2. Agenda
• Thinking about monitoring employees?
• Monitoring or Snooping?
• Monitoring, The Data Protection Act (1998) and the ICO
• Managing resulting data
• CIA
• Summary and Questions
holistic security
4. Monitoring or Snooping?
Monitoring:
• Clear, achievable and targeted objective
• Employees aware, educated and accepting
• Clear compliance with DPA for resultant data... we'll come onto this later.

Snooping:
• Blanket employee coverage - not issue led
• Covert – employees unaware
• No policy or no education in place
• Lack of DPA compliance
5. Monitoring, DPA and the ICO
• Why you are monitoring
• What the process is
• What you are monitoring – systems, applications, hardware etc.
• When you will be monitoring
• Who will be responsible for monitoring
• Who will have access to the data generated by the monitoring
• How that resulting data will be held, managed and eventually destroyed
Without consistent and effective rules and policies, culture
will take over until policy becomes whatever culture dictates.
7. CIA (not what you think...)
Confidentiality
Integrity
Availability
8. CIA (not what you think...)
Confidentiality: assurance that information is shared only among authorised persons or organisations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of the information concerned. Such disclosure can take place by word of mouth, or by printing, copying, e-mailing or creating documents and other data. The classification of the information should determine its confidentiality and hence the appropriate safeguards.
9. CIA (not what you think...)
Integrity: assurance that the information is authentic and complete, ensuring that information can be relied upon to be sufficiently accurate for its purpose. The term integrity is used frequently when considering information security, as it represents one of the primary indicators of security (or lack of it). The integrity of data is not only whether the data is 'correct', but whether it can be trusted and relied upon. For example, making copies (say by e-mailing a file) of a sensitive document threatens both the confidentiality and the integrity of the information. Why? Because, by making one or more copies, the data is then at risk of change or modification.
10. CIA (not what you think...)
Availability: assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them.
12. Information Commissioner's Office Guidance
Section 5 of the 'Quick guide to the employment practices code' covers employee monitoring and can be accessed from the 'For Organisations' section of the ICO website www.ico.gov.uk
13. Summary
• Use the ICO Guidance
• Have firm, clear objectives and targets
• Be open and consistent
• Ensure resultant data is managed in line with the Data Protection Act (1998)
• Excessive use of phones for personal use
• Excessive use of the internet for personal use
• Inappropriate behaviours
• Misuse of company vehicles

These are some of the reasons for monitoring for corrective or disciplinary purposes. However, doing this incorrectly, or in a cavalier or ill-informed manner, is a minefield for an employer and can be far more damaging for the employer than for the employee who is being accused.

Employees have a reasonable right to privacy. The ICO is very clear on how monitoring should be approached: with a spirit of honesty and openness toward employees.

There are many needs that have to be addressed when considering monitoring, and when informing and educating employees, in order to stay within ICO guidelines on monitoring. If these areas are not addressed, Employment Tribunals may well result in a negative outcome for the business and could potentially attract the attention of the ICO, which is rarely pleasant.

Who should be collecting the data may not be the same as who should have access to it or be responsible for it. This example shows IT as the collector, manager and accessor of the data – is that appropriate? (Of course it might be.)

The CIA elements are required to make a successful monitoring policy.

So let's look at our example again... Would it make more sense for the data to be accessed only by HR and pertinent management? Employees would also need to know who is accessing this data. IT will be involved in harvesting the data, but is it appropriate that they have access to it? CIA is the guide to how you should manage this important and sensitive data.

Don't forget that sometimes there are emotive issues involving highly controversial or sensitive matters, so the person reviewing any resultant data needs to be in an appropriate setting. For instance, if someone is habitually surfing pornographic websites and data is collected on what they are viewing, it is not appropriate for the offensive material to be reviewed in a busy office surrounded by the people who would have been offended by it in the first place! Reviewers should also be aware of correct procedures and, as in this example, not make copies of everything that has been viewed, as this in itself is also an offence (if it is something like child abuse material).