Workplace Investigations

In internal investigations, the fundamental rights and freedoms of employees are at stake,  including the right to privacy, respect for the privacy of home life and correspondence, freedom of expression, and the obligation of loyalty in searching for evidence.

In principle, work emails and files can be reviewed, even without the employee's consent, prior knowledge or warning. This includes: work email accounts; files stored on a work computer or a USB key connected to a work computer; and SMS messages and files stored on a work mobile phone and documents stored in the workplace unless they are labelled as “personal”. On the other hand, it is not permissible for an employer (or an investigator) to review “personal” emails and files, such as documents or emails identified as “personal” by the employee, or personal email accounts (Gmail, Yahoo, etc), even if accessed from a work computer.

There are certain exceptions to the above principle. An employer is allowed to check “personal” emails or data in any of the following cases:

• if the employee is present during the review;
• if the employee is absent, but was duly notified and invited to be present;
• if there is a particularly serious “specific risk or event”;
• if the review is authorised by a judge (this means having to prove a legitimate reason justifying not informing the employee).

When documents or emails are not marked as “personal” but contain information of a personal nature, the employer may open and review the data but may not use such documents or emails to justify applying disciplinary measures to the employee or use such documents or emails as evidence in court if they indeed relate to the employee’s private life.

Special attention must be given to employee representatives who must be entirely free to carry out their duties.

As discussed in question 7, it may be difficult for a company to search an employee’s personal possessions. The company may search and gather electronic data stored in work laptops or company servers, subject to legal requirements and restrictions (eg, obtaining consent). 

The PIPA provides specific guidance on the requirements for obtaining consent. Under the PIPA, to collect or use an individual’s personal information, the information holder must be informed of and consent to:

• the purpose of the collection or use;
• the personal information that will be collected;
• the period of retention and use; and
• his or her right to refuse to provide consent and any disadvantages that may result from such refusal.

There are separate requirements for obtaining consent to provide an individual’s personal information to a third party. Also, consent must be obtained separately for the collection, use or provision of sensitive or unique identification information.

Under limited circumstances, personal information may be collected, used, or provided to third parties without obtaining the consent of the information holder. For instance, a company may collect and use personal information without obtaining consent where obtaining the information is necessary to achieve the company’s “legitimate interests”, which clearly exceed the information holder’s right to his or her personal information, and the collection and use are carried out within reasonable bounds. The term “legitimate interests” in this context is generally understood as a concept similar to “justifiable act” under the Criminal Code. The Korean Supreme Court has held that under exceptional circumstances such as the following, the company’s collection and review of employee data may constitute a “justifiable act” under the Criminal Code:

1. the company had specific and reasonable suspicion that the employee had committed a crime and the company had an urgent need to verify the facts;
2. the scope of the company’s review was limited to the suspected crime through the use of keywords, etc;
3. the employee had signed an agreement stating that he or she would not use work computers in an unauthorised manner and that all work products would belong to the company; and
4. the company’s review uncovered materials that could be used to verify whether the employee committed the alleged crime.