Manager wanted access to a subordinate's email without the subordinate being aware.
Posted by roger_ramjett@reddit | sysadmin | 226 comments
This has bothered me for a while now so I want to ask your opinion.
I was working at a small company (50 or so users) when a manager came to me asking to be able to read the email of a subordinate.
I knew that there was some bad blood between them. Even though the subordinate had never broken any company rules, I got the impression that the manager was looking for a way to get the subordinate fired. He wasn't investigating a specific problem.
After thinking about it for a while I went to the company owner, told him what the manager wanted to do, and asked whether he (the owner) was OK if I made it possible.
From what I had seen in the past, the manager and owner were on very good terms with each other, I'd say they were personal friends. I was hesitant about going to the owner as they may talk about what I had done and it could come back on me.
I'm sure that if I had told the manager when he first asked, that it wasn't possible to read the subordinate's email without the sub knowing, the request would have ended there.
In the end the owner said to go ahead with the request and I provided a way for the manager to access the sub's email without the sub knowing.
Not long after that the sub was fired and, as far as I could tell, there was no cause for the firing. I stay out of the office gossip but from what I overheard no one knew what the reason was for the firing.
Would the firing happen if I had not given the access? It probably would have happened no matter what I did, but it still bothers me as I am not sure I did the right thing.
TheDutchDoubleUBee@reddit
If this happened to me I would go to court, and it all came out that you provided it, and I would sue you to financial ends. This is what totally is wrong, you stepped in totally wrong and expect to get it back to you. You should have contacted HR, the person who has the mailbox owned, and never had this done without a clear statement on paper. Now you are liable and I hope for you the victim will never find out. The way you write “I provided access that the sub would not find out” tells me you were totally in it and can be considered as conspiracy against that sub. I would strictly advise to take a lawyer, because it can fire back when the sub discovers that you provided the access. Because one thing I know, the owner will say in court “I did not advise to do it, I let the IT judge it” and then manager is gonna say “I asked, I did not know it was not allowed, I trusted the judgement of the IT” so you will get the Karma you deserve. Personal mail boxes are always protected from access by others, that’s why it is a protected mailbox. In Europe you could face prosecution and direct job loss without compensation. Sysadmins are powerful people with powerful access. That’s why there is a lot of certification and logging of these things. And if it was a Microsoft or Google platform, the evidence that you granted access will stay there for a long time and cannot be deleted. YOU ARE A DISGRACE FOR THE JOB OF SYSADMINS!
TacodWheel@reddit
I've always pushed those requests to HR, and have them provide authorization in writing. Something I can keep on record.
Secure_Cyber@reddit
Exactly! Need that digital "paper trail" and evidence of chain of custody.
After_Nerve_8401@reddit
This is one of those things that is morally and ethically wrong, but 100% legal. Also, a manager might go rogue. Many years ago, I had a similar request and mentioned it during a meeting with the Director. He was shocked, and he said he would speak to the manager about it. I never heard anything more about it.
dustojnikhummer@reddit
Depending on jurisdiction. It is definitely not legal in GDPR countries.
War_D0ct0r@reddit
Why is it morally and ethically wrong? The company owns the email. Bigger companies are now scanning your email and generating alerts that can be checked. Company is protecting itself. Some of this is required by law, liability, and compliance. If I email certain customer information it's a fireable offense.
awful_at_internet@reddit
The biggest issue is that the manager is almost certainly not the correct person to have that access or enforce those compliance requirements.
I read people's emails all the time... when they get flagged by our systems. Because that's my job. I do not let other employees read them, and they only ever come to my attention because they exhibit specific, pre-defined suspicious traits. If I see concerning or suspicious activity, I escalate it to my seniors, who look in the user's email to examine the activity I flagged, and see if any action needs to be taken. If so, they escalate to the appropriate leadership, who determine what actions should be taken and work with the individual's supervisor to implement that action.
The supervisor is basically the second-to-last person involved. Now, at a small shop, sure; that chain gets shorter. It still almost never starts with the supervisor doing the investigation. As well, the investigation needs to be scoped appropriately: the seniors doing the investigation have a very specific activity they are looking for; the managers in this post are just sniffing around.
Unnamed-3891@reddit
This entirely depends on your jurisdiction. Has the OP confirmed they are in the US? I am in a Nordic country and if I did what was asked here, I would be committing a crime and facing a major fine. Where I am, the mere fact of the employer owning work hardware and email does not grant them complete and total control over workers' privacy when using them. You can disagree and that's fine, but again, different rules in different jurisdictions.
MissionSpecialist@reddit
I'm not in Europe but work for a global company that has decided to enforce a single standard globally.
As a result, our American employees get some actual privacy rights (although Californians had some of them already), and American managers learn that they don't get access to something just because they want it.
All such requests go to Legal, which considers scope, duration, purpose, and presence (or lack) of employee consent before making a decision.
hkusp45css@reddit
If I email some stuff out of my job, it's a felony.
NoPossibility4178@reddit
*depending on where you live
Unnamed-3891@reddit
This entirely depends on your jurisdiction. Has the OP confirmed they are in the US? I am in a Nordic country and if I did what was asked here, I would be committing a crime and facing a major fine.
Likma_sack@reddit
100% this. HR and CIO/CTO need to approve these requests in writing before any action is taken.
Blog_Pope@reddit
Small company might not have those roles. If he had a CIO/CTO I'm sure OP would have escalated there.
Bottom line is the company owns the email system; best practice would be the employee manual is clear about this because not having a clear statement creates gray area.
Best practice would also be to get an email so the specific request is documented vs a verbal statement that can later be contested.
OCGHand@reddit
Had this happen to an employee who was with the company for 10+ years and had her business files and personal files in One Drive, SharePoint, Exchange Emails, and on Company laptop. It was a PITA to get everything for her personal files transferred over to her new personal computer, and emails. She asked if she could keep the work email address to use, because she uses that email for personal use, and SSO for some personal services. Her manager said yes, but the Ownership said no because they are not going to pay for email license.
davidm2232@reddit
'No expectation of privacy'
Blog_Pope@reddit
That’s the general rule, but I believe there are cases where in the absence of formal policy it was argued that managers had suggested the email was private and that set an expectation of privacy. Hence it’s best to have something formal in the manual
Depending on your risk tolerance, you could send a generic reminder to everyone that there is “No expectation of privacy” and all email is subject to management review. Be clever and tell the CEO you will do it to keep the company safe legally. And it doesn’t specifically tip off the user, but might give them a needed kick in the ass.
NoPossibility4178@reddit
Where I live it's illegal to do this... of course people do it anyway, if they do something to you then you need to prove they read their email which is also complicated... but you'd never get this in writing at least.
GlobalAd7103@reddit
Agreed - if it's company-provided email there generally is no expectation of privacy. It is a weird spot to be put in - happens more often than you would think.
kkoss@reddit
I work for a small company and started the process of any request like this needing to be approved by the requestor's manager. If I believe there may be any malicious intent I voice my opinion. Although I know this may not be standard as currently solo IT.
BioshockEnthusiast@reddit
Seems like as good a starting point as any. Sunlight is the best disinfectant, anyone with malicious intent will grow more hesitant as more sets of eyes get directed toward their request.
jib_reddit@reddit
They often outsource HR/Legal to an outside company, the good ones I have worked for do anyway.
Likma_sack@reddit
Correct, I didn't think about it like that, thanks for the perspective.
