Investigation of an employee's work computer

Can the employer control the content of the employee’s work computer?

The urgency of a crisis and the particular context of a computer incident mean that we must not fall into the trap of haste.

Indeed, a set of rules and precautions must be taken into account by the employer in order to be as respectful as possible of the employee’s rights, particularly with regard to the right to privacy.

Indeed, the remediation of a cyber crisis may require the intervention of technical teams on the computer of one or more employees in order to investigate the origin of the incident (sampling of event logs, analysis of a corrupted attachment, etc.).

At this stage, even if the suspicions are directed towards an employee’s workstation, the latter is not necessarily considered to be at fault. It is possible to imagine, for example, that a third party has fraudulently accessed the computer.

A distinction should be made between investigations for the purposes of the technical resolution of the crisis and those aimed at collecting evidence against an employee. Thus, it is specified here that the question of the use of the evidence collected during the investigation in order to establish the employee’s liability, in the event of a sanction by the employer or a labor dispute, will not be dealt with.

During a cyber crisis, can the employer check the content of the employee’s work computer and/or hand it over to the company’s technical teams in order to investigate?

I- Mandatory compliance with the rules prior to the investigation of the employee’s computer

The issue of the investigation of an employee’s work computer should ideally be done in consultation with the lawyers, HR, the DPO and the technical teams in order not to make mistakes in the urgency of the crisis situation.

The need for a legitimate reason and proportionality to the aim pursued

In law, it is necessary for the employer to have a legitimate reason to control the employee’s computer. Indeed, the control must be justified and proportionate to the aim sought. The employer’s curiosity alone is therefore not sufficient to constitute a legitimate reason.
The need to ensure the security of the computer network – in particular the resolution of a cyber crisis – seems to be a legitimate reason.

In conclusion: the need to remedy the incident in the case of cyber crisis management seems to be proportionate and constitutes a legitimate reason for the employer to access the content of the computer

Authorization from the employee not required for the investigation of the computer

The employee’s authorization is not required to access his or her work computer. The same applies to the peripherals that would be connected to it and considered professional (a USB key for example).

A summons to the employee is not mandatory in the event of an extreme emergency

The presence of the employee to intervene on his computer is not required in the event of an emergency, i.e. in the event of a ” particular risk or event”. ^[1]
The assessment of this urgency could nevertheless be called into question a posteriori. As a result, it would be preferable to wait for the employee’s presence or at least to warn him or her when possible.

II- The investigation of an employee’s computer by the technical teams and/or the employer

Once the necessary checks have been carried out and the legal framework has been defined, it is possible to start the investigations. Depending on the situation, it may be appropriate to investigate with at least two people (HR, DPO, mandated expert, etc.).

In addition, if the employer or the technical team needs a password to access the employee’s computer, the employee is obliged to provide it. ^[2]

Caution required during the investigation on the employee’s computer

1- The imperative distinction between the employee’s personal and professional files/emails

Messages received or sent on the professional messaging system are, in principle, of a professional nature. The employer is therefore entitled to consult them in the absence of the employee. In addition, the files and files created by the employee on the computer, made available by the employer, are also presumed to be of a professional nature. ^[3]
However, if a file/folder, or the subject of an email, indicates the mention “Personal” or “Private”, the employer must not access it because he must respect the secrecy of correspondence. ^[4]
However, in the event of a particular risk or event, case law maintains the possibility for the employer to consult these documents. It can be assumed that this also applies in the case of cyber crisis management, but no case law has attested to this to date. In addition, the internal regulations may contain provisions restricting the employer’s power of consultation, by subjecting it to other conditions such as the necessary presence of the employee. ^[5]
It is also possible for the employer to make a complete copy of the employee’s hard drive in the absence of the employee. The disc can thus be entrusted to a mandated expert, who will exclude from his report the documents identified as personal. When the preservation of evidence is necessary, it is recommended to call on a bailiff who can make a report and be accompanied by the expert in question.

2- The role of the network administrator

When the security objective of the computer network requires it, the network administrator can consult all employees’ emails, regardless of their personal/private nature. However, he cannot disclose the contents of the report to the employer. It is therefore a possible means of investigation to technically resolve the crisis and not to collect evidence against the employee.
However, the CNIL specifies that this access “can only be justified in cases where the proper functioning of computer systems could not be ensured by other less intrusive means”. ^[6]

3- The presumption of the professional nature of connection data

The employee’s connection data (history, favourites, etc.) are presumed to be of a professional nature, when they have been established using the computer tool made available to him by his employer for the performance of his employment contract. The employer can thus consult them, without the employee’s presence being required. ^[7]

Reminder of the network administrator’s duty of confidentiality

On December 17, 2001, the Paris Court of Appeal stated that: “It is the function of network administrators to ensure the normal functioning of the networks as well as their security, which entails, among other things, that they have access to messaging services and their content, if only to unblock them or avoid hostile approaches.”
The network administrator is thus bound by professional secrecy, in particular when he or she is likely to become aware, voluntarily or not, of private correspondence or personal files of employees.
This obligation of confidentiality can be recalled in the company’s IT charter as well as in the network administrator’s employment contract.

Thus, investigations on an employee’s computer must be the subject of particular attention. They should not be done in a hurry to ensure that the employee’s rights are respected. The use of a specialized lawyer may also be appropriate.

[1] Court of Cassation, Labor Chamber, May 17, 2005, No. 03‐40.017: The employee is not required to be summoned in the event of a “particular risk or event”

[2] Court of Cassation, Social Chamber, March 18, 2003, No. 01-41.343

[3] Court of Cassation, Social Chamber, October 18, 2011, No. 10-26.782

[4] Court of Cassation, Social Chamber, October 2, 2001 “Nikon”: The employee is entitled, even on his or her time and at the workplace, to respect for the intimacy of his or her private life, which includes the secrecy of correspondence.

[5] Court of Cassation, Social Chamber, June 26, 2012, No. 11-15.310

[6] CNIL. Guide for Employers and Employees, 2008, p. 22.

[7] Court of Cassation, Social Chamber, July 9, 2008, No. 06-45.800