Data Protection Commissioner

Guidance Notes - Monitoring of Staff

The Data Protection Commissioner accepts that organisations have a legitimate interest to protect their business, reputation, resources and equipment. To achieve this, organisations may wish to monitor staff's use of email, the internet, and the telephone. However, it should be noted that the collection, use or storage of information about workers, the monitoring of their email or internet access or their surveillance by video cameras (which process images) involves the processing of personal data and, as such, data protection law applies to such processing. The processing of sound and image data in the employment context falls within the scope of the Data Protection Laws.

The Article 29 Working Party has adopted a Working Document (WP55) on the surveillance of electronic communications in the workplace. Its main guiding principle is that you do not lose your privacy and data protection rights just because you are an employee. Any limitation of the employee's right to privacy should be proportionate to the likely damage to the employer's legitimate interests. An acceptable usage policy should be adopted reflecting this balance, and employees should be notified of the nature, extent and purposes of the monitoring specified in the policy.

In principle, there is nothing to stop an employer specifying that use of equipment is prohibited for personal purposes but the likelihood is that most employers will allow a limited amount of personal use. In the absence of a clear policy, employees may be assumed to have a reasonable expectation of privacy in the workplace.

The following points need to be addressed by data controllers:

  • the legitimate interests of the employer - to process personal data that is necessary for the normal development of the employment relationship and the business operation - justify certain limitations to the privacy of individuals at the workplace. However, these interests cannot take precedence over the principles of data protection, including the requirement for transparency, fair and lawful processing of data and the need to ensure that any encroachment on an employee's privacy is fair and proportionate. A worker can always object to processing on the grounds that it is causing or likely to cause substantial damage or distress to an individual.
  • monitoring, including employees' email or internet usage, surveillance by camera, video cameras or location data, must comply with the transparency requirements of data protection law. Staff must be informed of the existence of the surveillance, and also of the purposes for which personal data are to be processed. If CCTV cameras are in operation and public access is allowed, a notice to that effect should be displayed. Any monitoring must be carried out in the least intrusive way possible. Only in exceptional circumstances associated with a criminal investigation, and in consultation with the Gardaí, should resort be made to covert surveillance.
  • monitoring and surveillance whether in terms of email use, internet use, video cameras or location data are subject to data protection requirements. Any monitoring must be a proportionate response by an employer to the risk he or she faces taking into account the legitimate privacy and other interests of workers.
  • at a very minimum, staff should be aware of what the employer is collecting on them (directly or from other sources). Staff have a right of access to their data under section 4 of the Data Protection Acts.
  • any personal data processed in the course of monitoring must be adequate, relevant and not excessive and not retained for longer than necessary for the purpose for which the monitoring is justified.

Use of the Computer Network, E-Mail and Internet.

Private use of the Internet in the workplace and the monitoring of private emails pose certain challenges. A workplace policy should be put in place in an open and transparent manner, recognising that:

  • A balance is required between the legitimate rights of employers and the personal privacy rights of employees
  • Any monitoring activity should be transparent to workers
  • Employers should consider whether they would obtain the same results with traditional measures of supervision
  • Monitoring should be fair and proportionate with prevention being more important than detection.

Template for Acceptable Usage Policy – Email and Internet

The following is the Office Policy of the Data Protection Commissioner and may serve as a template for organisations wishing to develop Acceptable Usage Policies in relation to email and the internet.

Material you receive (e-mail, fax, CD, diskette, download)

E-mail has the same status as incoming paper and fax. It must be opened, read, evaluated and responded to within the timelines set out in the Office's business plan.

1. Potentially dangerous material

Do not launch, detach or save any executable file (i.e. those ending in '.exe' or '.vbs') under any circumstances. Contact IT Division immediately.

All incoming attachments must be virus checked by IT Division. Please note that all floppy disks and CDs brought into the office from home PCs should also be virus checked. The safer option is to forward these attachments by e-mail from your home PC, as they will then be automatically screened by the mailsweeper software.

Do not open, detach or save any unofficial file attachments to your hard disk or any network drive. Official attachments should be placed in the relevant document library or detached to a shared drive. Please avoid saving any documentation to the hard drive of your PC, as this will not be backed up and will be irretrievable in the event of your PC breaking down.

2. Obscenity, Child pornography and Incitement to hate.

You are subject to all legislation regulating Internet use, including the provisions regarding obscenity, child pornography, sedition and the incitement of hate. In particular, persons have obligations under the Irish Child Trafficking and Pornography Act 1997 not to allow any of their systems (mail, Internet etc.) to be used for downloading or distributing offensive material.

3. Other Offensive and Time-wasting Material

Unsolicited material can arrive from anywhere. Should you receive material which you find offensive, abusive or time-wasting, respond to it just as you would an offensive letter: complain directly to the sender and bring it to the attention of the sender's employing organisation / IT and HR managers as appropriate.

In the case of spam mail, do not issue any reply.

4. Misleading information

Always be aware that the Internet is an unregulated, worldwide environment. It contains information and opinions that range in scope from reliable and authoritative to controversial and extremely offensive. It is your responsibility to assess the validity of the information found on the Internet.

