Tag: 上海后花园SAN

Watching brief

Related posts:No related photos. Comments are closed. Previous Article Next Article Watching briefOn 1 Jul 2003 in Personnel Today The Monitoring at Work Code, published last month, gives employers a guideto when and how they can monitor staff.katherine o’brien discusses somepotential scenariosGeneral guidelinesPaper UK (PUK) is a paper distribution company with about 100employees. Employees work either at the company’s head office, or at thecustomer advice centre taking queries from customers. The HR manager has readabout the new code for monitoring employees, and wants to know what PUK shoulddo. Katherine O’Brien comments: The third part of the Employment PracticesData Protection Code – Monitoring at Work (published on 11 June 2003 after alengthy consultation process) provides employers with guidance on how theycan monitor job applicants, employees and other staff. Monitoring is an intrinsic part of the employment relationship, andtechnological developments mean employers hold extensive information on theirstaff – often collected automatically and without too much thought. Staff maybe filmed on CCTV as they arrive or leave work, electronic swipe cards willindicate their whereabouts on the employer’s premises, and computer logs arecreated when staff switch on their computers. During the day, records indicate staff access to the internet and sitesvisited. E-mails sent and received are recorded as well as telephone calls. Ifstaff are provided with work mobile telephones or company cars, then managementoften makes records of use. The Code lays down guidelines for steps employers should take in decidingwhether any particular form of monitoring is appropriate in the circumstances.Any adverse impact of monitoring on individuals has to be justified by thebenefits received. The Code recommends using specific impact assessments to decidewhether or not this is the case, to establish what monitoring is to be carriedout and to whether a monitoring arrangement is a proportionate response to theproblem to be addressed. An impact assessment involves: – Identifying the purpose behind the monitoring arrangement and the benefitsit is likely to deliver – Identifying any likely adverse impact of the monitoring arrangement – Considering alternatives to monitoring or different ways in which it mightbe carried out – Taking into account the obligations that arise from monitoring – Judging whether monitoring is justified. The following factors may establish whether there is an adverse impact onstaff and customers of the organisation: – What intrusion will there be in private lives or interference with privatecommunications? – How much information do staff have on how and when they are monitored? Themore information provided the better, as it allows staff to limit the adverseimpact on them – Will there be any impact on the relationship of mutual trust andconfidence between the staff and employer or any other confidentialrelationship, such as, for example, trade union representatives? – As part of the impact assessment, it is important to consider the leastintrusive method of monitoring possible and alternatives to monitoring – In establishing that staff are complying with company policy andprocedure, using different methods of supervision, training and clearercommunication may deliver acceptable results – Specific incidents can be investigated by accessing stored e-mails, ratherthan undertaking continuous monitoring. Monitoring can also be limited to staffabout whom complaints have been received or areas of high risk – Automated monitoring is less intrusive and means the personal informationis only ‘seen’ by a machine – Spot-checks or audits can be undertaken rather than continuous monitoring(depending on the circumstances, as sometimes continuous monitoring can be lessintrusive than human intervention). As well as the aspects mentioned above, deciding whether a current orproposed method of monitoring is justified involves emphasising the need to befair to staff, ensuring any intrusion is no more than necessary. Any significantintrusion will only be justified if the employer’s business is at serious risk.Consultation with staff and/or trade unions can be of assistance whenconsidering these issues. CCTV monitoringPUK has noticed an unusually high amount of stock is being ordered ona regular basis, and believes some is being stolen. It proposes to set up CCTVcameras to monitor the situation. Can it do this? KO’B comments: When carrying out an impact assessment for videomonitoring PUK should consider the following: – It must establish why it is setting up the CCTV and what benefit itbelieves it will obtain. Does it wish to obtain evidence that theft isoccurring, deter future thefts or catch the perpetrators? PUK should alsoconsider whether it is reasonable to believe stock is being stolen. This willadd weight to the belief that monitoring is required. – In order to reduce the adverse impact, PUK should consider targeting areasof particular risk, for example the stockroom. PUK may feel other areas needmonitoring depending on where it feels it is most likely to identify theperpetrators of any theft. Where possible, monitoring should be confined toareas where staff expectation