The document discusses effective employee monitoring and provides guidance on complying with relevant data protection laws. It advises having clear objectives for monitoring, making employees aware of monitoring policies, and properly managing any data collected to ensure confidentiality, integrity and availability in accordance with the Data Protection Act. The Information Commissioner's Office provides guidance on employee monitoring and data protection on their website.
2. Coming up…
• Thinking about monitoring employees?
• Monitoring or Snooping?
• Monitoring, The Data Protection Act (1998) and the ICO
• Managing resulting data
• CIA
h o l i s t i c s e c u r i t y
4. Monitoring or Snooping?
Snooping:
• Blanket employee coverage - not issue led
• Covert – employees unaware
• No policy or no education in place
• Lack of DPA compliance
Monitoring:
• Clear, achievable and targeted objective
• Employees aware, educated and accepting
• Clear compliance with DPA for resultant data... we’ll come onto this later.
5. Monitoring, DPA and the ICO
• Why you are monitoring
• What the process is
• What you are monitoring – systems, applications, hardware etc.
• When you will be monitoring
• Who will be responsible for monitoring
• Who will have access to the data generated by the monitoring
• How that resulting data will be held, managed and eventually destroyed
Without consistent and effective rules and policies, culture will take over until policy becomes whatever culture dictates.
8. CIA (not what you think...)
[Diagram: the CIA triad – Confidentiality, Integrity, Availability]
9. CIA (not what you think...)
Confidentiality
Assurance that information is shared only among authorised persons or organisations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data etc. The classification of the information should determine its confidentiality and hence the appropriate safeguards.
10. CIA (not what you think...)
Integrity
Assurance that the information is authentic and complete: ensuring that information can be relied upon to be sufficiently accurate for its purpose. The term integrity is used frequently when considering information security, as it represents one of the primary indicators of security (or lack of it). The integrity of data is not only whether the data is 'correct', but whether it can be trusted and relied upon. For example, making copies (say by e-mailing a file) of a sensitive document threatens both the confidentiality and the integrity of the information. Why? Because, by making one or more copies, the data is then at risk of change or modification.
11. CIA (not what you think...)
Availability
Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.
14. Information Commissioner's Office Guidance
Section 5 of the ‘Quick guide to the employment practices code’ covers employee monitoring and can be accessed from the ‘For Organisations’ section of the ICO website www.ico.gov.uk
15. Summary
• Use the ICO Guidance
• Have firm, clear objectives and targets
• Be open and consistent
• Ensure resultant data is managed in line with the Data Protection Act (1998)