Email, Voicemail, and Privacy: What Policy is Ethical?

AUTHOR
Marsha Woodbury

ABSTRACT

“What should we do about our employees and their email?” That is the question that business people repeatedly asked Computer Professionals for Social Responsibility (CPSR). After many such requests to our organization, we attempted to construct guidelines that we could endorse. This paper will outline the guidelines that we proposed and will discuss the public reaction to them. Are they practical? Do they follow ethical strictures? What has happened since CPSR stepped into the fray? This paper will try to answer those questions.

There is obviously a tension between the employee’s right to privacy and the business’ right to control what goes on in the workplace. Also, before digging into the topic, I would like to emphasize that you as a company should endeavor to change your overall policy as little as possible. As Scott Adams has written, the person doing the work of the company-the hands-on person-is central to the company, and creating policies is one step removed. The policy, in short, should get out of the way of the worker. (The Dilbert Principle, Scott Adams, NY: Harper Business, 1996, p. 317) The average person is only mentally productive a few hours a day no matter how many hours are “worked,” and your email and voicemail policy should endeavor not to kill happiness and creativity.

And now, to the discussion of policy. The original guidelines that we proposed are: CPSR’s Sample Electronic Mail and Voice Mail Use Guideline

Email and Vmail are corporate assets and critical components of communication systems. The Email and Vmail systems are provided by the company for employees to facilitate the performance of company work and their contents are the property of. Although the company does not make a practice of monitoring these systems, management reserves the right to retrieve the contents for legitimate reasons, such as to find lost messages, to comply with investigations of wrongful acts or to recover from system failure.

Personal use of Email or Vmail by employees is allowable but should not interfere with or conflict with business use. Employees should exercise good judgment regarding the reasonableness of personal use. A junkmail group and other ad-hoc mail groups are available for employees to exchange information or post personal notices (i.e. “for sale”, “for rent”, “looking to buy”, etc.). Employees may sell items or post messages on junkmail or other ad-hoc mail groups as long as they do not violate the law or company policies.

Use of Email and Vmail is limited to employees and authorized vendors, temporaries, or contractors. Employees and authorized users are responsible to maintain the security of their account and their password. They should change their password quarterly and take precautions to prevent unauthorized access to their mailbox by logging off when possible if their terminal is unattended. (Unauthorized entry to an individual’s account or mailbox poses system security issues for other users.) Email and Vmail passwords should be at least 6 alphanumeric characters including at least one numeric character for Email.

  1. Efficient Usage
  2. Efficient use of the Email and Vmail systems suggests that messages should be concise and directed to individuals with an interest or need to know. General notice bulletins may be sent to public groups, news groups local to , junk mail, or specific work groups. Standards for global mailings can be found in (some location)

    Vmail messages which have been read will expire after seven days. This is a limitation of the disk storage capacity of the voicemail system.

  3. Misuses of Electronic mail and Voicemail Misuse of Email/Vmail can result in disciplinary action up to and including termination
  4. Examples of misuse includes the following:

    Prohibits obscene, profane or offensive material from being transmitted over any company communication system. This includes, for example, accessing erotic materials via news groups. Also, messages, jokes, or forms which violate our harassment policy or create an intimidating or hostile work environment are prohibited. Use of company communications systems to set up personal businesses or send chain letters is prohibited. Company confidential messages should be distributed to personnel only. Forwarding to locations outside is prohibited. Accessing copyrighted information in a way that violates the copyright is prohibited. Breaking into the system or unauthorized use of a password/mailbox is prohibited. Broadcasting unsolicited personal views on social, political, religious or other non-business related matters is prohibited. Solicitation to buy or sell goods or services is prohibited except on junkmail or ad-hoc mail groups.

  5. Responsibility for this policy
  6. “A specified department in the company” is responsible to ensure the efficient use of systems according to this policy. Where issues arise, the department will deal directly with the employee (and notify their manager where appropriate). The interpretation of appropriate use and future revisions of this policy are the responsibility of “a committee”or an appointed official.

    As soon as we published our guidelines electrically, our members proposed amendments. (David Levinger and Carl Page, http://www.cpsr.org/dox/program/emailpolicy.html, Sept. 19, 1997) Basically, they suggested three things:

    1. The level of email monitoring should be made clear. For example, the company ought to state that email will not be monitored or reviewed for the purposes of enforcing managerial authority.
    2. The language of “efficiency” bothered some of our members. They wanted companies to orient their policy to more human values and individual rights.
    3. Proper disclaimers on external postings are important.

    Also soon after our proposal was made public, we also received a post from a labor union representative, who urged that “prohibitions against political opinions should be amended to allow for messages of interest to the members of a unionized workforce.” (Gary E. Schoenfeldt, http://www.cpsr.org/dox/program/emailpolicy.html, Sept. 19, 1997)

    Had CPSR overlooked anything else? Indeed, we had neglected a rather large area concerning the nature of the communications themselves. As one respondent put it, “Its more important aspects are related to its role in recording the on-going business of the organization and legal risks associated with its use and abuse. One of the most important aspects of email, vmail and other electronic documents, is that they constitute organizational records in many if not most cases. Where I have done studies of email usage and policy in organizational settings, I have found that the large percentage of employees do not have a clue what is and is not a record, least of all with respect to email/vmail. And they have little or no understanding of what their responsibilities are in this respect.” (Rick Barry, http://www.cpsr.org/dox/program/addition.html, Sept. 19, 1997). Barry also recommended that the the policy should say that the author of any email be promptly notified after the fact if an email message has been accessed, and told why.

In sum, the subject of handling email and vmail in the workplace became a deeper and more complicated issue than our organization had initially appreciated. We wandered from privacy into freedom of information and from pornography to protest. We are still on this journey. My final paper will deal in more detail with each of these separate issues.