Essential guide to creating an email policy for your employees

Black and white image of paper with e-mails written on it on background of shredded paper

Email is an essential tool that’s the lifeblood of every company, but it can be used to by staff to waste time, or even worse provide an entry point for hackers and cyber-attacks. A clear email policy will keep your business protected as well as clearly spelling out expectations to staff. It also describes how you monitor and manage email to keep your company’s data, systems and software safe.

Permitted use

Sending emails

Receiving emails

Monitoring email

Implementation

1. Permitted use

Employees should primarily use company email systems for business

  • You cannot stop employees receiving personal emails.
  • It is reasonable to allow some personal use of email, especially if you have employees who use their email for business purposes outside of normal working hours.
  • You may encourage employees to use filters to separate their messages into specific business and personal folders.

Limit personal use

While everyone may receive the odd personal email at work, it’s unprofessional, unproductive and unsafe to use a company email for personal correspondence. You should set reasonable limits for email use.

You might prohibit:

  • excessive personal use of email;
  • conducting other business using a work email account;
  • people using work email address for shopping or access to online services such as eBay or PayPal;
  • sharing of inappropriate or illegal content such as offensive jokes;
  • using email for gambling or other paid-for services;
  • engaging in illegal activities;
  • encrypting personal emails and attachments;
  • employees from allowing other people to access their email account.

Set out when email should and should not be used

Set out what devices employees may use to send and receive email

Mobile devices

It is common for employees to send and receive emails from mobile devices, like smartphones and tablets.

The same guidelines and email etiquette apply no matter where or how employees access emails

  • Employees may resent restriction on the personal use of email, particularly if they are encouraged or expected to use mobile devices outside of office hours.

Security is the biggest concern for mobile devices

  • Ensure all mobile devices have password protection, or biometric security activated (such as a fingerprint scanner or facial recognition) before the phone can be opened and emails accessed.
  • Set up a 'remote wipe' function, so email data can be deleted remotely by you if the device is lost or stolen.
  • Use an email service that syncs emails across all devices. This ensures employees can always access the latest emails, even if they lose their mobile device.

Consider your employees' work-life balance

  • Using mobile devices for email can encourage employees to check messages at all hours.
  • Set boundaries and make it clear that employees are not expected to respond out of hours.
  • As a manager, ensure you don’t send too many emails outside of work time.

2. Sending emails

Employees should only ever use their own, password-protected accounts to send emails

  • Passwords should be strictly protected and never shared.
  • Passwords should be changed at least every 90 days (or sooner if possible).
  • Passwords should be strong, using a mix of letters, numbers and symbols.

Establish standards for outgoing messages

  • Ensure consistency by defining the font and type size for company emails.
  • Consider limiting on the size of any attachments employees can add. Even if your company email system can handle large attachments, your contacts may not have the same capabilities.
  • It is better to send large files (eg those over 10MB) using a transfer service such as WeTransfer.

Have rules for handling confidential information

  • Explain to employees that most emails are sent in plain text, so they can be intercepted and read online.
  • You may want to limit or ban the sharing of certain types of information by email. Customer lists, personal data and financial information should never be sent via email, for example.
  • Encrypted emails offer extra protection, scrambling messages and any attachments so they cannot be intercepted and read.
  • A safer option is to use a password protected online storage system such as DropBox to give all staff access to essential information, removing the need for it to be shared through email.

Explain that the safe use of email is a contractual obligation, not a personal choice

  • An email can be as contractually binding as any other form of communication.
  • You may prohibit the use email for any contractually significant communication with a client or customer, and insist that such documents are posted.
  • Consider including a disclaimer on emails to provide extra protection. For example: 'This email is confidential, and is intended for the use of the named recipient only. If you have received this message in error, please inform us immediately, and then delete it. Unless it specifically states otherwise, this email does not form part of a contract.'

Explain your policy on storing both sent and received emails

  • Your system may file emails automatically.
  • Stored emails must be protected from any later editing or unauthorised deletion.
  • Back up all email data regularly in a safe storage system that conforms to all data protection rules and regulations, including GDPR.
  • Inform employees about the permanence of emails. For example, centrally stored emails are still available to be viewed by the company, even after an employee deletes them.
  • Emails should be stored for at least 7 years.
  • You must tell employees how you monitor emails.

3. Receiving emails

Set out who should read incoming emails

  • Employees should read only their own emails, however those engaged in job shares or managers may be granted access to specific mailboxes if required.
  • Establish how you will handle emails sent to generic addresses ([email protected], for example). Assign responsibility for dealing with generic email accounts and set up your technology so only the relevant people can read them.
  • The policy should cover how incoming emails are handled when employees are absent, including off work sick and on leave.

