Occasionally an issue turns up in the news that captures the public’s imagination and highlights the scale of their ignorance. The BBC and other news outlets did this on Thursday when they reported on a case from the European Court of Human Rights (ECHR). The ECHR ruled that an employer was within their rights to read private messages sent using a work computer. Anybody who has worked in the information security field will be well aware that email monitoring is a fundamental part of Data Loss Prevention (DLP). Reading through the 1200+ comments on the BBC article, what becomes clear is the sheer range of viewpoints on this issue:
The politics of monitoring
One group of people failed to get past the word European in the article without resorting to anti-EU rhetoric, missing the point that this is an ECHR ruling that is neither binding on UK courts nor setting new precedents.
And here it is- the European Court of Human Rights (ECHR) dictating to the people of Britain once again. Whatever your views are on the rights and wrongs of this policy, remember it was made in a foreign UNELECTED court and will affect you! We must have a British Bill of Rights and leave the EU. Only then, will we, the people of Britain, decide what we think is right for us.
An employer looking to monitor employees’ communications has to ensure that their monitoring is proportionate, complies with data protection laws and is appropriately communicated to, and agreed by, users. There’s no set way to monitor employee activity; it comes down to the needs of the organisation and the intent of the monitoring. Some organisations choose to use blocking to reduce the scope of communications that need to be monitored. By blocking access to some webmail services, the need to monitor them for company-specific information is eliminated.
Those not getting it
Many of the commenters took the thought of their employer monitoring their communications as some sort of personal attack on them.
The office is becoming more miserable by the second, rows and rows of zombies now stare forever at their screens without any interaction.
Let’s face it, the office is a social environment, unless you want to hire a computer instead let people be. I can imagine some jumped up dictator manager chomping at the bit to make people’s lives just that little bit more miserable.
This is appalling; an employer does not own an employee & an employee cannot reasonably be expected to compartmentalise his life in either work or family. If smokers can stand outside smoking and pregnant women have time off work then 1% of work time can be generally used for non-work activity. After all the employer benefits from an employee’s private interests, so this judgement is totally wrong!
What people in this camp fail to understand is that DLP is about preventing the loss of company data. This breaks down into a number of categories. Some organisations such as banks ban staff with access to customer data from any type of personal Internet use. If the employee then uses the Internet for personal business, and gets caught, there are no grounds for argument. Other companies choose to ban some or all Internet services, and allow limited personal use over the work-provided services, on the proviso that your communications may be monitored. As an employee, you have to take a pragmatic view of the situation here: yes, they could monitor your emails, but do you think they care that you’re asking your friend whether they fancy Pizza Express or Nando’s for lunch? Of course, if you really are having a conversation that is so private that you don’t want your company to be able to read it, don’t use a company computer. This brings us to the majority of the comments:
Those that do
Fortunately, most of the commenters realised that the workplace is for work.
Personal email for personal stuff.
Work email for work stuff.
It’s not hard…..
If you’re using company mail accounts for personal use – then you’re fair game
You’re in work, on work time, using work PCs and work internet access…. what sort of idiot thinks they don’t have a right/wouldn’t check what traffic is going over their networks? You’re there to work and are beholden to your employer. They also have a responsibility to make sure their networks and IP are secure. Seems an eminently sensible decision.
So what happens to monitoring now? Not much really – the ruling doesn’t change anything beyond bringing it to the attention of the public. So next time you’re signing an employment contract, read the bit about acceptable IT usage properly. If you’re like one of the people above who think monitoring is wrong, don’t sign. Simple.