of privacy is low (not the staff toilets, forinstance) – Continuous monitoring will only be justified in rare circumstances due toits particularly intrusive nature – Are there practical alternatives to CCTV, such as security checks on staffleaving the building? – Is PUK able to make it clear that monitoring is taking place and why, inall areas where the monitoring takes place (placing a prominent sign,identifying the organisation responsible for monitoring, who is to be contactedand why it is being done)? This is particularly important in public areas wherepeople other than staff are likely to be inadvertently caught on camera – Can PUK justify the continuous monitoring of a particular area? This maynot be so simple if individuals are likely to be continuously monitored, forexample those working in the stockroom. In limited circumstances, the Data Protection Act 1998 allows covertmonitoring. Covert monitoring should be authorised by senior management, whomust satisfy themselves that there are grounds for suspecting criminal activityor equivalent malpractice, and that notifying individuals would prejudice itsprevention or detection. A reliable test is whether or not the activity wouldbe of sufficient seriousness to involve the police (unless covert monitoring isto be carried out in a private area, in which case a suspicion of a seriouscrime and an intention to involve the police is required). PUK would find covert monitoring difficult to justify when it doesn’t havean individual in mind. Personal information collected should only be used for the purposes forwhich the monitoring was introduced, unless it is in an individuals’ interestto use it or if it reveals an activity no reasonable employer could be expectedto ignore (for example, serious harassment). E-mail and the internetStaff working in the customer advice centre at PUK take queries fromcustomers by telephone and e-mail. The manager believes some employees arespending a large part of their time looking at pornography on the internet andsending personal e-mails. He wants to check what members of staff are doing.Can he do it and what methods can be used? KO’B comments: PUK needs to establish whether it has a current staffpolicy regulating electronic communications and whether it establishesboundaries of acceptable behaviour with regard to e-mail exchange and use ofthe internet. A policy for the use of electronic communications should incorporate thefollowing features: – Clear boundaries as to the amount and type of personal communicationsallowed – Specified restrictions on what can be viewed or copied from the internet – Clear instructions as to what would be considered offensive rather thansimply a reference to ‘offensive’ material – Examples of personal information which staff are permitted to communicate – Alternatives to electronic communications for passing on personalinformation – An explanation of the purpose for which any monitoring is conducted, theextent of monitoring and means used. This should include how the policy isenforced and the penalties for a breach of that policy. In addition, PUK must ensure it is not in breach of the Regulation ofInvestigatory Powers Act 2000 and Lawful Business Practice Regulations.Interceptions are not permitted without the consent of the sender and recipientunless authorised under the regulations. An interception is likely to beauthorised where it is for the purpose of running the business and allreasonable efforts have been made to inform internal users of the interception.Once PUK has established the purpose of the monitoring arrangement and thebenefits it will deliver, it should look at any adverse impact and suitablealternatives. – Analyse e-mail traffic rather than monitoring the content of messages. Ifthe content is monitored, PUK may be at risk of breaching its duty of trust andconfidence – Detection of personal communications should be possible from the headingor address. The content of personal e-mails should only be accessed where thereis a pressing business need to do so – Establish whether any methods of monitoring can be limited or automated.Automated systems can provide protection from intrusion and malicious codes anddetect references to particular matters – Technology that prevents rather than detects misuse could be used to stopstaff accessing unauthorised websites. PUK can also detect time spent accessingthe internet rather than monitoring sites visited or content viewed,particularly if web access for personal reasons is not permitted – Monitoring can also be done on an aggregated basis by examining logs ofwhich sites have been visited and only focusing on specific individuals whohave been identified as problematic. Such a log is also likely to identifysites accessed accidentally – In all cases, before further action is taken, staff should be given anopportunity to explain their actions or challenge any information. Monitoring e-mails will mean processing information about external peoplewho should be informed of the monitoring. Staff must also be made aware of thenature and extent of e-mail and internet access monitoring. Katherine O’Brien is a trainee solicitor at Lewis Silkin Find out more on the code at www.dataprotection.gov.uk read more

Recent Comments