What you should know about accessing eCommunications data in the absence of an employee
eCommunications, such as email, are an indispensable part of the operations of modern organisations. In many cases, limited private use is allowed, which generates a certain expectation of privacy by employees - employers should normally not read their employees' emails, as they may contain private information as well.
However, problems arise when employees leave an organisation or are absent for prolonged periods when information stored only in their mailboxes is needed for business continuity.
To avoid such problems, organisations should require employees to ensure that relevant correspondence is stored in places that are accessible to those persons who need it such as case management systems, case files or provided in handover notes.
Where access to an employee mailbox is still necessary (for example if important information was missing from a handover file), the organisation should have defined procedures in place which employees are aware of. To protect their private messages, staff could for example be instructed to store them in a folder labelled accordingly, so that organisations know to avoid them.
What are the main data protection issues?
Data quality - An important aspect of data quality is data minimisation, i.e. only accessing and processing the personal data needed to carry out the task at hand. In order to reduce the need for accessing employee' mailboxes, staff should be instructed to store correspondence that may be needed in their absence in appropriate repositories. Examples would be case management systems or similar. This is not only a data protection issue, it is also relevant for organisations from a business continuity perspective.
Right of information - Employees should be aware of the rules in place in their organisations about accessing their eCommunications data, so they know what to expect and can act accordingly. The rules in place have to be documented and clearly communicated to staff.
Retention period - For persons leaving the organisation, it has to be made clear if and for how long their mailboxes will be kept. The general rule for retention periods is "as short as possible, as long as necessary". If relevant communication is stored in repositories (e.g. case management systems), then the retention period for the mailbox itself can be quite short.
Guidelines on personal data and electronic communications in the EU institutions (eCommunications guidelines), 16 December 2015
Letter of 18 May 2016 received from the European Investment Bank (EIB) concerning procedure on access to the professional/personal data, physical or electronic, of staff members in the event of absence, leaving the Bank or death