1. The nature of email
Email can be read by many people, and copies may be stored on many servers or computers as a message passes between the sender and receiver. Email may be stored for legal or technical reasons. Deleting an email from your mailbox does not mean that copies of it cannot be easily retrieved from other sources.
It may be a condition of employment that an employer has the right to read employee emails for the purpose of enforcing compliance with its electronic communications policy and obligations under the law. For example, an employer is required to take reasonable steps to protect employees from harassment and unlawful discrimination under discrimination and workplace relations law.
An employer will generally have the technical capacity to access the content of every employee email sent or received. Passwords do not guarantee that email is secure and cannot be read by others. Do not assume email is a secure mode of communication. Assume that email may be seen by the world at large, retrieved at a later date and used as evidence.
An individual, employer or a business can be served with a search warrant or court order that requires emails to be released to third parties such as lawyers, police, professional advisers, regulatory agencies and court officials.
Emails are easily forwarded, altered, forged or sent to unintended recipients by mistake.
The insecure nature of email means that an individual, employer, business or organisation (Entity) may be exposed to the following legal risks when sending, receiving or storing email.
Links to a discussion of each area of law mentioned below are provided at the bottom of the page.
2. Common law duty to keep information confidential
The common law may impose a duty of confidentiality on an Entity in a special relationship with another Entity. An Entity may be required by the other Entity to keep certain information confidential (documents or ideas, commercial, personal, artistic or State secrets). The duty is likely to be imposed by a court where a disclosure by one Entity to a third party would be detrimental to the other Entity.
An obligation of confidence may exist between an employee / employer, husband / wife or between business partners. The obligation arises from the special relationship between the Entities, not because of the nature of the information.
An Entity who places confidential information in an email later discovered by a third party may be liable in an action for breach of the duty of confidentiality. Such an Entity may also be in breach of any written confidentiality agreement binding that Entity to the other Entity.
3. Privacy law affecting a business or organisation
Commonwealth privacy law regulates the collection, use and disclosure of personal information (text, audio or video data that identifies a person, including an email address) by certain businesses and organisations. Under that law, a business or organisation must:
(a) only collect personal information that is necessary for the function or activity of the business;
(b) not use or disclose personal information without the consent of the person to whom it relates;
(c) take reasonable steps to protect the personal information they hold, and must not hold data longer than they need;
(d) clearly express and make available to the public their policy concerning the use and management of personal information;
(e) where lawful and practical, provide people with the option of remaining anonymous when entering into a transaction with a business; and
(f) not collect sensitive information (personal information concerning memberships, beliefs, health and other private matters) unless the person to whom it relates consents, or the organisation is required by law to collect it.
Personal information collected, disclosed or stored by email in breach of the above will expose the business or organisation to liability under privacy law. The business or organisation may be required to comply with a determination (which may involve compensation and remedial directions) from the Privacy Commissioner, subsequently enforceable by court order.
4. Spamming
New Australian legislation relating to spam - the Spam Act 2003 - came into effect on 10 April 2004. It is now illegal to send, or cause to be sent, 'unsolicited commercial electronic messages'. The Spam Act is enforced by the Australian Communications Authority (ACA). For information on spam laws, spam reduction, internet security tips and how to report spam, visit www.spam.aca.gov.au.
Sending unwanted or unsolicited emails (eg advertisements) to a large number of people via a mailing list or newsgroup is permitted under the new privacy laws provided an individual is given the opportunity to opt out of receiving any further direct marketing.
A business or organisation that fails to remove a person from a mailing list after the person has opted out will be in breach of the privacy law. A complaint about this may expose the business or organisation to an investigation and possible remedial directions (including compensation) by the Privacy Commissioner, and a possible compensation order.
5. Defamation
An Entity may be liable for defamation where a defamatory statement, material or imputation is made in an email about an identifiable person or someone from a group and the email is sent to and viewed by other people.
A defamation claim may be made against the original writer of the defamatory email and any person who copied and distributed the email. A defamed person may sue an employer where the employer’s company name appears in the email address visible on the defamatory email.
An Internet Service Provider (ISP) will not be liable for distributing the email unless it can be demonstrated that it was aware of the defamatory material communicated via its service.
A court order may require an Entity to compensate the defamed person for harm to reputation, make a public apology or stop the further dissemination of defamatory material on the internet.
6. Virus
An Entity should be aware that email attachments (including document files containing infected macros) can contain a virus that may infect and damage its computing systems and network. Consequential damages may arise in the form of lost business, opportunities or embarrassment.
7. Harassment and discrimination
An Entity that deals with an employee or person via email in a manner which treats them less favourably than another person on the grounds of their sex, race, disability, sexuality, gender status, age, pregnancy or marital status, or on other grounds, may be prosecuted for discrimination under workplace relations and discrimination law.
Certain email practices bestowing unwanted attention or offensive material on another may constitute discrimination or harassment under discrimination and workplace relations law.
Repeated email contact, chat room messages or posting messages to bulletin boards with the intention of causing psychological harm or arousing in the recipient a reasonable fear for their safety (or of others) may constitute the crime of stalking, punishable by fine, imprisonment or both.
8. Intellectual property rights
Protected intellectual property may take the form of text, sound, pictures, programs, cartoons, jokes and movies. The content of, or the communication of, an email may constitute an infringement of copyright, a moral right, trade mark or a patent. Such an email may be retrieved at a later time and used in legal proceedings concerning the above infringements. Copyright is protected on a domestic and international basis.
