On 26 January 2012, the European Commission released new proposals regarding the EU Data Protection Directive (95/94/EC) and e-Privacy Directive (2009/136/EC) which came into effect 25 May 2011. The objective is to make the data protection rules more consistent across all EU member states, making it far simplier for international businesses to understand their data obligations and comply with the rules.
These laws apply to both employee and consumer personal information.
Organisations will need to obtain “specific and explicit” consent from internet users to store information and must delete data unless there is a “legitimate and legally justified interest” in keeping it. In the working group’s opinion on the question of consent, when consent is required from a worker and there is a real or potential relevant prejudice that arises from not consenting, the consent is thus considered not freely given and therefore not valid.
For tracking internal communications, (e.g. email and intranet pages), we have suggested employers may comply with these rules within their employment and labour agreements and within the context of privacy and/or technology use policies that explains the reasons for the collection and use of such data. The company should be clear about the reasons for data monitoring, and the extent is it is necessary to achieve a legitimate aim (see the closing paragraph for our rationale).
By no means claiming any legal expertise on the matter, we do suggest that companies are already collecting personally identifiable employee information simply by function of using their email systems. In other words, the employee email address, and what messages the employee has sent and received is already stored within the Exchange environment. Certainly the PoliteMail email analytics data are additive to this. Our system is storing another copy of the email address, and storing additional interaction data (open/click/fwd/reply) in relation to those email messages.
Certain types of data tracking and processing are not significantly intrusive. The PoliteMail email analytics tool enables communicators to measure the effectiveness of their email communications and the ability to monitor if the resources being developed and deployed to support the organisation are in fact being utilised by employees. While the tool also enables communicators to take follow-up action with specific employees or groups of employees based upon their interactions (or lack thereof), we see this as reasonable use of data and not outside the interests of data protection or privacy compliance.