Q. A deceased employee’s spouse has asked us for copies of personal e-mails that were on the employee’s work computer. Can we provide her copies?
A. As with tangible property of a deceased employee, release computer data only to an authorized individual. Before releasing any of the data, however, determine if you have an obligation to do so.
While privacy law is still evolving, the first step should typically be to review your electronic communications policy. If the policy clearly states that any data sent, received, accessed or stored on company computers belong to the company, you might take the position that you own all the data. You can decline to produce it.
If the policy is not clear, or you decide to produce the data anyway, you may want to review the data to determine what to release. You are within your rights to withhold proprietary information or other communications that contain information that would pose a competitive risk if it were disclosed.
Also review the data carefully and confer with counsel to ensure it doesn’t release any data in violation of various laws that may contain privacy provisions, such as the Health Insurance Portability and Accountability Act (HIPAA) and workers’ compensation, disability, drug testing,, attorney-client privilege or other laws.
While determining your obligations, preserve the deceased employee’s personal computer data and any backup of that data.
If you have not already done so, consider establishing a data-retention and destruction policy. Then preserve the data for the period set forth in the policy.
What if you believe you may have an obligation to produce the data, but so far, no one has requested it? In that case, before changing the format or destroying the original data, consider notifying individuals potentially authorized to obtain the data. Tell them the data will be converted to a backup format or destroyed if not requested by a certain date.