
When One Director Requests Access to Another’s Email

What We Require Before Taking Action

In recent weeks, we’ve seen multiple cases where one director or senior stakeholder has asked us to provide covert access to another director’s mailbox, or requested to suspend their Microsoft 365 account – sometimes without notifying the affected party.

These are sensitive, high-risk requests. As your IT support partner, we want to clarify what we can and cannot do, and what we expect before taking any action.


Why this matters

Mailboxes and Microsoft 365 accounts contain both personal and business data. When the request involves a current director or senior employee, especially without their knowledge, this falls into a high-risk area under:

  • UK GDPR and the Data Protection Act 2018
  • Employment and fiduciary duty laws
  • Internal governance and dispute resolution procedures

Acting without a clear, lawful basis could expose you and us to liability.


What we expect before proceeding

We will not carry out mailbox access or suspension on a current active director unless we receive all of the following in writing:

  1. Formal instruction from a current director or equivalent authorised officer of the relevant company.
  2. A statement that the request is made as part of an internal investigation, governance process, or disciplinary action.
  3. Confirmation that the company has:
    • Reviewed and established a lawful basis for this access under GDPR
    • Engaged HR or legal advisors if relevant
    • Accepted full responsibility for the instruction and its consequences
  4. Clear details on:
    • Whose mailbox or account is to be accessed or suspended
    • Who will be granted access (if anyone)
    • Whether the affected individual is aware (and, if not, why)

What we will and won’t do in relation to other active directors

| Action | Our position |
|---|---|
| Grant access to a current user’s mailbox | Only with full, formal written instruction as described above |
| Suspend or delete a mailbox/account | Only with formal authorisation and clarification of legal standing |
| Assess whether access is lawful | We will not make this judgement—this is the responsibility of your company, legal, or HR team |
| Provide admin access to internal contacts | Yes, we can assign scoped admin roles so your team can manage password resets or suspend users internally |
| Participate in covert monitoring | No, we do not facilitate monitoring or surveillance of users without transparent, formal process |

Our role

We’re here to support your business securely and responsibly. But in high-stakes scenarios involving internal disputes, employee surveillance, or director-level conflict, our role must remain technical and operational – not legal or investigative.

If you’re unsure how to handle these situations, we strongly recommend:

  • Consulting your HR or legal advisors
  • Establishing a clear internal authorisation policy for sensitive account access
  • Informing us of any escalation paths or pre-approved contacts in advance

Questions?

If you need help setting up scoped admin access for your HR or operations team, or want to review your current permissions setup in Microsoft 365, get in touch. We’re happy to help – within clearly defined boundaries.