Employers need to think afresh about employee privacy and company security in the “cloud age”, according to expert warnings in the wake of a significant ruling by the Privacy Commissioner.
In the recently released case, the Commissioner reprimanded an employer for using key stroke monitoring software to obtain an employee's password and access their personal email account. The Commissioner found that the employer's actions amounted to collecting personal information about the employee and breached the Privacy Act.
“We have seen exponential growth in the use of cloud computing in the workplace,” Tim Clarke from Bell Gully wrote in the firm’s latest employment newsletter. However, information hosted through cloud computing was generally “out of bounds” for employers collecting information about their employees, unless the employee had given their consent, or another exception under the Privacy Act applied, he continued.
The Commissioner’s decision had significant implications for employers, he said. “Not only does it clarify the requirements for compliance with the Act, but it also highlights the importance of collecting and using personal information in a fair and reasonable manner where an employer wishes to use collated information in support of disciplinary proceedings or an investigation.”
Clarke said that, before collecting and monitoring information from work devices, employers would be well advised to include the following in employee employment agreements and any applicable policies:
What information the employer may collect and types of monitoring (including key stroke monitoring) the employer may conduct;
The purpose for collecting the information; and
The employee's rights of access to, and to request correction of, personal information.
Employees should be made aware of the circumstances in which their personal account or application could be accessed via a work device, he said. “Otherwise, the employee would have a legitimate expectation of privacy in relation to their personal account. A possible exception to this expectation might be where compliance would prejudice the purpose of collection – for example, to detect suspected theft.”
Collection of personal employee information should only be necessary for (and not go beyond) the stated purpose for collection, and should not be by unfair or unreasonably intrusive means, Clarke said. “Therefore, before accessing an individual's personal account, a prudent employer would want to consider whether the ‘ends’ reasonably justify the ‘means’.”
Meanwhile, many New Zealand companies could be exposed to serious IT breaches because they had failed to update their remote access systems after employees left, Richard Cheeseman from Lume Managed Service Integration warned. "We find that many ex-employees and suppliers can still access the networks of companies – either via virtual private networks (VPN) or through the cloud – long after their association has ended.”
Updating remote access security protocols should be part of a business’s policies and procedures manual, and somebody within the company should be given direct responsibility for ensuring it happened, Cheeseman said.
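The stale-access problem Cheeseman describes is easy to check for once someone owns it: reconcile the accounts that still exist on each remote-access system (VPN, cloud services) against the HR roster and flag any enabled account whose owner has left or was never on the roster at all. The script below is an added example written for this article, not code from Lume or any product it mentions; the roster, account list and dates are constructed sample data, and in practice the two inputs would be exported from the HR system and from each VPN or cloud identity provider.

```python
"""Reconcile remote-access accounts against the HR roster to find access that
outlived an employee's or supplier's engagement (constructed sample data)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    username: str
    end_date: Optional[date]   # None: still employed / engagement still current


@dataclass(frozen=True)
class Account:
    username: str
    system: str                # which remote-access system holds the account
    enabled: bool
    last_login: Optional[date]


# Constructed sample data (hypothetical; not from the article or any real company).
HR_ROSTER = [
    Person("alice", None),
    Person("bob", date(2024, 3, 31)),     # left at the end of March
    Person("carol", date(2024, 12, 31)),  # fixed-term contract, still current
]

REMOTE_ACCOUNTS = [
    Account("alice", "vpn", True, date(2024, 5, 30)),
    Account("bob", "vpn", True, date(2024, 4, 15)),             # still enabled, used after leaving
    Account("bob", "cloud-storage", False, date(2024, 3, 20)),  # correctly disabled at offboarding
    Account("carol", "vpn", True, date(2024, 5, 2)),
    Account("vendor-acme", "vpn", True, date(2024, 1, 9)),      # supplier login with no HR record
]


def find_orphaned_access(roster: List[Person], accounts: List[Account],
                         today: date) -> List[Tuple[str, str, str]]:
    """Return (username, system, reason) for every enabled account whose owner
    is not a current person on the roster. Disabled accounts are ignored."""
    end_dates = {p.username: p.end_date for p in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already revoked; nothing to do
        if acct.username not in end_dates:
            # Nobody in HR owns this login: typically a supplier or shared account
            # that was never tied to an engagement end date.
            findings.append((acct.username, acct.system, "no HR record"))
            continue
        end = end_dates[acct.username]
        if end is None or end > today:
            continue  # current staff member or contractor
        reason = "departed"
        if acct.last_login is not None and acct.last_login > end:
            # Strongest signal: the account was actually used after the person left.
            reason += ", last login after end date"
        findings.append((acct.username, acct.system, reason))
    return sorted(findings)


if __name__ == "__main__":
    for user, system, reason in find_orphaned_access(HR_ROSTER, REMOTE_ACCOUNTS, date(2024, 6, 1)):
        print(f"REVOKE {user:<12} {system:<14} {reason}")
```

Running this against the sample data reports bob's VPN account (enabled and used after his end date) and the vendor-acme login that has no HR record; alice and carol are current and bob's cloud-storage account was already disabled, so none of those are listed. Scheduling the check and routing its output to the person Cheeseman says should own the process turns the policy into something that is actually verified rather than assumed.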