Employee rights and privacy protection
Here, we discuss employees’ rights in employment, particularly from the perspective of privacy protection. An understanding of the employer’s and employee’s rights and obligations creates a firm basis for working together.
Both the employee’s fundamental rights and privacy protection, and the employer’s rights are important. The employer’s rights do not override the protection given by fundamental rights to secrecy of correspondence or privacy protection related to data processing.
Work email enjoys the same constitutional protection as other correspondence.
When an employer provides an employee with email, it is a work tool, and the employer can require that it be used only for work matters. Nevertheless, work email enjoys the same constitutional protection as other correspondence.
An employer does not have the right to establish the contents of an employee’s work email without specific grounds. The Act on the Protection of Privacy in Working Life sets out special grounds on which an employer has the right to read an employee’s emails when the employee is not present.
Sections 19 and 20 of the Act lay down the special grounds on which an employer can retrieve emails relevant to the company and open them. To obtain and open emails, an employer must also have first fulfilled his or her duties of care under Section 18 of the Act on the Protection of Privacy in Working Life.
If the employee is absent or unable to come to work, the employer must give the employee one or more of the following options before retrieving or opening the employee’s incoming or outgoing emails:
Duty of care 1
An employee can set up an automatic out of office reply containing information about the duration of his or her absence and who to contact instead.
Duty of care 2
An employee can forward emails to another person the employer has approved to perform the duties or to another email address he or she uses which the employer has approved.
Duty of care 3
An employee may consent to someone else opening his or her incoming emails to find out whether he or she has been sent any emails clearly intended for the employer and which the employer must know about for the appropriate running of operations or performance of duties.
The duty of care is fulfilled when the employer has offered the employee one of the options. Thus, the employee does not need to have used any of the options offered under a duty of care for the employer to retrieve and open emails. As an employer, you can also offer an employee several of the above options.
After fulfilling your duties of care, you have as an employer the right to search for emails intended for you in your employee’s emails when your employee is temporarily unable to work, and you cannot retrieve the contents of the emails via your duties of care. Situations like this include sick leave and annual leave.
The admin user(s) of the system uses his or her credentials to retrieve emails.
Retrieving emails means the employer has the right to establish, based on the sender, recipient or subject of the email, whether the employee was sent, while absent, or sent or received immediately prior to an absence, emails about which the employer must know to conclude negotiations related to the business, serve customers or secure operations. In addition, the following requirements must be met:
- The employee does the work independently for the employer, and the employer does not use a system which can otherwise be used to record and establish what the employee does or record the processing stages.
- The work done and the matters processed by the employee make it clear that emails intended for the employer have been sent or received.
- The employee is temporarily prevented from performing his or her duties, and the employer cannot access emails intended for him or her, in spite of the employer having met his or her obligations under Section 18 of the Act.
- You cannot obtain the employee’s consent in a reasonable time, and you cannot afford delays in the matter.
If an employee is deceased or permanently prevented from performing his or her duties, and his or her consent cannot be obtained, the employer has the right to establish which messages are intended for the employer on the basis of the sender, recipient or subject of the email, unless it is possible to establish what matters the employee was dealing with and secure the employer’s operations by other means.
This situation also requires that the employee works independently for the employer, and that the employer does not use a system which can otherwise be used to record and establish what the employee does or record the processing stages. Furthermore, it must be clear from the work done and the matters processed by the employee that emails intended for the employer have been sent or received.
If emails are retrieved but not opened, a report must be compiled and signed by the people who retrieved the emails. The report must show why the emails were retrieved, when, and by whom. The report must be immediately delivered to the employee. Such a report is naturally unnecessary if the employee is deceased or permanently incapacitated.
You may not process data about the senders, recipients or subjects of work emails more than is necessary for the purpose of retrieving the emails, nor may the people who took part in the retrieval disclose this information to third parties during or after employment.
If you have retrieved an email and it is clearly intended for you as an employer, you have the right to open it on certain conditions. You can establish whether the email is intended for you as an employer on the basis of the sender, recipient or subject. The email may be either sent or received by your employee.
In addition, to open the email, it must be essential for you as an employer to obtain information from the contents of the email to conclude negotiations related to the business, serve customers or secure operations, and it is not possible to reach the message sender or recipient to establish the contents of the email or have it forwarded to an email address of your choice.
When these conditions are met, you can open the email using admin credentials with another person present.
You must compile a report about opening the email, signed by those present, which shows which email was opened, why, when, by whom, and who received information about the contents of the email. You must deliver this report to the employee without delay, unless he or she is deceased or permanently incapacitated.
You must store the opened email, and you may not process its contents or sender data more broadly than is needed for the purpose for which the email was opened, nor may the people who processed the data disclose the email contents to third parties during or after employment.
Companies with more than 30 employees must discuss the principles for email and data network use in cooperation negotiations. In companies with fewer than 30 employees, the employees must be given the chance to be heard about the principles of email and data network use.
The obligation to hold negotiations and hear employees concerns general email use principles, such as whether work email may be used for private matters. By contrast, you do not need to negotiate with or hear out employees in individual cases. You should negotiate or hear out employees before starting to abide by any principles. Even though you are, as an employer, obligated to negotiate or hear your employees, you make the final decision about email matters if you do not reach a mutual understanding with your employees.
We recommend agreeing on principles for email use in writing with your employees even if you employ fewer than 30. In this case, it is good to agree on how absences are notified and what procedure is used during an employee’s absence. We also recommend ensuring you have performed your duties of care and have the relevant consent from your employees at the start of employment.
The biggest practical problems with email arise when things are not agreed in advance.
