There may be lots of good reasons why you need to access someone else’s inbox. They may have left your organisation and you may be monitoring their emails in order to deal with correspondence sent in the ordinary course of what your organisation does; they may be on holiday or off sick, in which case you may be checking their emails to ensure business as usual; or you may need to search inboxes and sent items to assist disciplinary investigations.
When you are accessing an employee’s emails, even though they are on a work email system, precautions need to be taken in accessing and then reading emails, possibly forwarding them on to someone else or responding to those emails. Those activities will potentially involve the processing of personal data, so the GDPR & Data Protection Act 2018 will have to be considered (amongst others).
Hopefully you are aware by now that as Data Controller, you have to comply with the Data Protection Principles at Article 5 of the GDPR, including lawfulness, fairness and transparency, which requires you to provide the employee concerned with a privacy notice explaining that this will need to take place.
Does your Privacy Notice comply? I would suggest probably not. When we were drafting these things, we were thinking in terms of the generic things that employers do. It is only as we feel our way through GDPR on a case by case basis, and learn from the issues that arise, that we start to think of all the potential reasons why we might be processing data. These privacy notices are therefore likely to get longer and longer, and you should probably diarise to re-issue them to staff on a bi-annual basis rather than assume you’ve issued them once and that’s it.
In terms of your data mapping and listing of the justification that you have for processing data, in accordance with Article 6 of the GDPR, you will need to set out the legal basis you are relying on. For example, you probably would not want to rely on consent for this, as the employee can withdraw consent. It is hard to see this as a necessity of the employment contract, so you are probably relying on an employer’s legitimate interests.
Just because you have a potential pathway through the legislation does not mean you can do it without restraint. The processing of personal data in connection with your legitimate business interest needs to be done proportionately, which tends to mean in the least intrusive manner possible. For example, when somebody leaves, rather than somebody accessing their entire account, it may be appropriate to forward emails received from the leaving date to, for example, a successor. You may also need to think about restricting who has access to somebody’s account when they are absent: for example, it may be one authorised manager only, or it may be IT who are required to set up some filters so that not all data is being looked at.

It is worth considering the extent to which employees use their work email addresses for personal matters, and whether it is possible to distinguish between work and private matters in the emails. For example, your email policy may require people not to use work emails for personal purposes, or may specify that they may do so only if they mark such emails as personal and private.