A senior member of staff died in an accident recently and I am uncertain as to how to deal with his emails. He has several personal folders and thousands of emails relating to non-workplace matters. What should we do?
First of all, it is good practice for businesses to have an email usage policy in place that implements proportionate monitoring of employee emails. Before implementing any email usage policy, an impact assessment should be completed considering the reason why it is necessary to monitor staff emails: for example, to ensure that relevant business practices or regulations are being complied with. Make sure that the methods used to monitor emails are proportionate to meet the reason they are in place.
The now-deceased staff member should have been informed that his emails might be monitored, the reason for this and to whom the emails will be shown. He should also have been asked to sign a consent form confirming that he agreed to his emails being monitored in this way.
The emails should be held securely and access to them should be restricted to a limited number of staff - all of whom should have signed confidentiality and security agreements and received appropriate training. Responsibility for the emails should then be allocated to a specific individual, or two at the most, whose task it will be to review them.
Some emails might need to be retained, for example, in order to comply with health and safety obligations. Where that is the case, the relevant emails should be held securely for as long as they serve their purpose and then be deleted. The emails that contain purely personal information should be destroyed, although it would be sensible to consult the deceased staff member's next of kin before doing so.
When the time comes, it is important to make sure that the emails are disposed of securely. That means not simply pressing "delete" but having it professionally removed from all storage devices they have been saved on including, for example, a company Blackberry or laptop.
Although this is, fortunately, a rare dilemma, you should consider amending existing email policies so that in the future a particular member of staff has specific responsibility for confidentially and securely retaining all employee information after a member of staff's employment is terminated. It will then be his or her job to irretrievably delete it after a specified period of time.
To make reviewing staff emails more efficient in future, you may also want to include a requirement in your email usage policy for employees to clearly mark any non-work-related emails as "personal" and ask that third parties who contact them do the same. It is also good practice to include a statement that staff emails may be monitored in company email headers or footers so that third parties who contact employees are aware of this.
Emma Dickinson, solicitor, Simpson Millar LLP