Considerable damages awards may be ordered in such proceedings.
9. Other legal risks
When using email, be aware:
(a) you may need to obey laws in other states or countries;
(b) penalties for illegal email practices can be high for an Entity;
(c) changing the return address of email or disguising your identity when sending email may expose you to criminal liability for fraud or forgery;
(d) the use of email in any way that is likely to mislead or deceive, or that contains false representations about price, quality, service, value or grade of goods and services, place of origin of goods, or the need for goods or services, may infringe trade practices legislation;
(e) email may contain information which breaches competition or consumer laws in Australia; and
(f) the export or import of encryption technology in and out of Australia by email may infringe the export law of Australia or the other country respectively.
10. Managing legal risk
An individual, employer, business or organisation (Entity) may manage the legal risks above as follows:
(a) Confidentiality
An Entity should assume that email is not confidential and is likely to be viewed by third parties.
Email correspondence in a business environment should be treated with the same level of formality as written business correspondence.
Email should be accurate, correctly addressed and should not contain confidential or potentially sensitive information.
Although not complete protection against a breach of confidence, a business email should be marked CONFIDENTIAL to indicate the information has a quality of confidence about it.
An Entity should obtain a confidentiality agreement from each other Entity involved in the handling of its confidential information, including a provision setting out what information may or may not be communicated by email.
(b) Privacy law
Before sending personal information, an individual should check the privacy policy of the receiving business or organisation to ensure it handles that information in accordance with the above privacy laws.
An individual can complain to the Privacy Commissioner concerning a possible breach of the privacy laws. The Commissioner has the power to investigate the complaint, issue remedial directions (which may involve compensation) and seek orders from a court.
An individual using interactive internet services (eg chat room, bulletin board) should consider not revealing their email address on the service given that unintended parties may gain access to that information at a later time from stored records.
An individual can use anonymity tools and cloaking technologies to provide untraceable encrypted email and protect their email address from disclosure. See Cyberspace Crime Fact Sheet below.
A business or organisation should take reasonable steps to ensure personal information is handled in accordance with the privacy law (eg implement mechanisms for removing a person from a mailing list when requested).
Where a business or organisation lacks the technical and management resources to ensure email is securely received, sent and stored, email should not be used to communicate personal information.
An Entity operating an interactive service (eg chat room, bulletin board) should have a term in the website conditions of use stating users must not disclose personal information (eg email addresses) over the service. A further term would disclaim all liability for any disclosure of personal information by a user, and seek an indemnity from the user for any loss (eg legal costs) suffered by the Entity arising from the breach of the conditions of use.
(c) Spamming
An individual may opt out of a mailing list or newsgroup to prevent the receipt of future emails from a business or organisation.
An individual can tailor their email preferences to block incoming emails from particular email addresses.
A Best Practice Model (see link below) on e-commerce generally states that a business should only send commercial email to their customers or to people who have already indicated they want to receive it. Prior to entering into a transaction, an individual should check whether the business they intend to deal with complies with the Best Practice Model.
The Internet Industry Association Code of Practice encourages Internet Service Providers (ISPs) to block incoming bulk postings from non-subscribers.
A business or organisation should implement technical and management processes to comply with the Best Practice Model to avoid breaching the opt-out provision of the privacy law and to encourage consumers to deal with it.
(d) Defamation
Given the insecure nature of emails, each email should be checked for defamatory material before being sent.
Emails containing defamatory material should be securely kept for later use as evidence in legal proceedings.
The electronic communications policy of a business or organisation should contain processes for ensuring emails are checked for and vetted of defamatory material.
(e) Virus
All email attachments should be scanned and cleared of viruses using virus protection software.
Never assume an email from an acquaintance is free from viruses. Some viruses search the address book of the host computer and automatically spread the virus to those people.
(f) Harassment and discrimination
Emails containing obscene, sexual, derogatory or otherwise offensive content (including jokes, images, animations and videos) should not be sent in a workplace environment. Such an email may be mistakenly viewed by an unintended third party, or retrieved at a later time as evidence in harassment or discrimination legal proceedings.
Anonymity tools and cloaking technologies (discussed above) may be used to protect an individual from unwanted attention or offensive material.
A person who is the subject of email practices amounting to stalking should contact the police and store the emails for use as evidence.
(g) Intellectual property rights
An email to a colleague, customer or person should not use, contain or otherwise infringe the intellectual property rights of another (eg trading name, slogan, trade mark or patent protected ideas) unless authorised by licence or the agreement of the relevant owner.
The email should not contain the copyright protected material of another or infringe the moral rights of an author unless a licence (implied or express) exists which authorises that use.
(h) Other ways to minimise legal risk
Protect your password to prevent others from accessing your email.
Forwarding non-business related email or large email files may waste valuable resources in the workplace environment.
Do not delete business related email.
Email passwords should contain at least 6 characters made up of numbers, letters and special characters, and should not be simple words or personal information.
Other relevant Articles on this site:
Copyright protection of content
Moral right protection of content
Defamation
Trade Marks
Patents
Best practice model
Trade practices and consumer protection
Spamming
Customer information privacy
Security
Harassment
Confidentiality
Disabled access
Surveillance
Electronic communications policy
Other relevant Fact Sheets:
Confidential Information
Copyright
Cyberspace Crime
Defamation
Disability Discrimination
Misleading and Deceptive Conduct
Moral Rights
Patents
Privacy
Trade Marks, Domain Names and Passing Off
Workplace Net Control