Chunkycarl@reddit
100% That and reminding people that there is no expectation of privacy on company owned emails, chats, and devices.
VernapatorCur@reddit
Exactly. Have the manager email you the request, then forward it to HR and the manager's boss asking for confirmation from both.
charleswj@reddit
I'm just here waiting for the ever escalating series of CYA comments
rubixd@reddit
Yeah maybe others have had sufficient experiences to make them more cautious of this sort of thing, but if I have the employee's manager, in writing, requesting this, especially through our ticketing system, I just do it.
VernapatorCur@reddit
And I've been fired because I processed a request like this, with their manager's approval, without notifying a wider list of people.
Z3r0C0o@reddit
Yeah, ummm, what were you fired for?
rubixd@reddit
That would be one such experience -- yes. Super shitty, sorry that happened to you.
Was there an existing policy or procedure you failed to follow?
GlowGreen1835@reddit
If a US company, make sure the president's personal email address is CCed. Not the company president, the US president.
charleswj@reddit
Now you're just trolling me
hkusp45css@reddit
Yeah, it's like murder porn in the crime threads.
Everybody just one ups the last list of people and documents that are critical to one's freedom and moral stature.
Did the user put in a ticket? Great, we have documentation.
Did they Not? Then we don't work.
No ticket, no tech.
It's not just a good idea, it's the law.
LaDev@reddit
Yeah, this is the right way. We click buttons. We are not the decision makers of when the business gets specific data. We channel the request properly, we perform our own CYAs, and we complete the business ask if approved.
thatguyyoudontget@reddit
This. Always in writing.
NSASpyVan@reddit
By HR and Legal approval only
C(over)YA
mini4x@reddit
This is our policy as well, HR issue, not an IT issue.
roger_ramjett@reddit (OP)
Company was too small to have an HR department. The owner handled everything himself. The one person that was sort of HR was the person whose email account was being accessed.
jefbenet@reddit
1000% CYAP - cover your ass~~ets~~ policy
largos7289@reddit
True but in his case the company is probably so small I doubt there is an HR person. If the IT guy can go into the owner's office and have a chat, that's a really small business.
waddlesticks@reddit
Yep HR and CIO approval... And also we must have an exact end date. No reason to have access for a prolonged period of time if management made sure stuff was going to the appropriate mailboxes...
CantaloupeCamper@reddit
Yup, still could be a legitimate request… but documentation always.
Icolan@reddit
This is the right answer, but in OP's case it may not be possible. Their employer is a very small company and may not have much of an HR department.
BrainWaveCC@reddit
Doesn't matter. Get someone high enough to make the decision, in writing.
But do remember that there is no implicit guarantee of privacy when using corporate equipment.
So, while I wouldn't be ecstatic to do it, I wouldn't have a problem doing it if the company asks. It's their data.
But, given that my credentials would be associated with the access, we're getting that in writing, thankyouverymuch.
TacodWheel@reddit
That's fine. Still get it in writing to CYA.
ineyeseekay@reddit
HR for sure, and legal if available. The CEO isn't going to be knowledgeable on what's ethical and legal, especially if the fired person decided to sue. Better to include one or more other people with relevant knowledge of the liabilities that such a request presents and leave yourself out of it until an approved decision warrants your involvement. But a company that size, may not have a hold resource for that...
derango@reddit
Upvote, and reply for emphasis. If you're working for a big enough place to have a HR department, all requests for access to employee communications get forwarded to them and get signed off on in "writing", never verbally. Yes, everything done on employer owned equipment is subject to review, but I don't want to be responsible for giving someone access to something they shouldn't have and then have it come back down to me when fingers start getting pointed.
If you don't have HR, it gets passed up to whoever is higher up than the person requesting the access. Always in writing, always documented.
I don't care why they want access, that's not my business. I just need someone who isn't the person asking for access to approve it.
DrunkyMcStumbles@reddit
Yes, even when an employee leaves, we have a process involving HR and our security group engaging in a procedure written by legal. Principle of Least Privilege is there to protect everyone.
Still employees are advised that anything discussed over company communication channels is not private.
grepsockpuppet@reddit
This is the way
InspectHer_1@reddit
Where I am, if it’s not a shared mailbox then we need authorization from CHRO and one other C level executive in order to grant access to
bukkithedd@reddit
This is the way.
Dizzy_Bridge_794@reddit
No expectations for privacy. Get it in writing from HR.
amensista@reddit
You do as you are instructed to do and you're overthinking the whole situation.
If he gets fired or what's happening, that's not in your business. Your job is to do.
You might be in the wrong job actually because it sounds like you're getting way too involved in the politics and people's emotions and this and that, that's nothing to do with you.
Corporate communications and email are 100% the property of the company, so if a manager wants to review an employee's email that's his prerogative, there's no questioning it, and whoever else is go to HR and all of that bullshit, that's nothing to do with it either.
Sorry dude but you're putting too much heart and emotion and nosiness into your job.
TK-CL1PPY@reddit
Governance should ALWAYS be separated from implementation. If there isn't governance approval as a policy, like HR or the CEO, IT could just start reading anything they wanted without violating any rules.
You might be in the wrong job if you don't know that.
amensista@reddit
The manager of the guy asks an IT employee to provide access to company property within his department. So grant the access. There's no assumed privacy or anything whatsoever associated with this request.
If that same manager asks for access to an employee not under his team, i.e. an employee who works under another manager who, on the organizational chart, is a peer, or he requests access to email from someone above him, then that requires escalation.
In this case scenario as described by OP he should execute the request, document it because it's a ticket anyway. He should also take his emotions out of it, how he feels about the employee or whatever, all the ethics is nothing to do with it.
This is company property being accessed.
Have you actually ever worked in a real company?
Byany2525@reddit
This requires HR, legal approval. Never just off management.
FortiSysadmin@reddit
The owner of the company is...the owner. What that person says is what goes.
BlitzNeko@reddit
Not true at all. Employees still have rights.
ARLibertarian@reddit
You're so cute when you're like this.
BlitzNeko@reddit
You’ve never had to deal with lawyers have you?
ARLibertarian@reddit
Lawyers only get involved when there's enough money to skim some for themselves.
I don't know where you live, but where I am there are near zero protection for workers. Unions are weak to non-existent, protection agencies are headed by pro-business sycophants at the state level, and have been gutted at the federal level.
We're one really good energy crisis away from a mad max style dystopian hellscape.
BlitzNeko@reddit
The whole place full of people who are spineless and incompetent? Where is this magical land that you live?
Lawyers get involved when someone with half a brain cell gets them involved. But I suppose it doesn’t matter, if you’re gonna be a doormat.
Nasboy@reddit
Seeing things like this reminds me of how lucky I am that our org has a standing rule. No one has direct access to another user's mailbox unless you are an EA.
jeffrey_f@reddit
There is a huge difference between a larger/large company and a small company. Where you would need a paper-trail in the form of a ticket to document what was done, in a large company. Not so much in a small company. If you are insubordinate in a small company, you are usually out and a new person will be hired.
darksidelucky@reddit
get the request in an email and CYA!
florence_pug@reddit
Why lie? There is no expectation of privacy regarding the users' emails and there is nothing wrong with a supervisor having access to it.
Status_Jellyfish_213@reddit
That’s simply not true in the UK / EU. They can access emails, but you must have a good reason and follow GDPR in the UK.
