For many employees the workday now stretches across emails, WhatsApp chats, Teams calls and late-night messages sent from the comfort of your own home. The line between “work” and “private life” has become increasingly muddled, especially in hybrid and remote working environments. This has led to a question that many people now ask: can your employer legally read your messages?
In South Africa, the answer is not a simple yes or no. It depends on what platform is being used, whose device it is, what the employer’s policies say, and whether the monitoring is lawful.
Employees do enjoy a right to privacy that is protected by the Constitution, and personal information is also regulated by the Protection of Personal Information Act (POPIA). The Constitutional Court in the case of Bernstein v Bester made it clear that privacy in the workplace is not absolute, and the scope of an employee’s private sphere becomes narrower as the employee moves from the truly personal realm into business and workplace activity. But privacy in the workplace is not an absolute right. That said, if an employer provides the system, the device or the network, it will usually have a stronger legal basis to monitor what happens on it, provided it is done properly. The Labour Court in NUMSA v Rafee N.O. and Others recognised that employer and employee interests must be weighed against one another: The employee may seek to preserve the confidentiality of personal information, while the employer is entitled to protect confidential information about its business operations.
This means that an employer may generally monitor communications on company email accounts, internal messaging systems such as Microsoft Teams, and company-issued laptops or phones. There are usually legitimate reasons for this, which include but are not limited to, protecting confidential information, investigating alleged misconduct, maintaining cybersecurity, ensuring systems are being used appropriately, and managing legal or operational risk.
This, however, does not mean that an employer can watch everything in secret or rummage through communications without limits. Monitoring must be lawful, proportionate and transparent. In practice, this usually means employees should be clearly informed through workplace policies, IT use rules, employment contracts, or notices that communications on company systems may be monitored. If there is no policy, or the monitoring is excessive or hidden, the employer may face legal difficulties. The court made it clear in Protea Technology Ltd and Another v Wainer and Others that even in an employment setting, purely private communications may still attract a legitimate expectation of privacy, and an employer cannot compel disclosure of the substance of genuinely private communications merely because they occurred during working hours or on business premises.
Another important law is the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA). RICA places restrictions on the interception of communications, especially where messages are being accessed in real time. In broad terms, interception is not freely allowed simply because someone is at work. There are limited exceptions, including certain circumstances involving business systems, but employers must still act carefully and within the law. The safest approach is clear notice, a properly drafted monitoring policy, and tightly defined purposes for any monitoring that takes place.
The more difficult cases arise when employees use their own phones or laptops for work, or where work conversations happen on personal apps such as WhatsApp. Here, the expectation of privacy is usually much stronger. An employer does not gain automatic access to a personal device just because a work issue was discussed on it. Private chats on personal phones are not the same as messages sent through a company email server.
This is particularly relevant in the age of bring-your-own-device (BYOD) arrangements. Many employers allow staff to use personal devices for convenience, but that does not give the business unrestricted rights over the device itself. A BYOD policy may allow limited access to work-related information, especially where this is necessary for security, data protection or investigation purposes. Even then, the scope of access must be carefully defined. The employer is not entitled to wander into an employee’s private photo gallery, personal emails or unrelated WhatsApp conversations simply because one’s work message exists on the device.
It is, however, important to consider that personal devices are not immune from scrutiny. If an employee uses a private phone or account to leak confidential information, harass a colleague, share trade secrets, or conduct work-related misconduct, those communications may become relevant in a disciplinary or legal process. In such cases, the issue is usually not a general “right to read everything”, but whether there is a lawful and justified basis to obtain access to specific material. From this it is clear that context is essential and each case needs to be considered on its own merits.
For employees, the practical lesson is simple: if you are using a work platform, assume your employer may be able to access it. If you are using a personal device, your privacy is stronger, but not beyond reach where serious workplace issues are involved. Protea Technology also made it clear that once an employee abandons the private sphere of communication and moves into the sphere of the employer’s affairs, the benefit of privacy may be lost. It is also worth remembering that deleted messages are not always truly gone. Depending on the system, backups, servers or forensic recovery may still exist.
For employers, the legal and reputational risks are equally real. Heavy-handed surveillance can undermine trust, damage morale, and create legal exposure. The most effective approach would then be not to secretly monitor but set clear rules around the issue. A well-drafted workplace policy should explain as a minimum what systems are monitored, why monitoring happens, what information may be accessed, how long data is kept, and what employees can realistically expect in terms of privacy.
Ultimately, modern technology has made it easy to send a message in seconds and much harder to know who might later read it. In law, the distinction is usually less about whether a message feels private and more about where it was sent, on whose device, and under what policy.
So, can your boss read your messages? Sometimes, yes - but not without limits, and not every message, on every device, whenever they choose.
