Close
Login to MyACC
ACC Members


Not a Member?

The Association of Corporate Counsel (ACC) is the world's largest organization serving the professional and business interests of attorneys who practice in the legal departments of corporations, associations, nonprofits and other private-sector organizations around the globe.

Join ACC

This Wisdom of the Crowd, compiled from responses posted on the Employment & Labor and Compliance & Ethics Network Forums* addresses concerns about internal computer investigation policies within an organization.
*(Permission was received from ACC members quoted below before publishing their eGroup Comments in this Wisdom of the Crowd Resource)
 
Question
Does anyone have any insight on who can authorize an investigation into an employee's computer files, emails, etc. and under what circumstances? I believe a request should require Human Resources (HR) involvement but would appreciate any other thoughts.
 
Wisdom of the Crowd:

Response #1: We have a system where 2 people must approve. Generally it is the Senior Vice-President (SVP) of HR and I but in some limited situations it might be two attorneys.1

Response #2: Our practice is that some attorneys in the Legal department have access to the system archiving emails. When necessary for Human Resources to have access, a manager or director must get authority from our Information Technology (IT) department.2

Response #3: We require approval by the SVP of HR and the Chief Information Officer (CIO). Our Security Chief is the only one that can petition them for approval. Our policy makes clear that employees do not have an expectation of privacy with respect to company assets. However, to curb the possibility of overzealousness and abuse by management, we require a showing of reasonable cause.3

Response #4: I agree with the approach in Response # 1 and would have at least two persons approve, one of which is not HR or IT, but legal or compliance. I have seen HR get excessive with the power to review email, badge entry records, security camera info etc. without a check and balance.4

Response #5: In a past life, we had a policy that required the signoff of the head of HR and the Chief Ethics Officer in addition to the supervisor (unless the supervisor was one of those people, in which case it would go to a reasonable substitute, such as the Chief Executive Officer).5

Response #6: Speak to your IT Group first. You may discover that employee monitoring is actually an ongoing part of your IT systems, and that if you have a policy which requires HR input before commencing an investigation, this will not reflect what is actually happening at your organization.6

Sample HR, IT and Legal Procedure about investigation into an employee's electronic files

COVERT ACCESS[1]

An employee's e-mail or hard drive may be accessed without notification upon approval in writing (e-mail is sufficient) by two of the following: Chief Human Resources Officer, Chief Ethics Officer, VP – Internal Audit, VP-Global Security, General Counsel, or Chief Labor and Employment Counsel. The Chief Human Resources Officer may delegate his/her authority to any Senior Vice-President of Human Resources or any Regional VP of Human Resources. In the event that such authority is delegated in this manner, the second approver should be one of the other contacts listed above but may not include the Chief Human Resources Officer. In addition, the following precautions should be taken:

(a) Access should be for a specific, business reason and clearly specified in scope.

(b) All searches must be limited to the scope and logged with the time, date and reason for access.

(c) Any information gathered must be kept confidential and subject to any applicable data protection rules. It must also be stored securely and confidentially and disposed of in a manner consistent with company policy.

ACCESS TO THE ACCOUNT OR COMPUTER OF AN EMPLOYEE WHO HAS LEFT THE BUSINESS.

Access to the e-mail or hard drive of a departed employee may be granted by any of the above listed authorizers or their delegate. Such access should be provided for legitimate business purposes only. All exclusively personal e-mails or other content and/or attorney-client privileged e-mails should generally be disregarded.

Unless doing so would compromise a confidential investigation, local HR should also be made aware of the access.

ACCESS TO AN ACCOUNT WITH THE ACCOUNT HOLDERS PERMISSION

Any employee may authorize access to his or account as needed in connection with the performance of his or her job or if so requested by the Company. Such access is not intended to enable any employee to "sign on" as anyone other than themselves. Unique personal identification and verification must be maintained for audit purposes. Unless doing so would compromise a confidential investigation, local HR and the employee's manager should be made aware of any circumstance where an individual has access to another employee's e mail.

[1] Covert access, in particular, may be prohibited or restricted in some jurisdictions, particularly in the EMEA region. Controlling legal issues should be considered to determine whether covert access is permissible and any approved access should be in accordance with applicable data privacy regulations.7

 
1Michelle Deutsch, Associate General Counsel, Lifelock, Inc (Apr. 13, 2016)
2David Kight, Assistant General Counsel-Employment, Garmin International (Apr. 13, 2016)
3Nathan Franklin, Senior Counsel, Dow Corning Corporation (Apr. 13, 2016)
4Michael Martinez, Managing Counsel, Labor & Employment, Toyota North American (Apr. 13, 2016)
5Kerry Childe, Senior Corporate Counsel, Best Buy Co (Arp. 12, 2016)
6Sarah Eisen, Regional Counsel, Canada and Chief Privacy Officer, CSA Group (Arp. 13, 2016)
7Shay Hable, Chief Labor & Employment Counsel, Newell Brands (Apr. 13, 2016)
Region: United States
The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.
ACC