If an employee has set up forwarding of his or her emails during an absence (duty of care 2), or an employee has given his or her consent for another person to receive his or her emails during an absence (duty of care 3), these people may retrieve and open the incoming work-related emails using the process described above.
However, if an employee has given specific written consent for these people to read his or her emails and perform the duties in the emails without observance of the procedures laid down by law, these people may retrieve and open the absent employee’s emails, which concern the employer, without following the relatively complicated procedures laid down by law. However, an employee may withdraw his or her specific consent of this kind at any time.
Email consent form
We have drawn up a template form for agreeing with a single employee on email use in an exceptional case that departs from the procedures laid down by law. Before using the template, we recommend agreeing in writing about the ground rules for email use in the company. Suomen Yrittäjät member counselling services will help you in filling in the email consent form.
Data protection of electronic communications
The aims of the Information Society Code include securing the confidentiality of electronic communications and ensuring the protection of privacy. The regulations aim to clarify the businesses’ operating requirements and right to process email messaging data in cases of misuse. “Messaging data” means data which can be linked to a legal or natural person which is processed to transmit a message. Examples of messaging data are the transferred data volumes and data about the receiving network.
Messaging data are not data about the contents of the email itself. The rules of the Information Society Code do not entitle you to examine the contents of emails.
A business may process email messaging data in other situations than cases of misuse. For example, it may do so on the basis of employee consent, the provision or use of services, invoicing, a technical fault or data security.
Under the Information Society Code, a “corporate subscriber” (such as a business) may process messaging data in its own systems in two different cases of misuse. The first case of misuse concerns unauthorized use and the second concerns disclosure of company secrets.
It is important to note that even in cases of misuse you must consider the general processing procedures regarding communications providers in the Information Society Code. They stipulate that processing identification data is only permitted to the extent required by processing, and it must be done without needlessly damaging the protection of confidential communications and the protection of privacy. It is also important to note that identification data may only be processed in the case of work emails (such as firstname.lastname@example.org).
Under the Information Society Code, a business has the right to process messaging data to investigate or prevent unauthorized use of a fee-based information society service, communications network or communications service.
Unauthorized use of a communications network or service may mean installation of a device, software or service in an employer’s communications network. Unauthorized use may also mean an employee giving a third party access to the business’s communications network or services. It may also mean any other comparable use of a communications network or service if it contradicts the existing instructions.
Identification data may be processed using an automatic search function or manually. An automatic search function may be based on the size, aggregate size, type, number, connection mode or target addresses of the messages. When identification data are processed with an automatic search function, the search engine looks for abnormalities in the communication network using certain predefined criteria without anyone in the company gaining access to employee email identification data. In manual processing, the identification data of an individual employee’s emails may be revealed to the company.
Under the Information Society Code, to process identification data automatically and manually, the event or act concerned needs to be the probable cause of significant hindrance or damage to the company. A further requirement for manual processing is that the data are necessary for investigating the unauthorized use and the parties responsible for it and for ending the unauthorized use.
In addition, a company can process identification data manually if there are reasonable grounds to suspect that a communications network, communications service or a fee-based information society service is used against written instructions in the following situations:
- The automatic search has detected a deviation in communications.
- The costs of using a fee-based information society service have become unusually high.
- An unlawfully installed device, software or service is detected on a communications network.
- In individual cases, some identifiable circumstance comparable to the above leads to the conclusion that a communications network, communications service or fee-based information society service has been used against written instructions. That may occur when traffic of an unconventional nature with regard to the communication services’ specifications is detected from a company email address.
A business may process identification data to prevent or investigate the disclosure of business secrets on the conditions specified in greater detail in the Information Society Code. To a large extent, they correspond to the unauthorized use discussed above. A business may only process the identification data of employees who have been given access to business secrets or who have access to them in another approved way.
“Business secret” means a trade or professional secret which, if leaked, could cause the company financial damage. Under the Act on the Protection of Privacy in Electronic Communications, processing identification data means a higher than usual level of business secrecy is involved.
When identification data are processed to protect business secrets, those business secrets must be crucial to the commercial operations of the company or its cooperation partner. A business may also process identification data to protect the results of technological or other development work.
A business may process identification data manually if there are reasonable grounds to suspect that a communications network or communications service was used to disclose a business secret to a third party without authorization. Further requirements are:
- an automatic search has detected a deviation in communications
- a business secret has been publicized or used without permission
- in an individual case, an identifiable circumstance comparable to the above leads to the conclusion that access to a business secret has been disclosed to a third party without permission.
A business also has other means for protecting its business secrets. In principle, a business can also use systems to help track who has saved or printed data. Businesses can also use other monitoring methods, such as access control or camera surveillance. Non-disclosure agreements with employees are another way of protecting the company’s business secrets.
When a business has made the decision to start combating unauthorized use, it must take the appropriate data security measures to secure the network and service use before it starts processing identification data. It must also define which emails may be transmitted and retrieved, how the communication network and service may be used, and to which addresses emails may not be sent. The company must provide written instructions to the network and service users.
The company must designate data security officers who are entitled to process identification data and conduct cooperation negotiations on the theory and practice behind the procedures applied when processing identification data. In a company not subject to the Act on Cooperation within Undertakings, the company must hear employees and inform them about procedures and practices. In addition, the company must notify the Data Protection Ombudsman in advance about the start of identification data processing.
When a company has decided to start protecting its business secrets online, it must take appropriate data protection measures to secure the use and data of its network and service. The company must limit access to business secrets and define how business secrets may be processed and to what kinds of addresses emails may not be sent. The company must provide written instructions to the network or service users.
When a business processes identification data to protect its business secrets, it must designate data protection officers, conduct cooperation negotiations and notify the Data Protection Ombudsman in the same way as when processing identification data when it combats unauthorized use.