So the answer to this really depends on their location.
IFeelEmptyInsideMe@reddit
Why? GDPR I thought only covered personal info that other organizations had. Not internal to company info, especially not over in company user accounts? That makes no sense.
Status_Jellyfish_213@reddit
No, it is not only between businesses
DarraignTheSane@reddit
I agree with much of what I understand about UK & EU privacy laws, but this one is pretty wild. Not that I don't believe you.
The email account in question isn't personal. It's on a company owned server / service and is provided to the employee for the purpose of conducting company business. Any Computer Acceptable Use policy will outline specifically that email and any other IT systems that employees are given access to are not to be used for personal matters.
I, and likely anyone who downvoted you (I did not), really can't fathom how there can be any expectation of privacy on something that is entirely not yours.
It would be no different than arguing that my company can't search a file cabinet they've provided me, because I've stored my bank records (or whatever other sensitive personal info) in there. The only seemingly rational answer is that I shouldn't have stored them there in the first place because it wasn't mine to store my personal things in.
unionpivo@reddit
Same way you have rights in homes you rent.
Owner can't install cameras in bedrooms, bathrooms etc. And even if owner lets the police in, if they don't have a warrant, they might not get to use the evidence (at least here, that said there are exceptions to that).
DarraignTheSane@reddit
Not an equivalent example. You're not renting your employer's email server / service, you're not consuming it as a private entity.
unionpivo@reddit
I disagree. If you want to follow your analogy, it's like being in their apartment and being filmed on the toilet.
Bottom line is, in some places we think (and have laws) that there is a limit to what employers can do to employees.
I understand that there are two sides of a coin. I personally like the side of the coin the EU is on.
DarraignTheSane@reddit
Yeah, I see the argument but don't agree with it - mind you, not all that vehemently.
An email account provided to you to perform work duties simply isn't the metaphorical toilet. It's just not "your" space... again, IMO.
Status_Jellyfish_213@reddit
Indeed.
Even in the use of company equipment, your rights supersede that of the company. Now this isn’t going to help you if your information for example is needed in a legal case, either for or against you, or a tribunal - because that information is required and justified in acquiring.
But no company should ever be put forward over yourself - it is a company, not a person.
npsage@reddit
I don’t mean this in an insulting way; but it really is the simplest way to put it.
In the EU; the rights of biological people (including their right to privacy) are considered more important than the rights of any non-biological entity including a company you might work for.
In the US; the fleshy folks have whatever rights are left after the business makes sure those “rights” won’t interfere with their profit making ability.
cplusequals@reddit
This is an extreme misunderstanding of US law. Legal entities have "rights" only in the furtherance of the individuals that make up those entities. I think the oft miscited Citizens' United ruling is a good example of this misunderstanding as the ruling was predicated on the free speech rights of the individuals incorporating the non-profit. The individuals in that group had their rights violated. The underlying judicial philosophy is called associational standing and has deep precedence in English Common Law. Similar concepts with different implementations are found within British, Canadian, and Australian law.
magataga@reddit
In the US there are a ton of ways something like this can go sideways. State Law varies widely. Company Policy varies widely.
An unscrupulous manager can absolutely make an ask like this and then roll their employee under the bus. Firing can absolutely lead to litigation for a variety of reasons.
Always loop in HR and Always respectfully require instructions like this in writing, protect yourself.
Proof-Variation7005@reddit
I think we’re just assuming OP can’t be British cause he never used “mate” or any British style slang.
sryan2k1@reddit
There's massive legal liability around this even in the United States. A directive like this must come from HR or your company's legal representation, not just some random manager.
ISeeDeadPackets@reddit
No there isn't. Do you have a meaningful use policy that informs employees their email is not private? It's not the employee's mailbox, it's the company's mailbox that they have assigned to the employee. They could stream his inbox to a billboard next to the interstate if they wanted to.
EVERGREEN619@reddit
There is no such liability for Americans. There is no expectation of privacy on corporate devices in America. My users all sign an agreement that says they acknowledge this. It's also in the employee handbook as a policy that they sign. All 10 companies I have worked for had users sign the same type of agreement.
Most companies don't have HR or a legal team. Unless you consider the owner to be the HR and legal team. So this advice doesn't apply to half the population in the US. Half work for the big companies the other work for small and medium sized businesses.
Only 0.3% of businesses in America have enough revenue to justify hiring a legal team. We outsource legal typically until a company starts spending more than $250,000 a year in legal services.
If you work for one of those big companies, you're not asking questions like this. At those big companies you expect everything you're doing is already monitored in some kind of way by your manager. This has major small/medium sized vibe.
magataga@reddit
100%
magataga@reddit
Always Always Always get HR involved and get these kinds of instructions in writing. Your gut reaction is very bad.
florence_pug@reddit
True
cryonova@reddit
Corporate email is not your personal property, the owner of the company and tenant owns all the emails and any content within it. It's your job to provide that content, but you can make HR aware.
rrmcco04@reddit
The job of a sys admin with data is to "not know" what you are looking at for content and to follow policies and procedures. When there isn't one, you have to look to the data owner for it.
If there is no policy for something like this, your supervisor gets looped in and you find the right spot for that creation then follow it.
Going to the owner is right. What is more right is to establish a practice where someone wanting that access has a written account and record of it. That's mostly CYA. I had a strict policy of "unless you are HR or a lawyer, I don't touch data for a current employee" because that was agreed upon. Then there is no manager fishing for reasons and private email leakage.
Did the person get fired because you granted email access? Nope. If an email caused it, them writing the email did. None of what happened is on you. And if you worry that the next time it happens you want to give a warning, not on your life do you do it. This whole system is based on trust with the IT people to do the job and do it professionally. I wouldn't tell my own kin that their boss is investigating them if it was due to a job duty.
That doesn't mean "just grant access to boss," that means make sure there is a written process so if someone wants to look at an email, you point them to the process and it's someone else's approval, not yours.
bukkithedd@reddit
First things first: get this shit in writing!
I CANNOT stress this enough. It doesn't matter what type of company you work for, get this shit in writing.
Secondly, if you're in the EU, be very careful. GDPR is NOT a joke, and the fines for breaking that set of rules can be extremely steep for the company you work for.
vandon@reddit
Not just get the instructions in writing, CC HR and Legal for advice.
mybrotherhasabbgun@reddit
Yep, right here. Also, not really applicable since this is a smallish business but in government or large corporations you might be giving a manager access to communications between the subordinate employee and HR about an ongoing complaint about the manager. We would never give access to an active employee's account. Ever.
Evil-Bosse@reddit
A small GDPR violation is still €10 million (or 2% of company annual turnover whichever is largest) in fines. A lot of small companies would go under with a €10 million fine, so if no legal department exists I want the CEO to be aware of those fines before signing off on it. And in most cases where I've highlighted this the CEO has responded with a "oh no, I'll handle this petty squabble".
bukkithedd@reddit
Yep, absolutely. If something I did caused the company I work for to be hit by a €10 mill fine, I can absolutely without a doubt guarantee that I'd be without a job, instantly.
bukkithedd@reddit
Here in Norway there's specific laws that prohibit it. You CAN give access, but the employee HAS to be given written notice that it's happening, it has to be for a limited, stated time, and the employee should be present when the mailbox is opened.
