Ex Colleague emails

LegacyUser

Hi Folks.
We had a new start about 3 months ago, he was sacked last week and was a disaster unfortunately.
The rest is probably not work problem related but...
I was going through his work emails to pick up the pieces early this week and came across a number of documents that suggested in no uncertain terms that he had been scamming people(on a personal level) for the sale of high end watches. Nothing linked to my companies industry.
I mentioned it to a director and we don't know what to do.
I do a bit of buy and sell and collecting and the thought of someone spending their hard earned with this scumbag is not nice.
Would the guards care if I passed on what I knew? Is there a buy and sell watchdog or could I report his details to adverts, done deal etc?

ted1

If he was using a company email address you should contact the people immediately and also the gardai

wexie

ted1 wrote: »

If he was using a company email address you should contact the people immediately and also the gardai

Would very much second this.

I don't know if it could ever come back to the company but regardless of that it's not really something you'd want the company name associated with.

If it's not company email I'd probably still pass it on to the gards and perhaps wherever the advertising was taking place, be that Donedeal or the likes.

Westernyelp

wexie wrote:

If it's not company email I'd probably still pass it on to the gards and perhaps wherever the advertising was taking place, be that Donedeal or the likes.

If not a company email. They should not have been going through it. Otherwise contact Gardai

wexie

Westernyelp wrote: »

If not a company email. They should not have been going through it. Otherwise contact Gardai

Maybe I should have been more specific, an email account actually tied into the business name ie. Joeblogscompany.ie rather than a gmail account (or the likes) used for the business.

Claw Hammer

There is one thing you need to be careful of if you tell the guards. They might take away your computers as evidence and you won't get them back for years. Make sure everything is fully backed up and you have hardware at the ready so that you don't get caught with your computers gone out the door. There is a very long delay in Garda forensics at the moment.

LionelNashe

ted1 wrote: »

If he was using a company email address you should contact the people immediately and also the gardai

If you're going to contact the guards, I wouldn't be contacting the people (at least not without checking with the guards). They're witnesses/victims that the guards may need to talk to, and they wouldn't want somebody else getting in there first.

rd1izb7lvpuksx

You should be very careful here. Unless the Acceptable Usage Policy for email prohibits personal use of work email and unless the employee was informed before the email was sent that they were subject to surveillance or monitoring of their work email, then the act of reading their email is a breach of their privacy - as ruled on by the ECHR here: https://www.bbc.co.uk/news/technology-41160853

Galadriel

Nataly Putrid Microchip wrote: »

You should be very careful here. Unless the Acceptable Usage Policy for email prohibits personal use of work email and unless the employee was informed before the email was sent that they were subject to surveillance or monitoring of their work email, then the act of reading their email is a breach of their privacy - as ruled on by the ECHR here: https://www.bbc.co.uk/news/technology-41160853

Even after they have been sacked? :eek:

jimmycrackcorm

wexie wrote:

Maybe I should have been more specific, an email account actually tied into the business name ie. Joeblogscompany.ie rather than a gmail account (or the likes) used for the business.

It looks like they were trying to use the business for a scam so it should be a matter for the Gardai

rd1izb7lvpuksx

Galadriel wrote: »

Even after they have been sacked? :eek:

Yeah, probably especially so if they've been sacked, given that they're unlikely to have any goodwill towards the company.

Vetch

Nataly Putrid Microchip wrote: »

You should be very careful here. Unless the Acceptable Usage Policy for email prohibits personal use of work email and unless the employee was informed before the email was sent that they were subject to surveillance or monitoring of their work email, then the act of reading their email is a breach of their privacy - as ruled on by the ECHR here: https://www.bbc.co.uk/news/technology-41160853

It's a bit more nuanced than this. An employer can access employee emails using their (the employer's) legitimate interests but shouldn't monitor employee communications in an intrusive manner. The OP can report a crime to the Gardai and they can decide if they want to investigate and request the emails. There is no data protection issue with the use of personal data for investigating a crime.

rd1izb7lvpuksx

Vetch wrote: »

It's a bit more nuanced than this. An employer can access employee emails using their (the employer's) legitimate interests but shouldn't monitor employee communications in an intrusive manner. The OP can report a crime to the Gardai and they can decide if they want to investigate and request the emails. There is no data protection issue with the use of personal data for investigating a crime.

