Is Your Email Being Watched? Here's How To Tell

If you're concerned about your emails being monitored, it's important to understand that email monitoring is common, especially in corporate settings. Work emails, in particular, are often accessible to employers and administrators, who can view both sent and received emails without your knowledge. This is because the company owns the email domain and the servers that host the emails. As a result, it's generally advisable to avoid using work emails for personal communication and to assume that anything you send or receive on a work email can be viewed by your employer.

Assume work emails are monitored

It is a good idea to assume that your work emails are monitored in some way by your employer. Emails sent or received through a company email account are generally not considered private, and employers are free to monitor these communications, as long as there is a valid business purpose for doing so. Many companies reinforce this right by giving employees written notice in an employee handbook that their work email isn't private and that the company is monitoring these messages.

There are several reasons why an employer may choose to monitor work emails. These include:

• Security reasons
• Productivity reasons
• To check whether staff are following company guidelines
• To check whether staff are communicating with colleagues or clients professionally
• To assess performance and employee productivity
• To ensure company rules and procedures are being followed
• To investigate any breaches of company rules
• To prevent reputational damage
• To prevent potential criminal activity
• To avoid the spread of viruses or hacking threats from scams like phishing emails

There are also some less noble and sometimes illegal reasons for monitoring, including snooping on employees' personal lives and monitoring union organising activities.

If you are concerned about your employer monitoring your work emails, it is worth checking your employee handbook or contract to see what the policy is. In the UK, there are several laws that cover employee rights when it comes to email monitoring, including the General Data Protection Regulation (GDPR) and Data Protection Act 2018, and the concept of fairness as applied by the Employment Rights Act 1996.

To comply with the Data Protection Act and GDPR, employers must prove that their surveillance is necessary, justified, and proportionate. This means that employers should only collect the data they need and not go overboard by collecting every piece of data. Employers must also ensure that any data collected is only used for the purpose for which it was collected and is not kept for longer than necessary.

Mailbox Folder Permissions

When Mailbox Folder Permissions are used, there is much more control over the level of access granted. Full access can be granted, or editor access, or reviewer access (which is like read-only access). It's not an all-or-nothing approach.

However, when Mailbox Folder Permissions are configured, auto-mapping is not used at all. Users will always need to manually add mailboxes to their Outlook profile if their access has been granted using mailbox folder permissions.

A common use of mailbox folder permissions is granting read-only access to a specific mailbox folder. This can be achieved by granting a user the Reviewer role for the folder. This allows the user to read mailbox folder items but not perform any other actions (e.g. creating or deleting items).

Admins have full access

As a user, you cannot audit which admin accessed your mail. Therefore, it is essential to assume that anything on your work laptop or email can be accessed and viewed by your boss or IT administrators. This includes emails, files, and even your browsing history.

It is important to note that while admins have the technical capability to monitor your email, it does not mean they are actively doing so. Most IT departments prioritize integrity and will only access your email if requested by management or for a specific reason. However, the possibility of monitoring underlines the importance of using work emails solely for work-related purposes and refraining from sharing personal information.

IT departments can access work devices

A BYOD policy typically includes guidelines on the following:

• Acceptable use: These guidelines outline how and when employees can use their personal devices for work. This includes instructions on securely connecting to corporate resources through a virtual private network (VPN) and a list of approved work-related apps.
• Security measures: BYOD policies set security standards for employee devices, including password requirements, two-factor authentication, data backup protocols, and procedures to follow if a device is lost or stolen. IT departments may also specify security software that employees must install, such as mobile device management (MDM) or mobile application management (MAM) tools.
• Permitted devices: The policy may outline the types of personal devices that are permitted for work, including minimum operating system versions and other relevant specifications.
• Data handling: BYOD policies often specify how sensitive company data must be handled, stored, and transmitted on employee devices. This includes data security and retention policies to comply with regulations such as HIPAA, Sarbanes-Oxley, and GDPR.
• Privacy and permissions: While respecting employee privacy, IT departments may need certain permissions on work devices. This includes installing specific software and controlling certain apps to maintain separation between employee personal data and corporate data.
• Reimbursement: The BYOD policy may outline reimbursement practices if the company reimburses employees for using their personal devices, such as offering stipends or subsidising data plans.
• IT support: The policy should clarify the extent of IT support provided for personal devices, including troubleshooting and technical assistance.
• Off-boarding procedures: When an employee leaves the company, BYOD policies typically include steps to remove sensitive corporate data from their device, revoke access to network resources, and decommission user accounts.

It's important to note that the level of control and access IT departments have over employee devices may vary depending on the organisation's BYOD policy and local regulations. Employees should carefully review their company's BYOD policy to understand their rights and responsibilities when using personal devices for work.

Work accounts are not private

Even if your IT department is not actively reading your emails, they likely have the ability to do so if they deem it necessary. Additionally, your employer may have installed employee monitoring software on your computer, which can track your keystrokes, website activity, and even take screenshots of your screen. This software often runs in the background and may go undetected by the user.

To check if your work computer is being monitored, you can examine the background processes on your computer. On Windows, press Alt + Ctrl + Del and open the Task Manager to view the list of running processes. On a Mac, navigate to Utilities and launch the Activity Monitor. Look for any unknown or suspicious programs and end the process if necessary.

It is important to note that your IT administrator may have hidden the monitoring program or run it in stealth mode, making it difficult to detect. In addition, your employer may have installed monitoring software that cannot be uninstalled without administrator privileges.

To protect your privacy, it is advisable to avoid using your work computer or work email account for personal activities or communications. Do not log into personal email or social media accounts on your work computer, and refrain from storing personal files on your work device. Instead, limit personal activities to your personal computer and accounts to ensure your privacy.

Frequently asked questions