Generally speaking, opening an employee mailbox is as legally strict as opening their physical mail is. The amount of redwood trees complete with branches, squirrels, birdnests and acorns the government agency that sets policy on this can shove up your backside is frightening, and NOT something I'd want to be on the receiving end of.
JBD_IT@reddit
You don't get any lube either, they just go in dry.
bukkithedd@reddit
No lube, no foreplay, little warning and a LOT of force.
FarmboyJustice@reddit
Those acorns tho...
Greerio@reddit
You’re right. It should be about policy. What does the policy say? Don’t have one? Found a gap. Write one.
bukkithedd@reddit
On things like this, I never write the policy. I leave that to legal/HR. It's their job to ensure that the policy follows all applicable laws.
techierealtor@reddit
Same thing in America. It’s one thing to grant known access to mail, unknown, I want HR and legal to at minimum say “we are aware” if not outright say “go ahead”. While data privacy on company systems is nonexistent in America, still at minimum ethics violation.
gzr4dr@reddit
Yup. IT can assist with technical guidance but the policy needs to be owned by HR or Legal. IT just administers the policy.
Greerio@reddit
Don’t mean to imply you specifically, but the company in general.
Dwonathon@reddit
I do this every once in a while and never think anything of it.
"Hey, can you give me access to Sharon's emails?" "Sure thing, you'll have a shared mailbox on your Outlook in 10 mins."
Local_Trade5404@reddit
I would not beat yourself up for that.
1. Work emails are company property so should be used for work things and company can have access to it.
2. Boss wanted to fire that guy anyway and you can't know if something on emails helped with that or not (probably not, if he had found something in there it would be probably disciplinary kick).
Suspect6307@reddit
A lot of companies put a clause in the on-boarding paperwork that states all electronic communications performed under your company account are the intellectual property of the company buuuuut, I 100% agree with pushing this back as an HR request to be sure internal policy is followed.
Biglig@reddit
I have a process where this will be done but only with the written approval of our chief compliance officer. Generally, if anyone wants to potentially break the law I need their sign off :-)
TechIncarnate4@reddit
First of all, you did the right thing by going to the owner. Always get approval in writing from HR or owner. Second - You have no idea if there was cause or not. It's none of your business. They could have been embezzling money, they could have been lying to clients, they could have been sending company data out to their personal account, they could have been harassing someone. Who knows. If they wanted to share the reason for the termination, then they would have.
Stand-Upstairs@reddit
A good rule for this, is that someone cannot request their own access to things. We always push the management to go up their chain of command to get authorization for something like this. Usually we require a justification to be included, with what they're looking for, where they're looking, what's the business need.
If you don't already, develop a policy that follows proper access controls and access management.
stevorkz@reddit
Get it approved via email. Other than that there's not much you can do. Technically, mailboxes are the property of the company. There should not be anything private in there that would bring on the notion of privacy violations.
casetofon2@reddit
That's a GDPR thing and needs to be signed off from a GDPR Compliance Officer from inside your company. Throw the entire GDPR Laws into his face and tell him to read it.
SiIverwolf@reddit
If in the EU, sure.
AU, and by the sound of it US, there is absolutely no assurance of privacy for your staff mailbox.
It can vary a bit from one company to the next, and sometimes there's HR policies around who needs to approve that kind of access, but particularly in a small company with no real HR, if the boss comes in and says do it, there isn't really any protections (at least not that I'm aware of).
descartes44@reddit
Workers have no expectation of privacy in their tech environment. You should have a policy that tells them this. Just always make sure that you get the request in writing, and document the info handover. If it becomes a legal thing later, you can prove that you were following the manager's directive.
wrt-wtf-@reddit
This is a HR/CEO level call in a small company. Get your request in writing.
I’ve had issues where one of my employees was bullied by a middle manager to snoop on browsing history and emails of employees not even within their section. I wasn’t able to intercept it in time but this ex-military manager did a full standover of my colleague. She let me know after the event - in a remote location - and I pulled in HR immediately.
Anyone involved in the incident was removed from the business immediately and flown back to their home base. I struggled to keep my colleague but in the end, being a remote site with HR having everyone muted, the rumour mill did the damage to her tenure that the manager started.
The advice is to never get in the middle of these things even if you are threatened. Being in IT means that you have the keys to lots of information that isn’t otherwise accessible.
TwinIronBlood@reddit
Why did you risk going to the CEO? If it happens again tell them. They need to get HR and the CEO to sign off on it in an email.
termrannz@reddit
I've been there in this same situation, except it was access to about 60 people's mailboxes, including managers beneath them. Got an email from the manager saying "just get it done, HR will approve it". Kept the email as a CYA, backed up in multiple places. The manager then got rid of that person, and about 15 others, mostly unjustified - they settled any employment disputes with a payout and NDAs.
Found out the manager later placed the head of HR so got automatic approval for anything. Felt awful at the time but at the end of the day, I was following orders and it wasn't worth risking my career over.
Professional_Mix2418@reddit
It depends on the jurisdiction you are in, and what the company handbook or internal staff acceptable use policy states. Regardless of the size this is for not only who wears the HR hat, but also the CISO hat, and I’d argue the DPA hat as well. If the employee wasn’t informed ahead of the event then you may not have acted lawfully enabling that.
Call_me_Telle@reddit
Well it’s not your business what other employees or your manager is doing or not so I see no point in thinking too much about it.
Where I work at (EU) this wouldn’t be possible w/out approval of HR, Work Council, CEO and Data Protection Manager
FireFitKiwi@reddit
Company email is company property. HR should be involved and you need official requests to breach privacy however. Tldr don't talk shit on email or teams. You have Snapchat for that
notHooptieJ@reddit
who is authorized to approve that?
if they are, do it and move on. otherwise, send their request cc'd to the approver.
Stay in your lane on this one, it's icky, but not illegal in most places (unless you're in the eu).
National_Way_3344@reddit
There's no fucking way I'd do this for anyone without HR manager signoff.
FortiSysadmin@reddit
50 employees. There is likely NOT an HR department or anyone whose sole job is HR crap.
Telnets@reddit
Pretty much this.
As IT, I'm not there to make decisions, I'm there to keep the system online and ensure people have what they need. I don't fill requests unless I have a signature of the person above the one asking for the request. If there is no one above them, HR sign off. This goes for any change to the system, big or small, or any asset that leaves my hands.
Simple as that. Never put yourself in the position where you can't say "this person authorised it"
National_Way_3344@reddit
My job is to make sure there's a pile of data to analyse if there's a cyber security incident.
My job isn't to generate a report of a user's web access log so you can fire them.
Boky34@reddit
Are you NA or EU based?
OtisB@reddit
Every company has different approaches to things like this. The place I'm at now and the previous one - were both pretty up front about the company owning the email contents and so it wasn't abnormal for a manager to ask for themselves or someone else to have access to someone's email for purposes of making sure work got done. Because this was the norm, I didn't and don't question it but I DO make sure that my manager knows whenever this happens because if there's some goofy shit going on that I don't know about, they will.
BlitzNeko@reddit
If the company offers health insurance in any fashion, then that would constitute a violation of HIPAA.
If a manager ever complains about employee gossip, that’s a huge red flag time to get your résumé out there.
4thehalibit@reddit
We will do direct manager only. If anyone else asks it goes through HR
vrtigo1@reddit
Access isn't yours to give or restrict as the systems in question don't belong to you, they belong to the company. You're a tool that does what the company tells you to do.
