Excessive use of phones for personal useExcessive use of the internet for personal useInappropriate behavioursMisuse of company vehicles some of the reasons that monitoring for corrective or disciplinary purposes, however doing this incorrectly or in a cavalier or ill informed manner is a minefield for an employer and can be far more damaging for an employer than the employee who is being accused.
Employees have a reasonable right to privacy.The ICO is very clear on how monitoring should be approached and it is with a spirit of honesty and openness toward employees.
There are many needs that have to be addressed when considering monitoring and informing and educating employees in order to stay within ICO guidelines on monitoring.If these areas are not addressed Employment Tribunals may well result in a negative outcome for the business and potentially could attract the attention of the ICO which is rarely pleasant.
Who should be collecting the data may not be the same as who should have access to it or be responsible for it.? This example shows IT as the collector, manager and accesser of the data – is that appropriate? (of course it might be)
CIA elements required to make successful Monitoring policy.
So let’s look at our example again...Would it make more sense for the data to be accessed only by HR and pertinentManagement? Employees would also need to know who is accessing this data. IT will be involved in harvesting the data but is it appropriate they have access to it? CIA is the guide to how you should manage this important and sensitive data. Don’t forget sometimes there are emotive issues involving highly controversial or sensitive matters.So the person reviewing any resultant data needs to be in an appropriate setting. For instance if someone habitually surfing on pornographic websites and data is collected on what they are viewing, it is not appropriate for the offensive material to be reviewed in a busy office surrounded by the people who would have been offended by it in the first place! Also they should be aware of correct procedures and for instance as in this example, not make copies of everything that has been viewed as this in itself is also an offence (if it is something like child abuse etc).
Waldrons march 2013 v1.0
Effective Employee MonitoringMike Gillespie – MD Advent IM Ltd
Agenda• Thinking about monitoring employees?• Monitoring or Snooping?• Monitoring, The Data Protection Act (1998) and the ICO• Managing resulting data• CIA• Summary and Questions holistic security
Thinking of monitoring employees? Data Protection holistic security
Monitoring or Snooping?•Clear, achievable and targeted •Blanket employee coverage - notobjective issue led•Employees aware, educated and •Covert – employees unawareaccepting •No policy or no education in place•Clear compliance with DPA for •Lack of DPA complianceresultant data..we’ll come onto thislater. holistic security
Monitoring, DPA and the ICO• Why you are monitoring•What the process is•What you are monitoring –systems, applications, hardware etc•When you will be monitoring•Who will be responsible for monitoring•Who will have access to the data generatedby the monitoring•How that resulting data will beheld, managed and eventually destroyed Without consistent and effective rules and policies, culturewill take over until policy becomes whatever culture dictates. holistic security
Managing resulting data creation IT Dept holistic security
CIA (not what you think...) confidentialityAvailability integrity holistic security
CIA (not what you think...) Assurance that information is shared only among authorised persons or organisations. Breaches of Confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality ofconfidentiality the information concerned. Such disclosure can take place by word of mouth, by printing, copying, e-mailing or creating documents and other data etc. The classification of the information should determine is confidentiality and hence the appropriate safeguards. holistic security
CIA (not what you think...) Assurance that the information is authentic and complete. Ensuring that information can be relied upon to be sufficiently accurate for its purpose. The term Integrity is used frequently when considering Information Security as it is represents one of the primary indicatorsintegrity of security (or lack of it). The integrity of data is not only whether the data is correct, but whether it can be trusted and relied upon. For example, making copies (say by e-mailing a file) of a sensitive document, threatens both confidentiality and the integrity of the information. Why? Because, by making one or more copies, the data is then at risk of change or modification. holistic security
CIA (not what you think...)availability Assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them. holistic security
Managing resulting data creation HR Dept holistic security
Information Commissioners Office GuidanceSection 5 of the ‘Quick guide to theemployment practices code’ covers employee monitoring and can be accessedfrom the ‘For Organisations’ section of the ICO website www.ico.gov.uk holistic security
Summary• Use the ICO Guidance• Have firm, clear objectives and targets• Be open and consistent• Ensure resultant data is managed in line with the Data Protection Act (1998) holistic security