ICAEW.com works better with JavaScript enabled.

Case law: Changing passwords to employee's personal internet accounts on company devices ruled unlawful

Employers entitled to access an employee's personal internet accounts on a company phone or other device should avoid changing the security details on those accounts as this may breach their duty of care towards the employee, a ruling makes clear.

April 2019

This update was published in Legal Alert - April 2019

Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business.

Allegations were made against a sales director. His managing director repossessed his company phone, which the director also used to access personal internet accounts, to check the director was not misusing company information. He asked for the director's passwords for both the phone and internet accounts.

The managing director did find company information on the phone, but to delete it he had to reset the director's passwords - locking the director out of his AOL, WhatsApp and LinkedIn accounts, and his iTunes library.

The director was subsequently dismissed. He then claimed that the employer had breached its duty of care to him by interfering with his personal accounts - particularly by changing his passwords so he could no longer access his accounts.

The High Court agreed and said that the employer owed the director a duty of care in this respect because:

  • their relationship was sufficiently close;
  • it was reasonably foreseeable that the employer's action would cause loss to the director; and
  • it was generally fair, just and reasonable to impose a duty of care.

However, it said the breach only arose as a result of changing the passwords. The employer had been entitled to access the phone and internet accounts as a legitimate way of protecting its business. Therefore, it breached its duty of care only when it changed security details on his accounts.

The Court also commented that the managing director should have discussed what he planned to do with the director and/or taken advice from an IT specialist before changing the passwords.

Operative date

  • Now

Recommendation

  • Employers entitled to access an employee's personal internet accounts on a company phone or other device should avoid changing the security details on those accounts as this can amount to a breach of their duty of care towards the employee

Case ref: Richmond v Selecta Systems Ltd [2018] EWHC 1446

Disclaimer: This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.

Copyright © Atom Content Marketing