To begin this post, it seems appropriate to take a very interesting and clear definition of privacy from the book CISSP All-in-One Exam Guide:
Privacy is the ability of an individual or group to control who has certain types of information about them. Privacy is an individual’s right to determine what data they would like others to know about themselves, which people are permitted to know that data and when those people can access it. Security is used to enforce these privacy rights.
Privacy is a really broad topic, and a single post would never be enough to cover it completely. That is why this post will address privacy inside organizations, specifically the privacy that each employee expects to have regarding the monitoring of their activities and the importance of this expectation in the legal framework.
One of the main privacy-related problems organizations face has to do with the monitoring of staff. This monitoring takes place, for example, when eavesdropping happens on phone calls, security videos are recorded or employees’ browsing history is saved.
Objectives for these types of actions often include increasing employee performance, improving customer satisfaction, deterring employees from performing prohibited actions, etc.
Before starting to observe the activity of its employees, an organization should investigate exactly what it can and cannot monitor under the privacy laws that apply in its country.
It should also be clarified that monitoring must always be related to work. If a manager has the right to listen to the conversations of his subordinates with his suppliers, it doesn’t mean that he also has the right to listen to their personal conversations.
Monitoring should be consistent, with all employees in the organization subject to the same supervision and actions.
The Expectation of Privacy
With what has been presented so far, it may seem that any organization can start its monitoring processes without problems. But we are not taking into account the main actor in this story: the person who is going to be monitored.
In short, the organization should raise awareness among its employees about what kind of monitoring can occur during their work. This is the best way for an organization to protect itself legally, if necessary, and avoid surprising its employees.
If an organization believes it is necessary to monitor the emails of its employees, this must be explained to staff – first, through a security policy and then through constant reminders, such as newsletters or regular training.
In the same way, each person should not only know what type of monitoring he or she may be subject to, but also know exactly which behaviors are considered acceptable and the consequences of not complying with them. This, in addition to helping the organization legally, can reduce the levels of stress, distrust and dissatisfaction that monitoring can cause among employees.
Finally, the organization must have a record signed by the employee that supports the awareness actions that have been carried out to educate them on this issue. This type of record is known as a waiver of the reasonable expectation of privacy (REP) and can be treated as a legally admissible document.
If this does not happen, when monitoring takes place, employees may claim that their privacy rights have been violated and file a civil lawsuit against the organization.
Ultimately, security and privacy awareness training can go beyond the creation of safe habits for users, serving in this case as an indispensable tool when dealing with the expectation of privacy for the people within an organization.
About the Author
Nicolás Bruna is an information systems engineer specialized in information security.
Currently, he is a product manager at SMARTFENSE, an online platform for raising awareness in information security.
Among his tasks, he leads the team that produces training content and social engineering trap simulations, and he manages the correct development of the whole platform.
Nicolás also maintains the SMARTFENSE blog and is one of its primary authors. Among his publications is a whitepaper on “how to develop a security layer oriented to the user”. Within this scope, he is currently working on the development of an OWASP guide on ransomware.