GDPR - employment issue

[Nc2603]

Someone is under investigation for sending messages at work when they should be working.

However, the company have accessed all the messages, including those not sent or received when at work and not done on a works device. Is this a breach of GDPR?

What device are the messages on? A personal device? Were they sent to another work or personal device?

It might come under collateral intrusion, but need some more info.

How were they able to do that?

@DeltaAlphaDelta79 i think a variety. I think they were sent mostly using a phone but some on a work laptop (during work hours.)

I don’t know how they were accessed sorry - I presume they went on the laptop in question and accessed them that way.

You say sent on a work device. In which case they own the device and can access
it anytime they like. I expect he signed a contract as such when getting it.

www.edps.europa.eu/data-protection/data-protection/reference-library/private-use-electronic-communications-workplace_en

If they’re viewable on a work laptop they are on a work device plus in any event the employee will in all likelihood have agreed to the company processing data for employment purposes which includes investigations.

You've said they accessed messages not sent on a work device, do you mean they were received by a work device?

You're not being entirely clear on what has happened

Anything on a work device belongs to the company.

If some have been sent on a work laptop and they have used something like whatsapp, viber or imessage where they can sync between devices then you can then see other messages apart from intended messages.

Work devices belong to the employer and there should be no expectation of privacy.

There should be an acceptable use or monitoring at work policy (may be in the information security policy). Generally there can be no expectation of privacy for messages sent and received on work devices.

GDPR may not even come into it, if it’s not concerning personal data.

If they're on a work device, they're fair game. I used to do investigations and if they accessed personal emails on a device and those emails were visible in their web history (ie you didn't have to log into their email account to see them), you could use them as evidence.

Is it the WhatsApp online version that’s on the laptop and now they are able to access all messages even the ones sent on an evening via a phone? If so I suspect by logging on on the work device you will have given them the rights to view it.

Not necessarily true, but it all depends what it says in their privacy notice and supporting policies.

Unless this is a very small organisation, the likelihood is that the employees have signed an agreement that data processed in the course of their work can be accessed by employers.

If they have accessed personal data, then whether it is a breach will depend on the exact circumstances. For example, if a personal email is sent to or from the work email account, it would be impossible for the employer to avoid accessing it, while legitimately accessing work emails.

Do you mean they were logged into email or social media on both a work computer and their phone and that all messages can therefore be accessed via the computer, even if they were sent out of working hours on the phone?

I am surprised

I'd have thought work email = they access everything

Personal email / snap / whattsapp on a work device = they know how long you've been on it but they can't actually access the messages.

But this is just guessing!

(Off to shut down Tescos order on work laptop)

On a more general point, I would be wary about getting involved, OP. Your colleague almost certainly has not told you the full picture, because it is human nature to minimise any wrong-doing.

I have lost count of the number of HR issues I have managed, where a well-meaning colleague has interfered, and actually made things worse for all concerned. The person supporting your colleague should be someone with the right expertise and a full knowledge of the circumstances. A union rep is ideal, if she is a union member.

Yes, this is pretty much it. Sorry for not being clear - I’m walking that fine line of not wanting to give outing info and wanting to help!

@MissLucyEyelesbarrow I’m not involved particularly. Don’t worry about me

TBH I was worried about your colleague, not you.

You’re going to have to be clearer. Which platforms (Facebook /teams/ whatspp) and what sort of messages (posts /DMs etc)?

both GDPR and employment law may be relevant but it is very fact pattern specific.

If they were logged into personal social media/messenging services/email on a work device then its very likely that the employer will be able to see messages etc. Not really a breach of GDPR.