While we often get hung up on matters of privacy and security when it comes to the actions of governments and law enforcement, there’s also the matter of privacy at work. Can your boss snoop on your email? What about CCTV footage? How about listening in on phone calls? Legislative and ethical challenges abound.
Recent changes such as the introduction of the Australian Privacy Principles, mandatory retention of telecommunications metadata, and increased government surveillance with more security cameras in public areas mean that our activities are recorded and retained more than ever before in our history.
The reason given by governments is almost always couched in terms of public safety and of aiding the capture and prosecution of international crime gangs, child sex offenders and terrorists.
But our offices are a little different. So, how do you manage privacy and surveillance at the office?
#1 Consult – a lot
Privacy is a very emotional matter for some people. Given the massive amounts of data that flow through networks and applications, it’s inevitable the IT team will be dragged into the privacy and security debate.
Not everyone will like every aspect of how you manage workplace privacy and surveillance, but being open will help.
#2 Check the law
Most Australian states and territories have rules around workplace surveillance that cover security cameras and other devices:
- Workplace Surveillance Act 2005 (NSW)
- Listening and Surveillance Devices Act 1972 (SA)
- Surveillance Devices Act 1998 (WA)
- Surveillance Devices (Workplace Privacy) Act 2006 (Vic)
- Surveillance Devices Act 2007 (NT)
But there are also the Australian Privacy Principles governing Personally Identifiable Information. If you operate globally, you’ll need to check the rules for each jurisdiction you operate in.
#3 What are you collecting, why and how will it be used?
For all of the data you plan to monitor and retain, I suggest producing an itemised list of what data you’re collecting. For example, there might be email, phone records, security camera footage and building access.
Then, for each piece of data specify:
- What is being collected
- How long it will be retained
- Who can access it
- Under what circumstances it can be accessed
My experience is people are most concerned when access arrangements to this data are unclear. For example, you might specify a line manager can only request access if they have the signature of two or more senior execs, or an exec and the CEO.
#4 Be prepared to iterate
The temptation with many workplace policies is to publish and call the job done.
However, laws and social situations change. For example, the recent leaks from the CIA could change the way you secure and access email records. And the federal government is contemplating an expansion of the existing metadata access regime.
As well as scheduling a regular six-monthly or annual review, I’d suggest being prepared to make changes in response to other changes when they occur.