Can You Monitor Employees’ Emails and WhatsApps?

Many employers assume the answer is simple: if the device belongs to the business, the business can monitor whatever it wants.

That is not the law.

In South Africa, employers may monitor employee communications in some circumstances, but not without limits. The Constitution protects the privacy of communications, POPIA regulates the lawful processing of personal information, and RICA regulates the interception of communications. In other words, workplace monitoring is possible, but it must be justified, proportionate and properly managed.

What Employers Usually Think

In practice, employers often believe that:

• company email accounts can be checked at any time

• WhatsApp messages sent on a work phone belong to the employer

• a workplace policy gives unlimited monitoring rights

• once an employee is “on company systems”, privacy falls away

These assumptions are risky. Employees do not lose all privacy rights simply because they are using workplace systems or employer-issued devices. South African law starts from the position that privacy matters, including the privacy of communications.

What the Law Actually Says

The better starting point is this: yes, employers can monitor certain communications, but only within legal boundaries.

Three legal frameworks matter most:

1. The Constitution

Section 14 of the Constitution protects the right to privacy, including the privacy of communications. That means employers should not approach monitoring as an unrestricted management right.

2. POPIA

POPIA applies when personal information is processed by private and public bodies. If an employer accesses, stores, reviews, searches or shares employee communications containing personal information, that conduct must comply with POPIA’s requirements for lawful and reasonable processing.

3. RICA

RICA regulates the interception of communications. That means employers should be extremely cautious about monitoring live or in-transit communications, especially where they are trying to access private messages or intercept communications without a proper legal basis.

So, Can You Monitor Emails?

Usually, yes, but not carelessly.

Employers generally have a stronger basis to monitor:

• company email accounts

• communications sent on company systems

• messages reviewed for security, compliance or operational reasons

• communications monitored under a clear workplace policy

That said, even with company email, the monitoring should be tied to a legitimate purpose such as protecting confidential information, investigating misconduct, ensuring regulatory compliance, managing cyber risk or preventing harassment or data leaks. Broad, secret or excessive monitoring creates legal exposure. POPIA requires processing to be lawful and reasonable, and the constitutional right to privacy remains relevant.

What About WhatsApp?

This is where employers often get into trouble.

Monitoring WhatsApp is usually more sensitive than monitoring company email because WhatsApp is often used as a personal messaging platform, even where it is installed on a work phone. The fact that a device belongs to the employer does not automatically mean every chat on that device is fair game.

The legal risk becomes even greater where the employer tries to access:

• private chats unrelated to work

• messages on an employee’s personal phone

• messages without prior notice or policy support

• communications in a way that could amount to unlawful interception

The safer view is that employers should only access WhatsApp communications where there is a clear and defensible reason, the scope is limited and the organisation has already put employees on notice through properly drafted policies and procedures.

When Monitoring Is More Likely to Be Defensible

An employer is in a stronger position where:

• the communication occurs on a company-managed system or device

• there is a clear IT, communications or monitoring policy

• employees have been notified that monitoring may occur

• the purpose is legitimate and business-related

• the monitoring is targeted rather than indiscriminate

• access is limited to those who need to know

• information gathered is handled in line with POPIA

In other words, the question is not only whether the employer can monitor, but whether the employer can justify the monitoring. POPIA’s purpose is to protect personal information through minimum conditions for lawful processing, and the Information Regulator enforces compliance.

Common Mistakes Employers Make

Treating a work device as a waiver of privacy

Ownership of the laptop or phone helps the employer’s case, but it does not eliminate employee privacy rights.

Having no policy at all

If there is no communications, monitoring, data protection or device-use policy, the employer’s position becomes much weaker.

Monitoring too broadly

A focused investigation into suspected misconduct is easier to justify than open-ended surveillance of everything an employee says or does.

Ignoring POPIA

Even where access is justified, the employer must still process personal information responsibly and securely. POPIA was enacted to establish minimum conditions for lawful processing of personal information.

Trying to read clearly private messages

This is especially dangerous where the messages are on a personal device or relate to purely personal matters.

A Practical Example

Suppose an employer suspects that a senior employee is forwarding confidential pricing information to a competitor.

A lawful and sensible response may include:

• reviewing the employee’s company email account

• checking company-owned devices in line with policy

• limiting the review to material relevant to the investigation

• preserving evidence carefully

• avoiding unnecessary access to purely private communications

A reckless response would be to search every private WhatsApp conversation on the employee’s personal phone without notice, policy support or legal advice.

The first approach may be defensible. The second may create serious privacy and evidentiary problems.

How Employers Can Protect Themselves

Employers should:

• implement clear IT, communications and monitoring policies

• state expressly that company systems may be monitored for legitimate business reasons

• distinguish between company systems and personal devices

• avoid blanket or covert monitoring unless there is a clear legal basis

• ensure any review is necessary, proportionate and properly authorised

• align internal practices with POPIA compliance

• obtain legal advice before accessing sensitive communications, especially WhatsApp content

Final Thoughts

Can you monitor employees’ emails and WhatsApps?

Sometimes, yes. Unrestrictedly, no.

South African employers should not assume that company ownership equals unlimited access. Monitoring has to be approached carefully, with proper policies, a legitimate business purpose and close regard to privacy, POPIA and RICA.

Businesses often do have valid reasons to investigate communications. The real risk lies in how they do it. An employer with a good case can still create liability by using the wrong process or overreaching into private communications.

Need Help Reviewing Employee Communications Lawfully?

Barter McKellar advises employers on workplace monitoring, employee privacy, disciplinary investigations, POPIA compliance and labour disputes.

If your business needs to investigate employee communications or update its internal policies, getting the process right from the outset can avoid costly disputes later.