Not trying to frame that in a bad context, just reminding you that morality shouldn't really enter into the discussion here because of the above.
But, this might be a decent opportunity to draft an IT policy to formalize the process for this sort of request in the future so you've got your bases covered.
National_Way_3344@reddit
I actually think you're dead wrong on that.
IT has ethics.
I've been asked before to perform an invasive inspection of someones web search history.
While the technical capability may exist to provide access, and the data is usually collected for generalised analysis - it doesn't mean just any person can request scoped data. You ain't getting that shit from me unless the request comes from the HR Manager.
vrtigo1@reddit
Dead wrong, on what specifically?
I think you've missed my point. I never said IT should do this, or shouldn't do that. I said that without authorized direction from the business, IT follows established policies and procedures.
The point is, the decision does not lie with you as an individual.
VG30ET@reddit
Agreed, we always get access requests in writing with either director or HR approval, company policy clearly states that all IP and information stored within corporate domains is owned by the company, and subject to search at any time.
progenyofeniac@reddit
Agreed, with the limit of what’s within the law, of course. But at least in the US, email and email systems belong to the company. It’s really no different than if a manager or HR wanted to search an employee’s desk. There’s no expectation of privacy.
lesusisjord@reddit
CEO asked me to do this. I converted it into a shared mailbox and gave him permissions to it. Undid the change when he was done.
The CEO also made sure I got bonuses every year, gave me raises, and started my salary $7,500 higher than asking when I first joined.
I can be loyal when it’s obvious it’s gone both ways.
ChampionshipComplex@reddit
Staff need to have signed an Acceptable Use Policy first and foremost, stating that they should have "No expectation of privacy while using company owned equipment" - and then this sort of action should only be taken when made in writing from the HR department - and it is HR that should receive access to the emails not the manager.
daddyrabbit78@reddit
That's exactly how our chain-of-command works. The manager asks HR, HR asks legal, legal green-lights, HR comes to my boss, my boss comes to me, I get what they're asking for, I give it to my boss, my boss gives it to HR, HR gives it to legal, legal reports their findings back to HR, HR lets the manager know of their decision. ALL in writing. Manager never sees a single byte of data. It's basically like getting and executing a search warrant.
angel_rayo@reddit
If it’s company email, then the company has the right to look at it any time for any reason, at least assuming they have a competent security head - the acceptable use policy should state this clearly (often known as the “no right to privacy” clause).
The devil is in the details of course, in this case the process through which this happens (not usually because a manager just asks) but ultimately, yes, the company has the right to do this whenever, and should. When I craft these policies, they always include a statement reminding employees who wish to maintain privacy to use their own hardware and personal accounts, and encrypt them for good measure if they are particularly worried (although at that point, why work there? but I can’t say that).
Also…people say go to HR…look, the only reason for HR‘s existence (at least in an American corporation, so this may not be relevant to you) is to protect the company from its employees. If anyone tells you otherwise, they are lying. It’s all a liability game, nothing more.
daddyrabbit78@reddit
You're absolutely right. Unfortunately, a lot of small companies don't pay a legal team to go over their policies with a fine-toothed comb (it's moronic to NOT have what you said in there, but alas, they depend on implication). And we all know that ambiguity in a policy/contract benefits the person that didn't draft it (the employee). Nothing should be implied. That's why when I was freelancing, after a court scare, I started drafting my own contracts that clearly stated my policies on user access with or without their knowledge.
TK-CL1PPY@reddit
If the employee manual is actually readable (although a company this small may not have one) there is almost always a line similar to "You have no expectation of privacy when using any company information technology resource."
It sucks when you get asked to do this. Lying about your ability to do it would probably get you fired. As others have said, you absolutely get the authorization in writing. I always have either the CEO or the CHRO do it. There have been times when they said, "no way."
It is almost always a personal dislike driving the request. Having governance (owner / CEO / HR) separated from implementation (you) is the right way to do this, and is a documented procedure at the bigger shops I've been at, and issued to HR and IT. We also create an internal ticket for it.
Depending on your risk tolerance, you could set a calendar reminder for three months in the future. Casually remind the owner of the access request, and that you learned last week what the proper method for doing this is. Ask for implementation. He might be cool with it. He might get pissed off and do anything that strikes his fancy to make work suck even more. He might fire you.
Good luck OP. Oracle just fired 30k people, and AI is starting to really hit IT jobs. Despite that, the best time to get a new job is when you are already employed. The place you are working at now isn't where you want to be. Personally, I'd keep my mouth entirely closed on the subject and start job hunting.
Mindestiny@reddit
This is where the ethics of IT comes into play.
We are, and always must be, a neutral party. That doesn't make us Yes Men, but at the end of the day we serve the interests of the business, and as long as it's not against company policy and not against the law, a manager has every right to look through their subordinates' emails and we do not get to pass judgement on whether that's "appropriate management." What they choose to do with that access is up to them. There is no expectation of privacy for a company owned and operated email box, IT could see what's in there, HR could see what's in there, managers could see what's in there, etc.
If something feels hinky, you loop in HR and make sure policy is being followed, but beyond that it's the same kind of thing as "I know this list of people is getting laid off tomorrow, do I tell them?" and the answer is absolutely not.
Don't get me wrong, I've absolutely refused to do unethical and illegal things business leadership has asked me to do. But a manager checking the inbox of their subordinates doesn't fall into that bucket. And every time someone in IT breaches the business's trust by not supporting the business, it makes it harder for all of us to earn that trust back. Businesses give us the keys to the kingdom, we have access to damn near everything and without trust from the business we can't do our jobs. We need to be proper stewards of that trust at all times.
daddyrabbit78@reddit
Excellent post! We have the keys to the castle, but that doesn't mean we get to give tours of each room.
As a young contracted freelancer, I was in litigation because one employee told their manager that another employee was producing (not just viewing) p*rn on a company laptop. The manager asked me to take a look. Being young and stupid, I asked no questions and did it while he was over my shoulder. We didn't find p*rn, but we did discover other things that weren't illegal but definitely against company policy and the female was terminated. The policies never mentioned that all company-owned equipment was subject to search (only that they were responsible if the laptop was lost or stolen), thus an expectation of privacy applied. She sued and I was a named defendant. First time I ever heard "fruit from the poisonous tree".
The only thing the arbitrator asked me was "as a computer technician, aside from the word of Mr. [Name], did you have any reasonable articulable suspicion to search Ms [Name]'s files say for instance of viruses or malware?" I said "no". Sad part is what she was doing definitely warranted termination, but she won like five figures in the settlement. Thank God I had an indemnity clause.
Sorry-Rent5111@reddit
You seem to be concerning yourself with things you shouldn't be.
Your job was to provide access to the email of a subordinate to their superior. You did this.
At the end of the day email is company property.
Ok-Double-7982@reddit
"Not long after that the sub was fired and, as far as I could tell, there was no cause for the firing. I stay out of the office gossip but from what I overheard no one knew what the reason was for the firing."
Meaning, you know nothing. Mind your business.
We view everyone's email as the company's. It doesn't matter whose email. But, an HR request or leadership request is enough approval to grant access to any subordinate's email.
daddyrabbit78@reddit
My employer made it clear the second day I was hired - always go to HR first while the employee is still employed. No exceptions. Not even the highest management in the building has the authority to make such a request. They can't even look at browser history. If it doesn't come from HR (who is ordered to contact company lawyers first), it doesn't get done. Period. Even if I have to remote into a PC for support, I'm obligated to ask "is there any sensitive information on your screen?"
