Cyberbludging special: Acceptable usage

Privacy


Gamertsfelder warns that organisations considering the implementation of monitoring software need to ensure appropriate internal policies are in place so that the Privacy Act is not being infringed upon.

"When drafting internal policies, organisations need to consider whether employee consent is in fact even required under the Privacy Act and, if so, the scope of any consent which needs to be obtained," he says.

Although the Privacy Act is driven by consent, certain activities and organisations have "carve outs" removing them from the scope of the Act. A relevant example is employee records; an organisation does not need consent to keep records of the conduct or performance of an individual.

Gamertsfelder says it is arguable that this covers monitoring, as it is implicitly related to work conduct. However, he warns "there might be a fine dividing line" so an organisation that permits personal use of IT systems would need to spell out exactly what types of personal use are permitted and get permission to monitor such use.

"The Privacy Act has important implications on the storage and retrieval of data," warns White. "Unless an exemption applies, users are entitled to know that information is being collected and the employer needs their consent for the use of such software. Users are entitled to know what information is being stored about them and amend same if inaccurate."

Andrys also believes that Australian privacy laws require that the type of information being collected be disclosed and that employees' consent be obtained, because Internet usage patterns could constitute private information.

Gamertsfelder observed that there have been around 20 complaints in this area to the Federal Privacy Commissioner, but as they have generally been resolved on a confidential basis, no trends are apparent yet.

Smith takes a different view: "The privacy legislation is really associated with the gathering of personal information on an organisation's clients, publishing a privacy policy, and giving clients the opportunity to opt out and check their details at any stage. At this point, this legislation does not include employees of an organisation."

Since it is not clear at this stage whether this type of monitoring is exempt from Privacy Act provisions, it would seem prudent--as well as good employee relations practice--to discuss any proposed implementation with staff and obtain their explicit consent.

Some of the products mentioned in this article seek to minimise cyberbludging and other misuse of resources by blocking or restricting certain traffic rather than drawing attention to incidents of abuse, but you may need to collect data in order to identify that traffic.

If the software used for that purpose was developed with a different privacy regime in mind, it's possible that it might not dovetail with Australian requirements.

According to Gamertsfelder, the New South Wales government is contemplating new surveillance laws that would go far beyond the provisions of current privacy laws and would require employers to gain the express consent of employees before conducting any electronic surveillance of them, including monitoring e-mail and Web use.

"This would be an extraordinary outcome as it would impact adversely on an organisation's ability to maintain security and effectively deal with its own property, i.e. its information systems, in a manner which it and its employees determine," he says.

"Security is a huge issue that you don't want to be interfered with by privacy or industrial relations laws," says Gamertsfelder. "The Privacy Act is fairly balanced and doesn't present a threat to security," he added, but the proposed surveillance laws "get into troubled waters."

There are other legal considerations arising from monitoring and surveillance systems. "Organisations need to be particularly careful that any surveillance or monitoring actions do not breach offence provisions in Telecommunications laws," Gamertsfelder advises.

These provisions prohibit the interception of telecommunications, and in some circumstances e-mail or other Internet monitoring or surveillance could possibly constitute an offence under these laws.

Chuawiwat suggests that if an organisation permits the use of e-mail for private purposes, employees should be instructed to put the word "private" in the first line of the message, and MIMEsweeper set to ignore the content of such messages and merely add an appropriate disclaimer to outgoing messages.

"We only stop the [messages] that the policy says to stop and hold," he says. While this provides a greater degree of privacy, it also provides a hole through which confidential material can leak.

Talkback 1 comments

    i think that the cyberbludging ...Anonymous -- 01/05/02

    i think that the cyberbludging special was helpful