Material you send

Remember that e-mail is effectively on official headed paper and can be traced back to place, date and time of sending. Make sure you are satisfied with its content and that it has been approved at the appropriate level. Double check the address of the intended recipient. Once the "send" key is pressed, e-mail cannot be stopped or retrieved. Deleting mail from your system does not make it untraceable.

Do not send any unofficial graphics or executable files under any circumstances. Do not instigate or forward "unofficial mail" to users either within or outside the Office, or send any material which may be offensive or disruptive to others or which may be construed as harassment. Do not make derogatory comments regarding gender, marital status, family status, sexual orientation, religion, age, disability, race or membership of the Travelling Community.

Remember that screensavers can be a means of causing offence.

Do not use another's e-mail account.

All e-mails are automatically backed up and are recoverable. All e-mails leaving the Office should have the following text, or equivalent, automatically appended:

"The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and / or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. It is the policy of [insert employer's name] to disallow the sending of offensive material and, should you consider that the material contained in the message is offensive, you should contact the sender immediately and also your IT manager."

In general: think before you send.

Screening procedures

A suitable IT screening system should automatically screen all mail for known viruses, attachments etc.

IT Division does not normally read individuals' mail or open mailboxes except:

(1) where the screening software or a complaint from an individual indicates that a particular mailbox contains material which is dangerous or offensive.

(2) where a legitimate work reason exists to open the e-mail.

Opening mailboxes for investigation requires authorisation by (Senior manager) on a case-by-case basis. The individual's mailbox, hard disk, network drive and relevant backups are then searched.

Where investigation proves that a problem exists it will be reported to the sender, their organisation, the staff member concerned, Head of Division and HR Manager for appropriate action. Where the problem concerns material such as a virus or an unauthorised .exe file, which can damage the network, IT Division may immediately close down an account pending further investigation and action.

Blocked messages, either inbound or outbound, are deleted after 21 days if a request for release is not received. Messages containing virus files are not retained.

Time wasting and resources

Network resources such as storage space and capacity to carry traffic are not unlimited. However, your time and that of your colleagues is the most valuable resource available to the Office.

You must not deliberately perform acts which waste your own and your colleagues' time or computer resources. These acts include:

  • Playing games
  • Online chat groups
  • Uploading / Downloading large unofficial files which create unnecessary non-business related loads on network traffic
  • Accessing streaming audio / video files, for example, listening to music or watching movie clips
  • Forwarding audio / video files to colleagues
  • Participating in mass non-business related mailings such as chain letters
  • Sending unofficial attachments

Financial Implications

Do not download any material / software from the Internet for which a registration fee is charged without first obtaining the express permission of the Office. Only the software installed by IT Division, and therefore listed on the Office's Assets Register, is deemed to be legally sourced by the Office and covered by the appropriate licence agreement. No other software is approved for use on any of the Office's computers or laptops.

Security

You are responsible for the use of the facilities granted in your name. The main protection at present is your password. Make it difficult to guess and, above all, do not share your password with anyone, write it down or give it out over the phone. If you think someone knows your password, ask for it to be changed as soon as possible. Maintaining the privacy of your password is your responsibility, and consequently you are responsible for any abuses taking place using your name and password.

In general do not leave your computer unattended without securing the session by password or signing off.

When leaving your PC unattended, press Ctrl Alt Del (in the same way as logging into your PC) and click the "Lock workstation / Lock computer" box. On return, press Ctrl Alt Del and enter your password to log back into the PC.

Users accessing the Internet through a computer attached to the Office's network must do so through an approved Internet firewall or other security device. Bypassing the Office's computer network security by accessing the Internet directly by modem or other means is strictly prohibited.

You are reminded that files obtained from sources outside the Office, including disks brought from home, files downloaded from the Internet, news groups, bulletin boards or other online services, and files attached to e-mail messages, may contain computer viruses that may damage the Office's computer network. While the Office is continually upgrading its virus protection infrastructure, the potential introduction of viruses on the Office system always remains a threat. All incoming material, regardless of origin, should be virus checked before being used on any PC on the Office's network. This is not paranoia: a wide variety of viruses from a wide range of individuals and organisations have been blocked over the last 12 months. This threat is real and will not be diminishing. If you suspect that a virus has been introduced into the Office's network, notify the IT Section immediately.

The Internet is not secure. Whether by e-mail or via the World Wide Web, do not give out more information than is necessary to fulfil your purpose. Beware of demands for unnecessary information. Be wary of sites which request more data than is necessary for accessing the site or for making a transaction, or which do not tell you why they require this data from you. In particular, no information on IT systems or resources should be disclosed over the Internet or through e-mail without authorisation from IT Division.

External e-mail should only be used to transmit unclassified information to individuals outside the Office. Classified or confidential material should not be sent by e-mail unless it is encrypted.

Web logs

All web browsing is logged. Screening software prevents access to certain non-work related sites. The logs of web browsing will only be accessed with management authorisation, where there are reasonable grounds to believe that this policy has been contravened.

Personal Use

Just as with the phone, a small amount of limited personal use of e-mail and Internet facilities is permitted if such use does not otherwise infringe this policy.

Freedom of Information and Archives Acts (only applies to public bodies)

Incoming and outgoing e-mails which are of "enduring organisational interest" are records under the above Acts and must not be kept in your e-mail account. They must be transferred to the appropriate document library or file.
