Dept FAQ What if I have an AUP policy regarding illegal images should I still communicate the introduction of auditing and monitoring software?
While such software products are tools for detecting the presence of obscene or illegal images, their long term value lies in their potential as a preventative mechanism deterring employees from storing, downloading, viewing such images in the first place.
In order for this potential to be realised, the communication and education of employees is essential. Employees need to understand the policies, the rationale or values behind the policies, the legal implications/ obligations and the consequences of breach of such policies. Therefore, continuous education and ongoing communication are vital if such monitoring is to serve as an ongoing deterrent. Appendix C provides a sample communication informing employees about the introduction of auditing and monitoring software.
Is this an invasion of the employee's right to privacy?
In most countries, all content on Company IT/Communication systems is considered the property of the Company to which such resources belong. From the time an employee joins a Company they should be clear that they should have no expectations with regard to privacy in their use of any of the company's IT or communication resources. This should be clearly stated in the company's Acceptable Use Policy and communicated as part of the initial induction. Where an Acceptable Use Policy may allow for some personal use of the company's IT / Communication resources, employees still need to understand that ultimately all information contained on such system is accessible on the part of the Company.
What if images are sent to an individual unsolicited? How can it be ensured that an employee's reputation is not damaged unfairly?
To prevent this kind of situation a company's AUP policy should state what an employee needs to do in the event of finding or receiving obscene material either visual or auditory. Typically, employees should report the receipt of such material to IT or HR immediately, this will prevent them being implicated in the solicitation of such information. The employee should also inform the sender that such material is offensive and that they should refrain from sending these in future. At the same time, employees need to be aware that the continuous "unsolicited" receipt of offensive material may require further investigation.
How does a company decide what action needs to be taken if pornographic or illegal images are discovered?
The Case Management section of this document provides guidelines on the type of action that should be taken following the discovery of offensive images. Images are considered illegal if they involve a minor. In such cases, clients are advised to seek legal counsel which most likely will result in contacting the police.
However, ultimately the discovery of any potentially illicit image material needs to be treated extremely seriously, since what one employee construes as mildly upsetting may be viewed as extremely offensive by another.
I am concerned about the impact that viewing such images might have on the employee managing the system. What can be done to minimize the impact?
The selection of who monitors the system is a key issue and needs to be given due consideration. The administrator must be someone who has both the IT capability and emotional maturity to deal with potentially objectionable material. IT and HR should work together to select individuals with the right mix of skills and maturity.
Many companies decide to keep the monitoring of such information at a management or senior administration level until the monitoring system is widely implemented and its use and capability is communicated and understood throughout the organisation. This communication and education should act as a deterrent, serving to reduce or eliminate the presence of such obscene material.
However, the HR/ IT Manager needs to be continuously cognisant of the number and type of images viewed and consider the impact on the administrator. Where necessary, the provision of an Employee Assistance Programme (EAP) may ensure that that impact on the employee is minimal. While the impact on the employee administrating the system may be upsetting, it is happening in a controlled environment, where the individual has expectations of what they are going to see. Contrast this to a situation where no such monitoring is taking place and as a result such information is sent to an employee unsolicited by another employee.
About the Author:
This article was written by Colm Doherty of Pixalert - http://www.pixalert.com Data Loss Prevention | Email Monitoring Solution. PixAlert is the market leader in products and services that provide detection of critical data for corporations.