Legitimate interest is not sufficient, according to the ECHR and the DPC. It also must be necessary and proportionate, and it must be declared to the employee prior to the commencement of surveillance.

We don't have the fruit of the poisonous tree here, so the information gained improperly can be used in the investigation of a crime, but that doesn't absolve the company from illegal surveillance. It's far more likely to result in repercussions for the company and reporter than for the alleged scammer. The allegation alone is likely defamatory.

Vetch

Nataly Putrid Microchip wrote: »

Legitimate interest is not sufficient, according to the ECHR and the DPC. It also must be necessary and proportionate, and it must be declared to the employee prior to the commencement of surveillance.

We don't have the fruit of the poisonous tree here, so the information gained improperly can be used in the investigation of a crime, but that doesn't absolve the company from illegal surveillance. It's far more likely to result in repercussions for the company and reporter than for the alleged scammer. The allegation alone is likely defamatory.

The OP is silent on what the former employee was told about how his email account would be monitored. There is no indication of undue or intrusive surveillance; the emails were only found after the employee was sacked.

From the sounds of it, a colleague was going through a work account and found personal data. The colleague didn’t set out to intrude on personal data. It is within the company’s legitimate interests to access work accounts in order to pick up on business affairs. A work account may have been used to perpetrate crime. It is also within the company’s legitimate interest to protect its name. The accessing of the account does sound necessary and proportionate. It doesn’t seem to have been a personal email account that was gone through. Where a company uses its legitimate interests to process personal data a data subject can object, however, the objection may not win the day and I can’t see that it would here.

Employees can only have a reasonable (not absolute) expectation of privacy at work. Data protection is not an absolute right. It is set against a number of other rights, including the right to conduct a business. The ECHR document you linked to sets out a balancing act between employee and employer rights.
The Data Protection Act 2018 lifts various rights and obligations of data subjects and controllers, including for crime investigation. It would be unfortunate if data protection legislation deterred a person from reporting a suspected crime.

rd1izb7lvpuksx

Vetch wrote: »

From the sounds of it, a colleague was going through a work account and found personal data. The colleague didn’t set out to intrude on personal data. It is within the company’s legitimate interests to access work accounts in order to pick up on business affairs. A work account may have been used to perpetrate crime. It is also within the company’s legitimate interest to protect its name. The accessing of the account does sound necessary and proportionate. It doesn’t seem to have been a personal email account that was gone through. Where a company uses its legitimate interests to process personal data a data subject can object, however, the objection may not win the day and I can’t see that it would here.

Well, the ECHR and DPC are pretty clear that a colleague going through a work account is a breach of privacy, unless the former employee was told prior to sending the email that it may be subject to surveillance.

Everything else is tangential, since while the company can of course report what they've found, and it can be it used in a criminal investigation, it also leaves them open to legal action.

To be clear, unless the employee was notified in advance, and the surveillance was necessary, proportionate, and in the legitimate interest of the employer, then the surveillance was undue and intrusive. That the employee was sacked is beside the point, as their right to privacy isn't affected by their employment status.

Just because the business would like to access their email to "pick up the pieces" is not alone a sufficient basis to read through their email. The business is obliged to have continuity and off-boarding processes, or an AUP that expressly allows for access to email for this purpose.

These abuses are the kind of relatively minor data protection issues that will hopefully be taken more seriously now that the GDPR has provided teeth. Far too many employers have taken liberties will practices like email and CCTV surveillance on questionable grounds in the past.

B.A._Baracus

Hi op,
best advice is to do nothing. It's not any of your business. Sounds cold... but that's life. There are a million and one scammers currently trying to scam people in this world, somewhere, as I type this.

It's not a defeatist attitude to come to realisation that the Gardai have better things to do than being told about a former employee's emails scamming people with watches. It's messy. Not worth it from their side. Every day dozens of ads pop up on adverts and gumtree. Scammers galore.

the_syco

InspectorFraud wrote: »

I was going through his work emails to pick up the pieces early this week and came across a number of documents that suggested in no uncertain terms that he had been scamming people(on a personal level) for the sale of high end watches. Nothing linked to my companies industry.

What did your company lawyer say about it? If your company doesn't have a lawyer, it should consider getting one.