Camilla Pastille

London

Data Protection Officer

Well actually - it wasn't long ago that the Information Commissioner (for it is he that protects your individual rights) was saying that if you put 'private' in the title of the email then the boss couldn’t read it.

Nonsense! If you send OR RECEIVE private email on a company email domain then the company has vicarious liability for anything you write or receive (e.g. the company gets sued, not you), therefore can read it all AND keep it for as long as it decides it wants to (forget about using Principle 5 of the Data Protection Act to demand your old private emails get deleted when you leave the company).

On the other hand you can proceed against snooping bosses under Principle 7 unless the company can prove they are protecting the data, protecting access to the data, and auditing any access - that might means the company should clear all email off the company's servers immediately (because it's stored unencrypted, easily read by techies) and store it all in a compliant repository such as Iron Mountain or IBM's Cryoserver (forget about most of the ‘email archiving’ solutions out there; most of them breach the Act).

Not that anyone actually does that, but that still leaves companies open to civil actions by employees under the Act is the system is so insecure that techies can read your email.

The real problem with 'personal' email is that there's no such thing - people just don't get it that the company's email system is just like the company's fax system - we don't 'demand the right' to send and receive private faxes, so why do we think we have these rights for email?