Your company should have a policy regarding access to and use of company email and it should tell all employees what that policy is.
The most sustainable and productive policies are those that give appropriate respect to employees' desire for and expectations of privacy, and that also provide for responsible and thoughtful procedures when legal obligations or business needs suggest that some invasion of those privacy interests is warranted. Indeed, the very existence of a policy and of an appropriate procedure for balancing the interests of the many parties involved in this issue may itself be the most valuable tool to defend against after the fact attacks on any particular company practices.
You should include employees (as well as technical experts, lawyers, and management) in the process of forumating your company policies on these issues. Employee users of the system will help spot issues and their involvement will help you develop sound policies that achieve widespread acceptance and respect. Don't adopt policies or procedures that you would be embarrassed to describe fully to your employees -- or to see described in the morning newspaper.
While you are formulating your company policy, you should gather some key information regarding the nature and extent of your company's electronic messaging systems, who has access to what types of data, what provisions have been made for backups and security, who is charged with responding to requests for access by third parties, and who has done what to assess and minimize foreseeable risks.
Make sure your policy is consistent with and incorporated into whatever process you use to establish and disseminate other company policies.