Is a work email address covered by privacy laws?
One of the most common privacy questions is: are work email addresses considered personal information by privacy laws?
This question gets asked because so many potential data breaches involve the misuse of work email addresses. Whether you use the CC rather than the BCC field or send an email to the wrong person at work, both cases raise the issue of whether the disclosure or misuse of a work email address is a data breach under privacy legislation.
As is often the case in privacy, the answer is … it depends. The treatment of business email addresses changes depending on the privacy law that applies.
Below, we look at some of the major privacy laws and how work email addresses are treated.
Work email address: Australia
The Australian Privacy Act 1988 (Cth) applies to personal information. Personal information includes a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
For example, personal information may include:
- an individual’s name, signature, address, phone number or date of birth
- internet protocol (IP) addresses
- online identifiers
- voice print and facial recognition biometrics (because they collect characteristics that make an individual’s voice or face unique)
- location information from a mobile device (because it can reveal user activity patterns and habits).
Whether emails are personal information has been considered by the OAIC, most recently in a determination issued in June 2020. Consideration was given to two emails – one was a work email and the other a personal email including an individual’s name (something like firstname.lastname@example.org).
The OAIC determined both these email addresses were personal information as follows:
- For the work email, although it used an acronym for the business employer (email@example.com), an internet search would have revealed the full name of the employer, thus giving a name and employer, which were probably sufficient to identify an individual;
- For the personal email, although the email included a fairly common surname which alone may not be sufficient to identify an individual (firstname.lastname@example.org), combined with the other information disclosed (the name of his partner, the fact that he was in a same-sex relationship and other information), the OAIC was able to conclude that an individual was reasonably identifiable from the information disclosed.
Based on this, it is likely that work email addresses are generally considered personal information unless they are generic or shared email addresses. For example, business email addresses such as AliceFlynn@abce.com.au will be considered personal information whilst general email addresses like email@example.com will not be personal information.
State privacy legislation and work emails
The treatment of work email addresses may be different for employees of state government agencies.
In Queensland the ‘routine personal work information’ of public sector employees can be disclosed in certain circumstances. This includes public sector employee work email addresses. Read more here: Routine personal work information of public sector employees | Office of the Information Commissioner Queensland (oic.qld.gov.au)
In NSW, ‘information about an individual that is contained in a publicly available publication’ is exempted from the definition of personal information. So, if you work for a NSW State agency and your email is included in a publicly available record, then it is likely to not be protected.
To determine what might be covered, the different state privacy laws should be consulted.
Work email address: European Union (GDPR)
Personal data is defined by the GDPR as “any information relating to an identified or identifiable natural person.”
Given the similarity in definitions, it is not surprising that work emails in the EU are treated in much the same way as under the Australian Privacy Act. Under the GDPR, personal data includes any business contact information related to an individual such as their name, job title, company, business address, work phone number etcetera.
However, personal data does not include generic business names, business addresses or other general information as long as it cannot be linked to an individual. So, email addresses such as contact@, admin@, info@ and similar business addresses do not fall into a category protected by the GDPR. To be considered personal information, the work email address should be something like:
Further information can be found here.
Work email address: United States
There is no federal privacy law in the United States that would treat work email addresses as personal data.
However, the Californian CCPA will change this, and treat business emails as personal information under the current proposed changes, unless the proposed law is watered down prior to 2023. The CCPA is a little different to the GDPR but it does include the right to request deletion and the need to provide privacy notices. If a Californian requests the deletion of their data then any email addresses – work and private – must be removed.
More information is found here.
Work email address: Canada
Canada’s PIPEDA covers the usage of an individual’s personal information. Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
- age, name, ID numbers, income, ethnic origin, or blood type;
- opinions, evaluations, comments, social status, or disciplinary actions; and
- employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).
However, there are some exemptions. PIPEDA does not apply to the use of business contact information such as an employee’s name, title, business address, telephone number or email address that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession.
Accordingly, work email addresses are not covered by PIPEDA.
More information here.
Work email address: Singapore
Singapore has comprehensive privacy legislation that covers all personal information – the Personal Data Protection Act (PDPA).
The PDPA defines personal data as data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access. However, the PDPA generally does not apply to:
- Any individual acting on a personal or domestic basis.
- Any individual acting in his/her capacity as an employee with an organisation.
- Any public agency in relation to the collection, use or disclosure of personal data.
- Business contact information such as an individual’s name, position or title, business telephone number, business address, business email, business fax number and similar information.
Guidance to the PDPA further clarifies that organisations are not required to obtain consent before collecting, using or disclosing any business contact information, or to comply with any other obligation in the Data Protection Provisions in relation to business contact information.
So, like Canada, a work email address is not covered by Singapore’s privacy law. More here.
Work email address and privacy laws – What should you do?
Don’t assume that work emails are exempt from privacy laws because in many cases they won’t be. Good practice might be to treat all business emails as if they were personal information as your starting point, recognising that unauthorised exposure of work email addresses may also be a lower risk than exposure of personal email addresses.
And of course, it’s worth remembering that different laws apply to the use of business emails for marketing: these rules are part of spam laws. See, for example, Canada’s spam rules and how they apply to business emails: here on page 4.
If you need more clarification or if you have any queries about what is personal information, how you should manage your personal data or whether you’ve had a data breach, Privacy 108 is here to help.