Now after termination (ceremoniously or not), management has complete access to emails and their company-owned computer. That is why I tell everyone during onboarding to read the handbook and completely understand the expectations of privacy when it comes to company equipment and services.
Secret_Account07@reddit
It’s not unheard of.
I know everyone says to reach out to HR, which honestly is the proper process, but if your manager directs you to provide access to xyz I think you’re covered. Get it in writing and don’t ask questions. If something comes up 5 months down the line play dumb- yeah I didn’t ask but I assumed Bob would be out of the office or they were working on a project. So I followed manager’s advice.
In my last role we would do this when someone was on vacation or needed it for records request.
If you trust the coworker I’d give them a heads up but only if you really really trust them and trust them to STFU about it.
It’s also possible your manager knows something you don’t. Maybe HR or mgmt is aware of something.
HR is usually the right move but don’t put a target on your back. It’s work emails and they own them. If he is doing something inappropriate it’s on him, not you.
Assumeweknow@reddit
Owner is the last say on this. If he's okay then you got approval. Don't think about it too much. Part of the job is facilitating productivity and approved access.
splntz@reddit
If it was a company e-mail account and or company computer the company owns that data whether you or the employee likes it. It's pretty simple in those terms. If it was an employee using their personal e-mail for work related stuff that's a different story altogether.
HerfDog58@reddit
If my manager asked for this, the first thing I'd say would be "I need authorization in writing from the CIO and President directing me to do so, and I want written confirmation from HR that action is not in violation of any company policy that could lead to my termination." If they gave me all that, I'd provide the access. After all, company email accounts belong to THE COMPANY, not the user, and NOT to you. In most locations they are no different than desks and chairs - employees are authorized to use them, but that doesn't mean the company doesn't have total control over those assets. And with email, every company I've been with for the past 25 years stated that "company email is company property and the employee should have NO expectation of privacy of email content."
In this case, if the owner says to do it, it's pretty much a done deal. It sucks, I wouldn't want to be in that position, but just because it might not be pleasant, or could be a shitty thing to do to that other employee doesn't mean it's illegal. It's also not really your place to judge whether the employee did anything wrong or not, it's your job to support the IT needs. That doesn't mean I wouldn't be watching over my back to make sure there's no target on MY back. And if you feel like this was inappropriate for the owner and manager to do, you don't have to continue working for them...
If the company has HR/Legal teams, this would probably be referred to them to make sure the company doesn't end up on the losing end of a lawsuit.
EVERGREEN619@reddit
I would be very careful with the language you use. You definitely have the right idea but this reads to me almost like a combative stance on a completely normal request. One you will get many more times in the future and one they have asked IT people to do in the past without issues. Honestly I would just leave out the part that you could be terminated for following a superior's orders or requests.
nighthawke75@reddit
Or worse, like a regulatory agency. Education, for example, has to adhere to rules from AT LEAST 8 state and federal agencies. Being noncompliant with any one of them may put their money flow, or even their ability to function as an educational institution. It gets nasty.
OldGeekWeirdo@reddit
It sounds like a smallish company. Going to the owner was certainly an option, especially if there isn't an HR.
Getting permission (hopefully in writing) covered your rear. It is what it is and probably not much you could do about it.
Master-IT-All@reddit
Sounds like you did your job properly. You did the right thing.
End user makes request you can't authorize. Ask someone who can. Get authorization. Do work.
5eppa@reddit
In theory, any data on a company device and going through company tools like the email that's owned by the company is considered the property of the company. Never assume your Teams conversations cannot be on the desk of your boss.
Ideally that fact is in the policy somewhere so it's easy to point to. If the owner says you can share, save that and get it in writing. Then if there is a problem the owner or at least someone else is responsible for the fallout.
Fitz_2112b@reddit
You did the right thing by taking the request to the owner. Anything that happens after that is not on you.
NotPennysBoat721@reddit
Sometimes in this job you will do things that feel gross, but it's the nature of the position. Get it in writing, then just learn to mind your business (not in a snarky way!) and do what your leadership is asking. Make too many waves over direct requests, and you'll be the next one. It sucks, but you get used to it, to a degree.
Tricky-Service-8507@reddit
If HR approved it, sure; if not, go away.
email_person@reddit
Ask for a formal ticket to be submitted with proper manager approvals for tracking and audit purposes.
Possibly the person was already on the block and the manager wanted email access for continuity purposes.
Really, it's not your job to manage interpersonal or HR issues on another team. Just make sure you're covered with the right paper trail.
Ok_Discount_9727@reddit
The manager entered into a legal nightmare there if the subordinate ever figures that out.
In larger corporations that's why these things always go through HR/Legal.
kaiserh808@reddit
Were you employed by the subordinate, or the owner?
The company owns the email account and all communications within the email account.
If the owner of the company instructs you to give them, or someone nominated by them, access to an email account that they own, then it’s on you to comply with a legitimate request.
This is a very clear cut situation where it’s not up to you to decide what’s right, you do what you’re asked to do by the person that employs you.
Mephisto506@reddit
Having a defined process isn’t a bad idea, though.
xSchizogenie@reddit
Well, at least in Europe this would be illegal.
jupit3rle0@reddit
Full stop - you don't know that. And it's really not your responsibility to make determinations on a specific employee like this. There could be a whole list of red flags this employee had accumulated; likely stuff that had nothing to do with email.
Best thing you could have done here is provide full access to the mailbox (doesn't notify the user) and be done with it. The more you try to gatekeep and inject yourself in between a manager and their sub, the more of a reason you give them NOT to trust you in the future.
Don't self-sabotage. Stay in your lane. This is r/sysadmin, not r/managers.
MeatPiston@reddit
Shit advice. You can be held liable for unlawful actions performed at the behest of someone else.
jupit3rle0@reddit
Unlawful? The employer has full ownership of the employees' company email. There are zero laws being broken here. Private businesses can do this.
MeatPiston@reddit
Yeah you sound like management material.
BrainBlight@reddit
Our employee handbook clearly states that all computer equipment, user accounts, and email accounts and the like are the property of the company, are visible and monitored by IT at all times, and users have no expectation of privacy when using company-owned equipment. All employees are required to sign off on the employee handbook yearly.
But yes, always get that access request in writing from HR.
msp_can@reddit
We always were told (by HR) to treat HR as a "judge" - HR gives the written "warrant" with the parameters to IT and IT can action within that defined scope. That said, if a CEO or chair of the board (normally with a second board member signature) gives the directive (as I've had where the board was firing the CEO), there's little you can do but ask for it in writing. Hindsight - something like this should be in a policy/procedure so you have something to push back on.
Bodycount9@reddit
Company email is not owned by the worker. It's owned by the company. Thus the company can do whatever they want with your email or anyone else's email.
This is why I tell people to not use company email for personal uses. It's just asking for trouble. Use your Gmail account for that.
I would need IT director approval, director of the person asking approval, or if it's a director asking then C level approval before I give access. And it needs to be in email with their approval.
not-at-all-unique@reddit
I would suggest HR, just so you can have a sign off on this.