Set out your security procedures for dealing with viruses and other email threats

Set an acceptable response time

  • Emails should be read and answered quickly to ensure a smooth running business.
  • Your policy may stipulate that certain emails ­­– customer enquiries for example – receive a response within 24 hours.
  • Depending on your industry, a faster response time may be necessary.
  • Software can help filter and prioritise emails.

Explain how emails should be handled when an employee is absent or leaves

  • It’s simple to set up an auto-responder which automatically responds to emails explaining that the employee has left/is absent and provides an alternative contact.
  • If you decide to allow someone else to check the employee's emails, ensure any personal emails are handled appropriately and with respect.

Explain how unwelcome emails should be dealt with

  • Employees should tell friends and contacts not to send inappropriate emails. For instance, inappropriate chain letters or enquiries from recruitment consultants.
  • Regularly review and delete junk emails (spam). It is a bad idea to reply to spam as a response confirms that the email has been sent to a live address.

Set out your policy on storing incoming emails

Viruses and phishing

Emails pose a significant security threat to your business. They are often used to distribute viruses and spyware, or for phishing attempts.

A central email server or an email service provided by your IT supplier will provide protection that can reduce risk, but never remove it entirely. Even the strongest filters will allow the occasional malicious email to slip through.

Ensure your email policy includes procedures for dealing with suspicious emails, setting out the expectations of all staff.

Delete attachments from unknown senders

  • You may need a different approach if you expect to receive such files from new contacts.

Take care with high-risk file types

  • Some kinds of file are more likely to carry viruses. For example, file names such as .vbs, .js, .exe, .bat, .cmd or .lnk could all contain malicious content.
  • Compressed files (containing .zip, .arc or .cab) may also contain dangerous files.

Get advice from the IT manager if you are unsure

  • Never open a suspicious email or attachment.
  • Instead, inform the IT manager if you receive a suspicious attachment or if you suspect a virus has entered the system.
  • The quicker a specialist is alerted to a potential threat, the sooner they can act to limit the damage.
  • Encourage all staff to be open and seek help if they believe they have clicked on a dangerous link, attachment, or email.

Be aware of phishing emails

  • Criminals increasingly target individuals in spear phishing attempts, where the email appears to come from someone they know.
  • Encourage staff to be vigilant and to question every email, even if it’s from someone they know and trust.

4. Monitoring email

There are legal restrictions on how you can monitor employees' use of email.

You must include a clause on email monitoring in your employment contracts. If you fail to do so, you will need to obtain consent to perform checks.

Tell employees how email is monitored and for what purposes

  • If you use monitoring software, you should make employees aware of this.

Explain that you reserve the right to read individual emails

You may inspect individual emails for 'specific business purposes', including:

  • establishing the content of transactions and other important business communications;
  • making sure employees are complying with the law and with your internal policies;
  • preventing abuse of your systems;
  • checking emails when employees are on leave.

If you wish to make interceptions for other purposes (marketing, for example) you will need consent from the sender and recipient.

Respect your employees' right to privacy

  • Your employees are entitled to a degree of privacy at work.
  • If you suspect an employee is wasting time using work email for personal reasons, only monitor their emails if they know there is a limit on personal use and that their email may be monitored.
  • If you choose to monitor an employee's emails, avoid reading the actual content.
  • Checking the email's recipient or sender should tell you if a message is personal.

5. Implementation

Consult employees on what you should include in your email policy

Take expert and legal advice

  • Professional legal advice can be useful to ensure you meet all data protection and privacy requirements.

Make the policy available to everyone

  • Ask employees to confirm they have read and agreed to your policy.
  • Refer to the policy in your employment contracts.
  • Make sure managers familiarise themselves with the contents of the policy.
  • Provide a contact name for employees who have any questions.

Put in place any software that can help you monitor and manage emails effectively

This might include:

  • monitoring software to provide a record of email traffic;
  • filtering software to help employees prioritise emails;
  • auto-responder software to reply to emails when employees are absent;
  • virus-checking and other security software.

Provide any training that is needed

  • Employees may need training in effective use of email software, and information on security protection..

Enforce the policy

  • Make an individual responsible for routine enforcement of the policy - usually the network administrator. A director should take overall responsibility.
  • Apply the policy consistently and fairly to everyone, including management and leadership teams.
  • Clarify any exceptions.
  • Make sure you have an appropriate disciplinary procedure in place to deal with breaches of the policy.
  • Revise the policy regularly, in line with changes in legislation.
  • The policy will only provide legal protection if it is properly implemented and enforced.

Signpost

What does the * mean?

If a link has a * this means it is an affiliate link. To find out more, see our FAQs.