Response #1: We have a system where 2 people must approve. Generally it is the Senior Vice-President (SVP) of HR and I but in some limited situations it might be two attorneys.1
Response #2: Our practice is that some attorneys in the Legal department have access to the system archiving emails. When necessary for Human Resources to have access, a manager or director must get authority from our Information Technology (IT) department.2
Response #3: We require approval by the SVP of HR and the Chief Information Officer (CIO). Our Security Chief is the only one that can petition them for approval. Our policy makes clear that employees do not have an expectation of privacy with respect to company assets. However, to curb the possibility of overzealousness and abuse by management, we require a showing of reasonable cause.3
Response #4: I agree with the approach in Response #1 and would have at least two persons approve, one of whom is not HR or IT, but legal or compliance. I have seen HR get excessive with the power to review email, badge entry records, security camera info, etc. without a check and balance.4
Response #5: In a past life, we had a policy that required the signoff of the head of HR and the Chief Ethics Officer in addition to the supervisor (unless the supervisor was one of those people, in which case it would go to a reasonable substitute, such as the Chief Executive Officer).5
Response #6: Speak to your IT Group first. You may discover that employee monitoring is actually an ongoing part of your IT systems, and that if you have a policy which requires HR input before commencing an investigation, this will not reflect what is actually happening at your organization.6
Sample HR, IT and Legal Procedure about investigation into an employee's electronic files
COVERT ACCESS[1]
An employee's e-mail or hard drive may be accessed without notification upon approval in writing (e-mail is sufficient) by two of the following: Chief Human Resources Officer, Chief Ethics Officer, VP – Internal Audit, VP – Global Security, General Counsel, or Chief Labor and Employment Counsel. The Chief Human Resources Officer may delegate his/her authority to any Senior Vice-President of Human Resources or any Regional VP of Human Resources. In the event that such authority is delegated in this manner, the second approver should be one of the other contacts listed above but may not include the Chief Human Resources Officer. In addition, the following precautions should be taken:
(a) Access should be for a specific, business reason and clearly specified in scope.
(b) All searches must be limited to the scope and logged with the time, date and reason for access.
(c) Any information gathered must be kept confidential and subject to any applicable data protection rules. It must also be stored securely and confidentially and disposed of in a manner consistent with company policy.
ACCESS TO THE ACCOUNT OR COMPUTER OF AN EMPLOYEE WHO HAS LEFT THE BUSINESS
Access to the e-mail or hard drive of a departed employee may be granted by any of the above listed authorizers or their delegate. Such access should be provided for legitimate business purposes only. All exclusively personal e-mails or other content and/or attorney-client privileged e-mails should generally be disregarded.
Unless doing so would compromise a confidential investigation, local HR should also be made aware of the access.
ACCESS TO AN ACCOUNT WITH THE ACCOUNT HOLDER'S PERMISSION
Any employee may authorize access to his or her account as needed in connection with the performance of his or her job or if so requested by the Company. Such access is not intended to enable any employee to "sign on" as anyone other than themselves. Unique personal identification and verification must be maintained for audit purposes. Unless doing so would compromise a confidential investigation, local HR and the employee's manager should be made aware of any circumstance where an individual has access to another employee's e-mail.
[1] Covert access, in particular, may be prohibited or restricted in some jurisdictions, particularly in the EMEA region. Controlling legal issues should be considered to determine whether covert access is permissible and any approved access should be in accordance with applicable data privacy regulations.7