Should employee expect any privacy when it comes to corporate computer usage? What legal routes an Info Sec Officer has to gain complete visibility (managed computer usage)?
Thanks for your insights.
a. Should employee expect any privacy when it comes to corporate computer usage?
b. What legal routes an Info Sec Officer has to gain complete visibility (managed computer usage)?
1. During in-processing (on-boarding) of each new employee or associate, provide a copy of the officially published and internally available company policy statement on use of company hardware and software systems, which includes clear statements on expectations of personal privacy on those systems. State clearly how personal information and HIPAA-protected information is handled and protected in those systems. (That policy statement must be reviewed by both HR and legal offices and signed as official by the appropriate senior executive.)
2. Have each new employee sign a statement during in-processing (on-boarding) that they have read and understand the company policy statement on use of and privacy on all corporate computer equipment and accounts, including when accessed from personally owned or public computer systems.
3. At sign-on to any company hardware or software system, open with a splash screen with a simple summary of the policies and a clear statement that by signing into the system the individual is acknowledging all of the provisions found in the complete (cited) policy.
4. Require annual refresher training on system usage and policies, with an acknowledgement of completion and understanding at the end; require that training completion records for the system accounts be kept accessible. Highlight any changes since the previous year's version in the training.
5. Be completely consistent in enforcing the training and acknowledgement requirement: if anyone fails to complete the training and sign the ACK by their deadline, lock their accounts, NO MATTER WHO THEY ARE.
It depends. There will be scenarios in which an employee has a reasonable expectation of privacy and in which monitoring of employees will need to be compliant with privacy law.
If for example an employer offers confidential health counselling services it would seem reasonable that such conversations remain private.
If an employer provides a confidential whistle-blowing facility, say, for example, to identify fraud, then the employee should be protected from being 'unmasked'.
The law will always take precedence over a company's internal policies regarding employee privacy. It would be foolhardy not to take due account of the applicable laws within the jurisdiction in which an employee resides, as the employee could potentially make a formal complaint to a privacy regulator, which often has legal powers to investigate and bring enforcement action. And that's why it's a legal question too.