In Norway, employees are entitled to both freedom of expression and a reasonable expectation of privacy in the workplace. However, in certain situations an employer may still require access to your email account or other electronic tools you use for work purposes. The conditions for such access are quite strict, and access should only be used in exceptional circumstances.
“Access may be granted if there is a well‑founded suspicion that the employee’s use of email involves a serious breach of their duties under the employment relationship, or that the use of the email account may provide grounds for dismissal or termination. The second exception applies when access is necessary to ensure the daily operation of the business or to protect other legitimate interests of the organisation,” explains Frode Rognsaa, lawyer at Tekna.
The first situation could occur, for example, if an employee uses their email account to carry out criminal activities or to harass colleagues.
Use a private email account for private communication
“Use a private email account for private communication,” advises Tekna’s lawyer. Employers may demand access to all equipment provided by the employer, such as your work computer or mobile phone. This may include text messages, mobile data traffic, documents stored in your personal user area, and backups. Privately owned devices and accounts are not included in this access right.
Private email accounts – meaning accounts created outside your workplace – are not subject to employer access. If you use services such as Gmail, Yahoo or Hotmail, your employer is not legally allowed to access them. If you need to handle private communication while at work, you should therefore consider using an email account that lies outside the company’s control.
There are important conditions that must be met before access is permitted
An employer cannot simply check an employee’s email or information stored on other electronic communication tools, such as a mobile phone.
When access is allowed, and how the employer must proceed, is governed by a separate regulation. The regulation sets out several important conditions for access, which are explained in more detail below. These rules also apply to the employer’s right to enter an employee’s personal area on the organisation’s server or to access other electronic equipment. The regulation applies to both current and former employees.
When can access be granted?
A fundamental requirement for access is that it must be necessary for a specific purpose. If the employer’s operational needs can be met in another, less intrusive way, then access is not considered necessary – and therefore not permitted.
1) When it is necessary to maintain daily operations
This may typically occur when an employee is absent from work and there is good reason to believe that work‑related messages have been received in their email inbox and are needed for operational reasons. Time sensitivity is an important factor, and short deadlines may justify access even during brief absences. If the employee has set up forwarding of work‑related emails, or an automatic reply explaining where work‑related enquiries should be sent, this may indicate that access is not necessary.
2) When it is necessary to safeguard other legitimate interests of the organisation
Legitimate interests may include the need to run the organisation efficiently and responsibly, or to protect it from harm or liability. The assessment is based on what is normally considered legitimate for that type of organisation, which may vary between sectors and requires careful judgement.
3) When there is a well‑founded suspicion that the use of the email account involves a serious breach of duties under the employment relationship
The breach must be serious. This requirement is typically met if the email account is used to commit criminal acts or to violate employment‑related duties and standards, such as breaching confidentiality or downloading images involving the sexual abuse of children.
4) When there is a well‑founded suspicion that the employee’s use of the email account may constitute grounds for dismissal or termination
This may include both criminal actions and non‑criminal actions that are clearly not in the organisation’s interest. Examples include using the email account to harass colleagues or to send spam or harmful content.
It is the employer who must prove that there are grounds for such suspicions.
The rules apply only to equipment provided for work purposes
The rules apply only to access to communication tools and equipment that have been provided to the employee for use in their work. The employer’s right of access therefore does not apply to equipment owned by the employee. This means that an employer has no right to access content stored on an employee’s privately owned computer, even if it is occasionally used for work purposes. The same applies to a private phone, private email accounts and closed profiles on social media.
The employer must give notice before accessing information
As far as possible, the employee must be notified before access takes place and be given the opportunity to comment before the access is carried out.
The notice must include information about:
- why the conditions for access are considered to be fulfilled
- which rights the employee has under the regulation
As far as possible, the employee must also be given the opportunity to be present during the access and has the right to be assisted by an employee representative or another chosen representative. The employee is, however, free to decline being present or to decline having any representative.
If access takes place without prior notice
If access is carried out without prior notice – for example, if the employer does not have time to notify the employee beforehand or the employee cannot be reached – the employee must be informed after the access has taken place.
The notification must include information about:
- why the conditions for access are considered to be fulfilled
- which rights the employee has under the regulation
- which method was used during the access
- which emails or other documents were opened
- the outcome of the access
Carrying out access
As mentioned, a key requirement is that the access itself must be necessary. This means that if the information can be obtained in another way, the requirement for access is not fulfilled. If the email in question can be obtained from the recipient, the employer must make use of that option first. In situations where the employer does rely on the right of access, there are still certain guidelines that must be followed.
“As far as possible, the employer must notify the employee that access is being planned. The employee should then be given an explanation of why the employer believes the conditions for access are met, as well as the time and place for the access. The employee should always be given the opportunity to bring an employee representative. In addition, the rules of the Personal Data Act regarding the collection, use and re‑use of data must, of course, be respected. The employee must also be informed about their rights,” explains Rognsaa.
If there is a risk that evidence may be compromised, the employer may choose not to notify the employee, but this must be specifically justified. Higher standards are then required for the reasoning, and the employer must document that there are indeed grounds for accessing the information.
It is worth noting that, as an employee, you do not have the right to give advance consent to access. If your employer wishes to access your information, one of the two conditions mentioned above must be met. However, there is nothing preventing you from voluntarily requesting access yourself, for example if you want to rule yourself out of suspicion.
Deletion of data when an employee leaves
As a general rule, when the employment relationship ends, the employee’s email account and related services must also be closed. Any content that is no longer necessary for daily operations must be deleted within a reasonable period of time. According to the Norwegian Data Protection Authority, this means a deadline of six months after the employee has left.
It is not permitted to set internal instructions or enter into agreements regarding access that deviate from the rules to the employee’s disadvantage. What constitutes a disadvantage must be assessed in each individual case. As a general principle, rules that give the employer broader access rights will be considered disadvantageous to the employee.
Special considerations for students
As a general rule, the same regulations also apply to students who have been provided with an email account by a university or university college. In these cases, the threshold will normally be high for access to be considered necessary in order to safeguard the institution’s daily operations. However, the conditions for access may be fulfilled where there is a well‑founded suspicion that a student’s use of the email account involves a serious breach of the duties that follow from the relationship between the institution and the student, or may constitute grounds for exclusion or expulsion.
