes the process along with the employee at the same time as the data is being accessed, since disagreements about what actually transpired will often arise at a later date.

The requirement to give notice as soon as access has been carried out is a strict requirement. The employer shall inform the employee of the fact as quickly as they are able.

The employee must be notified of:

  1. why the conditions for access are deemed to have been met
  2. what rights the employee has under the Personal Data Regulations
  3. which methods have been used in connection with the access
  4. which emails or other documents were opened
  5. the result of the access process

The point relating to the methods used in connection with access means that the employer must, for example, disclose whether the employee's actual email account was accessed, whether a search for particular words and phrases was carried out on the employee's machine, whether deleted material was restored, etc. If the employer has used a data processor, for example to reconstruct files, notice of this must be given. The requirement to disclose which emails or documents were opened means that a list of the documents accessed must be provided. Had the employee had the opportunity to be present during this access process, they would have seen all the documents that were examined, and the same must therefore apply when the employee is notified after the fact.

Precautions in connection with employer access

There will always be a risk that documents not encompassed by the right of access will become known to the employer when access is enforced. Efforts may nevertheless be made to avoid gaining access to private emails, trade union correspondence, etc. The establishment of guidelines and precautions ahead of the access process can also reduce the level of conflict, since both parties will be aware of the rules and what they can expect:

  • Search words must be quality assured ahead of the access process.
  • Searches for relevant documents must be performed in such a way that all documents containing the employee's private email addresses are excluded from the material.
  • Consideration can be given to whether the employer or others who know the employee should be excluded from the actual performance of the access process.
  • The employer or their representative should not read more of the document than that which is necessary to determine whether the document is relevant to the case, and thereby whether it should be deleted or not.
  • The employee should, as far as possible, have the opportunity to transfer private emails to a separate folder which is not, a priori, subject to access.

Deletion at the end of the employment relationship

The employee's work email account must be closed when the employment relationship comes to an end (see Section 9-4 of the Personal Data Regulations). Content not necessary to the day-to-day operation of the business must be deleted within a reasonable period of time.

The general rule relating to deletion follows from Section 28 of the Personal Data Act, which states that personal data may not be stored for longer than is necessary for the purpose for which they are being processed.

In practice, however, situations have arisen in which the Norwegian Data Protection Authority has allowed an email account to be kept open for a brief period after the employment relationship has concluded. One example was a high-ranking employee who walked off the job. The enterprise's contacts and customers were required to be notified of who would be their new contact, and an automated reply, informing correspondents that the person had left the company, had to be created. Access to previously received emails was prohibited as a condition for keeping the account open.

The requirement to close the email account means that the actual email account is deactivated at the latest on the last day of the employment relationship, and that the contents of the email account are deleted within a reasonable period of time, not exceeding six months.

Advice to employers

  • Establish clear guidelines for use of the enterprise's computer systems. Most employers will permit work email accounts to be used for a certain amount of private correspondence. Any restrictions should be clearly stated. Place particular emphasis on measures that may prevent the need for access. In the event of planned absences, for example, an automatic "Out of Office" reply can be used.
  • Define what constitutes a gross breach of duty that could lead to the employer accessing an employee's email account.
  • Define when an email account may be accessed, who can decide that access shall take place and what procedures will be used in such cases.
  • Create separate email addresses for elected representatives or company officers to be used in connection with their work.

Advice to employees

  • Restrict private activities on your employer's computer systems. These are meant for work-related tasks.
  • Try to avoid correspondence that is not work related.
  • Demand clear guidelines for what constitutes acceptable/unacceptable use of the employer's computer systems, and whether it is permitted to use them for private purposes.
  • Mark private emails as "private" in the subject heading, and store them in a folder that clearly shows its contents are private. The same applies to emails to and from elected representatives.
  • Remember that everything you do online and all emails you send and receive can be traced back to you.
