For your eyes only

6 Sep 13
Security and privacy can be conflicting needs, both on the international stage and at work. Employers must ensure their staff monitoring is legal and ethical.

By John Thornton | 06 September 2013

As technology advances, there are ongoing and increasing conflicts between protecting individuals through monitoring and invading their privacy. Increasingly, we are living in a world, particularly in cities, where our personal movements can be traced by CCTV and facial recognition. Our vehicles are tracked via automatic number plate recognition systems and our personal social networks leave digital trails.

The Edward Snowden affair has highlighted some of the concerns and issues at national and international levels. By leaking details of a massive US surveillance programme and links to Britain’s Government Communications Headquarters, this former National Security Agency contractor is either a brave whistle-blower or a naïve pawn who has undermined and jeopardised a major and successful initiative designed to prevent acts of terrorism.

The answer depends in part on your personal perspectives and beliefs, as well as your views on the adequacy of independent oversight and controls built into the operating arrangements.

These concerns usually become more pronounced and pertinent when we feel that the monitoring arrangements might affect us personally. If we look at the world of work, many large organisations now use specialist software to monitor how employees use their systems. You probably consented to this type of monitoring when you signed the Acceptable IT use policy, or whatever it is called in your organisation.

Typically, the monitoring software will flag up if John tried unsuccessfully to log in three times in the past hour, or if he lives in Bradford but tried to log in from China. It might show that Jane downloaded a database to an unencrypted USB stick or that George visits gambling sites when he takes his first coffee of the day. These modern security systems are designed to monitor and take action when an incident occurs or when threatening behaviour is detected. Your system might, for example, be monitoring 100 server logs in real time, and if somebody is doing something wrong and threatening, it stops it happening.

Moreover, as the systems get more sophisticated, they can begin to reveal patterns of behaviour that might lead to problems or wrongdoing in the future, or where staff just need help. For example, they might show that Bill in payroll is making extensive use of payday loans and visiting debt-counselling sites; that Jill visits suicide websites in her lunch hour; or that Paul is searching for advice on divorce. Should you as an employer intervene and, if so, how? Do you have processes in place to handle and escalate this type of feedback? What you don’t want is for the IT security guy to ‘pop round’ and say ‘are you feeling OK?’, or for the first response to be a visit from internal audit.

As a good employer, you need to think holistically about protective monitoring, employee privacy and how you act on information received, rather than treating them as separate issues. The vast majority of employees are loyal, hard-working and honest. There will, however, be those who have problems, do stupid things, are not honest or have temptation forced on them. You need to balance employee privacy with protection, and ensure that your monitoring is both ethical and legal.

Monitoring will probably also raise questions about temporary staff, partners and contractors who might have access to your systems. Often, organisations find they are managing perhaps twice as many identities as they have employees. You might need different types of escalation procedures.

Many organisations have invested in powerful monitoring tools without thinking through the next steps and integrating these issues into their governance arrangements.

The important points here are proportionality, transparency and accountability.

John Thornton is director of e-ssential Resources and an independent adviser on business transformation, financial management and innovation.

This opinion column was first published in the September edition of Public Finance magazine