However. I don’t see any issue, at all, it’s company email, not your email, you should not be using it for personal stuff, it’s not private, there is no expectation of privacy…
boxyburns@reddit
At the end of day your thoughts on this don’t matter. Your job is just to follow the process. Approval from owner if there is no cto / hr seems fine. Just get it in writing as others have said.
Balkghar@reddit
I am glad that in my country (Switzerland) this is illegal without the explicit written and signed approval of the user.
MeatPiston@reddit
In a functional organization this type of request will need sign off from several parties that are all high up. Not only for data governance reasons but it could also be a legal minefield. Employment law generally heavily favors the employee if an employer screws up, and varies by jurisdiction.
That said, small companies are rarely functional and I’ve seen owners gleefully do things that absolutely get them obliterated in court.
Make sure you also know how to implement a discovery hold is all I’m saying :)
Hefty-Possibility625@reddit
If everything is above board, it should go through a standard process like creating a ticket, getting HR Approval and generally documenting the request and approval. If your normal process is to take verbal requests and transfer them to a ticket, then I would have done that as long as you are consistent with that approach, you should be able to fall back on "standard operating procedures" if the manager comes at you for putting the ticket in. They either follow SOP or cancel the request.
YeastyPants@reddit
Every big company I've worked for required the person's approval in email before anyone on the email could access a mailbox. Do it without permission from the person owner of the mailbox, pack your shit and get walked out immediately
BrentNewland@reddit
Assuming you're not in the EU, that's not the employee's email or the supervisor's email, that's the company's email. Barring certain legal situations like HIPAA, there should be no expectation of privacy from the employer in work email.
For me, if a supervisor asks for access to a current employee's email, I check with that supervisor's supervisor. You got the OK from the company owner, so you did everything right (except for getting it in writing).
maceion@reddit
The main thing is a person should not be given access to another's correspondence without a court order. Copyright in correspondence lies with the writer.
Greed_Sucks@reddit
In the USA it is absolutely legal and I have often granted such access.
Elensea@reddit
Business as usual in the US. It’s been stated in every employee handbook I’ve seen where email is company property with no sense of privacy.
Greed_Sucks@reddit
I agree with it. I mean if I had a company I would want to inspect how my employees are treating clients from time to time.
jhuseby@reddit
A court order for a small business company email? I think you might be taking your job a little too seriously.
su_A_ve@reddit
Always, always get approval in writing by the owner of the data - that is HR or the owner of the company…
Sad-Twist-5911@reddit
Thankful for GDPR.
justaguyonthebus@reddit
He was always going to get fired. By the time he is asking for access to the email, it was already decided. They were just fishing for the best excuse.
I knew of a manager getting let go for violating company policy. What company policy? Not keeping original receipts for 6 months that were scanned in and submitted for reimbursement.
Once they decide that they are getting rid of you, they will find a way.
Pyrostasis@reddit
I'm not a fan of doing it but I'm a facilitator, at the end of the day it's the company's system.
We started getting these requests a few years ago. I spoke with leadership and HR and we settled on a clear request in writing must be submitted, then IT leadership and HR leadership meet and yay or nay it.
All of that goes in a ticket and access is for a set period.
IE if so and so is going on maternity leave and she has 12 big clients that need to get white glove treatment then her box can be assigned to the coworker that is covering for them.
For managers it's specific purpose only and usually only for a few days.
Everything goes in a ticket and is documented, and everyone involved is aware it's going in writing. It reduced the number of requests but they still happen.
Asleep-Bother-8247@reddit
I always send this shit to HR. Even when it's something simple like 'Steve isn't at the company anymore but we need some stuff from his OneDrive' - it goes to HR for them to approve providing access.
hkusp45css@reddit
I try to remember that these systems belong to my employer, I'm just paid to make sure they work.
If someone in my org comes to me with a request which is 1) Legal and 2) Within my abilities, my job is to handle it.
It's really that simple.
I can't invade someone's privacy on their computer in my org. Nobody has any expectation of privacy, in the first place.
The mailbox, the messages, the address, all belong to the employer. If they want to read them, I can make that happen. Whatever happens after that has nothing to do with me.
iSurgical@reddit
This is a great reply. We don't own anything when employed by a company and people tend to forget that.
We have employee monitoring software upon request. Do I agree? No, Can I do shit about it? No.
False-Pilot-7233@reddit
Where I work, a form needs to be sent in by HR. Along with signatures from legal, management, and C suite.
Humble-Plankton2217@reddit
Small company, owner authorized it. What do you think you could have done? Said no and gotten fired?
Polar_Ted@reddit
I forward the ticket to our security team. If they and legal agree we do it.
Grif73r@reddit
Typically, this needs HR approval.
The end user doesn’t ever need to know. There’s no expectation of privacy with corporate emails.
Regardless if you don’t believe they’ve done anything wrong, isn’t for you to decide. You’re not their manager here.
As for cause for firing, depending on your local laws, some places don’t need to give a reason for termination.
Disgruntled_Smitty@reddit
In my org management has those rights via policy. Thus if they request it, we offer permissions. So from my perspective if the owner said do it and the request was approved I'd do it.
yellowadidas@reddit
run that shit by HR
nighthawke75@reddit
Legal too. Both teams will grill the c level til well past done.
jdptechnc@reddit
Always an HR question, and always get it in writing.
lanekosrm@reddit
You got this in writing? If so, it’s scummy, but given the owner’s approval, you didn’t have much choice other than walking away. If you did it strictly on verbal authorization, check local laws to make sure you didn’t just expose yourself to risk.
ISeeDeadPackets@reddit
It's really none of your business why they were fired and I have no idea why you feel like it is. I would have done it with just the manager asking as users have no right to privacy in company email. You took it a step beyond that and took it to the owner and were still told to proceed.
It's business email, not personal email, I have no idea why so many people get hung up on this stuff. If you think they're firing people for no good reason then maybe look for another job, otherwise do yours and let the owner manage the company the way he feels is best.
On another note your statement that you could have just lied to the manager is also troubling. What happens when you tell someone something like that and they later find out it's inaccurate? Their only possible conclusion is that you are either incompetent and don't know how the things you're responsible for actually work, or you're a liar. Are either of those the impression you want out there?
biffbobfred@reddit
Other than asking for it in writing (so they can’t say you did it without asking) there’s not much you can do here. Everything on any work computer belongs to the company. I just assume anything I do is snooped upon.
magataga@reddit
For future reference always make sure to include HR in anything like that.
sryan2k1@reddit
All requests like this must come from the user themself or HR. No exceptions
florence_pug@reddit
That makes zero sense, like at all.
sryan2k1@reddit
"Hey I'm going out on leave and want my manager or coworker to have access to my mailbox while I'm gone"
Super normal depending on the business vertical you're in.
florence_pug@reddit
HR makes sense. The user being involved in this situation makes zero sense, hence my comment. Even still, where I work, a user cannot make this request. They don't have the authority.
sryan2k1@reddit
I mean the user can make the request and you can say no. Like I said it's up to the individual business and how you operate. Requests like this are fairly common in sales or anything where direct customer contact is watched while someone is out of office.
In M365 by default a user can delegate access to their own mailbox themselves. Have you disabled this or did you not know it existed?
florence_pug@reddit
Always the arrogance comes out. Good day.
VinceP312@reddit
Email is a company resource and it's not up to you to override the "policy" of the owner.
You can create your own company and put your blood and tears into it and make any policy of your own.
