While the Data Protection Act doesn’t prohibit organisations from collecting and using employee information, what they do collect can’t be excessive, and it has to be relevant and used appropriately. These principles
Employee monitoring can take many guises, such as CCTV to detect crime, computer log analysis to identify system misuse, and email scans to prevent data leakage. It can play a vital role in combating theft and policy breaches, and can be justified on the grounds that it not only protects the organisation’s assets, but also makes the workplace safer for employees by detecting incidents of bullying, for example.
Any form of monitoring is intrusive in some way, and this has to be balanced against your employees’ right to keep their personal lives private, per employee monitoring laws. The Human Rights Act (HRA) states that: "Everyone has the right to respect for his private and family life, his home and correspondence." Your guiding principle should be openness, and you should be able to justify the benefits of monitoring to the organisation or other relevant parties, such as the police, if monitoring has any adverse effect on an employee or employees.
Your employees have an expectation of privacy in the workplace and should be made aware of the nature, extent of and reasons for any monitoring you do. Where employees know monitoring is being carried out, there is no longer an expectation of privacy. (A rare exception is when covert monitoring can be justified, which is discussed later in this tip.) Always put up signs in areas where CCTV cameras are in use, and send email reminders about how computer activity is logged and monitored; this in itself acts as a deterrent and is one of the main objectives of monitoring.
You need to document and justify the need to carry out the various forms of monitoring you use. The document should cover what particular issue the monitoring will combat or resolve, such as theft or improper use of the Internet or email. For example, making your employees aware their emails are monitored will help ensure they comply with your Acceptable Email Usage policy. However, reading every email would be considered excessive and can’t be justified.
What is acceptable and effective is taking random samples or reviewing emails containing certain words or phrases. Another option is to confine monitoring to a specific area you feel is at risk. This means, for example, only reviewing emails by a particular employee who you think may be sending proprietary information to a competitor or installing CCTV cameras only in the area of your premises where theft is a problem.
The information you collect during monitoring can only be used for the purpose for which you carried out the monitoring, per DPA Principle 2: Processing personal data for specified purposes. However, if, for example, CCTV footage taken to prevent theft from your warehouse showed an employee was putting other workers at risk by breaking health and safety rules, you wouldn’t be expected to ignore it. Of course, any information you collect through monitoring has to be kept secure according to DPA Principle 7, as it refers to living, identifiable people. Also, you can’t collect more information than you need or keep it for longer than strictly necessary, according to Principle 5.
Collecting personal health information, such as information gleaned from screening for alcohol or drug abuse, may be necessary on health and safety grounds, but you should only involve those individuals whose jobs are critical to safety or who work in a hazardous environment. These employees should know what information about their health is being collected, and the company should ensure its rules and standards have been clearly explained to them. Again, be sure this type of monitoring can be justified by the resulting benefits. The information relating to an employee’s health must be kept highly secure.
The covert monitoring of workers can be justified in exceptional circumstances when there are reasons to suspect criminal activity or extremely serious malpractice, and informing anyone about the monitoring would make it difficult to prevent or detect such behaviour. (The right to privacy under the HRA is only upheld as long as it does not infringe upon other rights.)
Covert monitoring should be authorised by senior management with the number of people involved in the processing of the evidence kept to a minimum. The monitoring should be strictly targeted, kept within a fixed timeframe and stopped earlier if the investigation has been completed. Never use covert monitoring in private places, such as toilets or private offices unless you suspect a serious crime and intend to involve the police. If you are justified in obtaining information about a worker’s criminal convictions, you should do so only through a disclosure from the Criminal Records Bureau.
If an employee is caught contravening policy of any kind, you must enforce your rules and standards and discipline him or her accordingly. However, your employee monitoring policy must give the employee the opportunity to comment on or object to the information you’ve gathered, as it may be inaccurate or misleading. For example, information from a third party may simply be wrong. Remember, too, that employees have a legal right of access to information you hold about them, including information you obtain through monitoring.
Monitoring employees’ activities plays an important role in running an efficient and safe organisation, but it is important that it is done within the confines of the law, which gives ample latitude for organisations to protect themselves as well as their employees.
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
This was first published in October 2011