It would be best to have an email monitoring policy regarding employees’ private and business use of emails contained in employment contracts. However, how extensive, and intrusive should the policy be?

Company policies and the POPI Act

Several South African companies have established an email monitoring policy in their employment contracts. This policy often covers both private and business use of emails, but there are often questions about how intrusive it should be, says Roy Bregman, director at Bregman Moodley Attorneys.

“Our Constitution respects a person’s right to privacy. The Protection of Personal Information Act (POPIA) further entrenches personal data protection rights,” he said. “An employer is entitled to expect that employees will not use their emails to violate company policies, use inappropriate language, break confidentiality, or run their own business on company time.”

Bregman added that employment contracts usually contain clauses dealing with the monitoring and interception of emails.

These clauses typically provide that employees should not expect privacy when sending, receiving, downloading, uploading, printing or otherwise transmitting emails. And that employees must use emails for bona fide business purposes only.

In terms of POPIA, an employer who processes an employee’s personal information must:

  • Do so reasonably and without negatively impacting their rights as data subjects.
  • Do so with the data subject’s informed, express, and voluntary consent.
  • Explain the purpose of such monitoring interception, to enable the employees to perform their duties and assist the employer in meeting its legal, business, administrative and management obligations.

WhatsApp and confidentiality 

These policies can also include other forms of communication – including messaging services such as WhatsApp and Slack.

An employer is typically responsible for the conduct of its employee where the employees are acting within the course and scope of their employment, said Karl Blom, senior associate at legal firm Webbers.

For that reason, if an employee is using WhatsApp to conduct the business of their employer, the employer must ensure that these activities are POPIA compliant, he said.

He added that there are several provisions that may apply under POPIA, including requirements pertaining to:

  • The transfer of data to third parties outside South Africa;
  • The retention of personal information;
  • The security of the personal information;
  • The purpose for which the personal information is being used.

“If an employer is making use of WhatsApp, it must treat these messages as it treats any other technology – such as emails, VOIP, regular mail etc.”

Employers should also be mindful of any contractual confidentiality provisions that may apply to it – including those that may restrict its use of certain technologies, such as WhatsApp, he said.

“Finally, it is important to remember that WhatsApp and other messaging tools are operated by third parties, so employers should always be mindful of any regulatory requirements that may restrict how they provide data to third parties.

“For example, employers in the legal, educational, medical or insurance industry should be mindful of the specific requirements that apply in those sectors.”


Source: Bregman Moodley Attorneys | By Roy Bregman