Gavello@reddit
3rd party reviews the request. This could be HR or Legal but a party with the authority not directly related to the request. This is to protect yourself but also the person making the request to ensure that it isn’t just a manager snooping. Once they sign off, all clear. There is no expectation of privacy but managers don’t just get to dictate what access they get. If there’s a need for access to be granted without knowledge, then you’d expect a higher escalation would already be involved in an investigation.
They can always ask the user to grant mailbox access themselves if it’s something like vacation coverage.
waxwayne@reddit
It all belongs to the company.
The_Koplin@reddit
With regards to my state and where I am in the US. I have just about every manager asking to read subordinates' emails, to ensure they are doing their job, not using it for personal reasons, being professional in communications, complying with policy, and critically so that if something comes into the subordinate's account they can help out when the subordinate is not around.
Another point of view you might consider is the manager was going to fire the subordinate no matter what, perhaps they wanted to see if there was any project or communication the manager might need to be aware of and prepare for once the process of separating was complete.
As IT I give myself access to anyone's I need to do my job, to validate things like 'I didn't get such and such' only to find it in an automatic filter that filed it in 'crap I don't read' or some other such folder.
At the end of the day, I could care less if everyone is reading everyone else's email. There is no expectation of privacy, it's a company tool to be used how the company sees fit. If they wanted privacy that is what encryption is for. That said you can read into a few things sometimes. If HR asks for the account to be disabled on expected last day of X. Likely good terms. IF however HR says term now and they are escorting the person out. Likely a bit more friction in the separation. Either way, not my problem. IF I have an ethical issue about it, I can and would choose to work somewhere else.
F7xWr@reddit
They can file EEO, don't worry.
Down_B_OP@reddit
I think you are going to get two flavors of responses from the two types of Admins:
The corpo "just business" admins will say that a request from a supervisor is absolute and it's not your place to question it.
The "I'm just a guy doing a job" admins will say that while the task was unsavory, you followed the chain and you can only do what you can do.
I hate requests like that, they feel shady, but it is our burden to bear. It may be worth talking to HR and formulating a policy for these situations so it isn't a gut-check next time. At my current workplace, I have it arranged so all requests like that require a form be filed by the requester stating the purpose of the search that is sent to HR and confirmed by them before access is signed over.
bukkithedd@reddit
I despise requests like it, to be honest, and I go out of my damn way to make damn sure that my own ass is covered when I have to carry them out.
Montyg117@reddit
Anything typed or saved on a company account/device is company knowledge. There is no expectation or obligation of privacy. You did nothing wrong.
Bubby_Mang@reddit
Some dipwad manager can't just access other people's inboxes without executive approval and some paperwork.
Why is it not doable? We do that all the time.
Chaucer85@reddit
1) Don't ever lie about why you can't do something. Don't make up a reason that could be disproven if the requestor asked someone else.
2) In smaller companies, managers and leaders feel a sense of privilege to access whatever/whenever, despite that being very poor security practice. Getting things in writing at least covers your butt and makes a paper trail. You aren't saying no, you're just forcing them to acknowledge they know what they're doing can be open to later audits.
3) You aren't responsible for who the business does or doesn't fire. That's out of your control.
I've granted delegate access to dozens if not hundreds of accounts, but it's always documented in writing. That said, my last company, managers could request access to any of their direct reports' accounts, and it didn't need to be approved by HR. Only if someone who was not in line was asking for access to something, in which case we needed in writing that the manager approved it. If it was a terminated employee, HR was always involved because they assumed stewardship of these accounts until the data was migrated to a shared/team resource.
jhuseby@reddit
Best thing to do is just to cover your ass: email whoever is in charge of your HR with the request. Feel free to even add in your recommendations on how to proceed. But if they say to give access, then you give access, just make sure it’s in writing.
Thisbymaster@reddit
Always cover your butt. Document everything in an offline fashion. Doing weird things like this can be very illegal, harassment or just sketchy. Check your local laws and cover yourself.
DegaussedMixtape@reddit
You did essentially everything right here. If you didn't trust the manager to be acting within the rights of their role, you got another level of approval.
Granting rights for a manager to view emails, chats, call logs, screen time metrics, or whatever is all well within reason for a business to request.
Just this week I had to pull all of the sign-in logs, group membership, delegate access, etc of a user to provide to their manager because they are on the hot seat. It's really not your place as a sysadmin, engineer, ticket worker to protect an employee from their manager.
The one thing that I would absolutely not do in the future, and it sounds like you didn't here, is divulge to the sub that they are being monitored. Life isn't always fair, and maybe this employee didn't deserve to get fired, but it's really not your place to intervene. If it gets toxic and hostile, either continue to work with the good managers to fight the good fight or brush up your resume.
shelfside1234@reddit
Ability to access a subordinate’s mail is an HR issue; not your decision really
mystateofconfusion@reddit
Something similar happened to me. Small company and basically the person who ran the company asked me to do something similar and I too went to the owner. He said no, owner spoke to him directly about that and to let me know if I was ever asked to do something similar and I never was.
jdiscount@reddit
Honestly I don't find this a big deal.
Work email should be just that, work related.
I'd have no problems with any manager accessing my work email without my knowledge as
1) I don't have any expectations of privacy in a corporate workplace
2) my email is purely work related and honestly pretty boring, there isn't anything out of place and I have nothing to hide.
In saying all of this, there should be a process.
But in the case of a smaller company, it's usually just do whatever management ask.
Greerio@reddit
If it’s a company email, the user should expect that the boss can see it.
trebuchetdoomsday@reddit
make sure to disclose it. this is specific to california, but privacy laws (used to) like to expand.
https://www.callaborlaw.com/blog/no-written-policy-no-email-monitoring-allowed-in-california
In light of the Second Appellate District’s recent decision, and other practical considerations, California employers that monitor, or intend to monitor emails at any time in the future, should incorporate a written email policy that explicitly informs employees that the company will actively monitor their company email accounts. A California employer’s failure to have such a policy and practice may lead to a finding that the employee has a reasonable expectation of privacy in their work email accounts, consistent with the Constitutional right of privacy set forth in Article I of the California Constitution.
Happy_Kale888@reddit
It is up to me to enforce the rules; I only make them when asked by my superior. It is very simple. You need a policy in place to cover such things and a ticket system where you can track them. Does not need to be fancy.
WWGHIAFTC@reddit
I have always had a personal policy (in the event there was no company policy, worked at lots of small places) that any request like this goes through HR, in writing. I don't operate in a vacuum.
Employee requesting file access? Must come from their manager AND the manager of the department that owns the files, if different.
Employee requesting camera footage? Must come from a manager, and signed off by HR.
Manager wants employee email access? Must be signed off by HR, and I'll include director level or executive level in the email chains.
demzor@reddit
It’s not the user’s email.. it’s the company’s email.
badaz06@reddit
When I am asked to grant people access to things belonging to others, there is always tracking of that request. CYA from HR, Legal, and any potential lawsuits.
If you don't have something in place, it may be worth speaking to someone up the food chain to establish it. Never rely on "Oh my manager is a great person and would back me" because when he's got to make a decision that either he gets fired or you do....99.9% of the time you're getting fired.
ParkerPWNT@reddit
"Would the firing happen if I had not given the access? It probably would have happened no matter what I did, but it still bothers we as I am not sure I did the right thing."
No one knows. You did the correct thing which was to escalate the request.
The Owner signed off on it. You did your due diligence.