Monitoring Policy
Purpose
This policy describes how we will monitor the use of our computer systems.
Scope
This policy applies to users of the following Opus Works systems:
- Networks
- Laptops and desktop computers
Policy
- Opus Works systems and networks are intended for ‘business’ use. However, we also recognise that there are benefits to be gained by allowing personal use of our services. All usage of our computing services should be consistent with our Acceptable Use Policy.
- We reserve the right to monitor the use of our network and services, and to access any information stored on our infrastructure, but will do so in ways that are consistent with relevant legislation and guidance provided by the office of the UK Information Commissioner. We will undertake such monitoring to:
- Comply with our regulatory and statutory obligations
- Assess compliance with our Information Security and Acceptable Use Policies
- Evaluate staff training
- Monitor system performance
- Such monitoring may include email, internet, telephone, mobile telephone and electronic file storage usage. Such monitoring is not, in general, person specific; your personal data may nevertheless be accessed under this policy, but only in ways that are consistent with relevant legislation.
- The existence or otherwise of monitoring procedures does not diminish the responsibility on staff and contractors to comply with the Acceptable Use Policy.
Privacy
- Our policy aims to provide an appropriate balance between respecting your privacy and allowing the monitoring necessary to meet our business needs and legal obligations.
- We recognise that staff have legitimate expectations that they should be able to keep their personal lives private and that they are entitled to a degree of privacy in the work environment. Monitoring will therefore be undertaken in ways that are consistent with relevant legislation, including the Data Protection Act 1998, the UK Information Commissioner’s Office (ICO) Employment Practices Code, and the Human Rights Act 1998.
- We will also act in accordance with our obligations under the Telecommunications (Lawful Business Practice) (Interpretation of Communications) Regulations 2000.
Monitoring definitions
- This policy makes a distinction between:
- Usage logging: collecting data, usually from log files, about how and when a person used our systems
- Content inspection: viewing information held within, for example, business or personal files or emails, or viewing of information on a screen or monitor
Usage logging
- We log usage of our devices and networks. This data may be used when investigating users' compliance with our network policies.
- None of this data contains the content of the communication or the file – only information about the electronic activity. ‘Usage logging’ therefore does not allow Opus Works to monitor or record ‘sensitive personal data’ as defined by the Data Protection Act 1998.
Content inspection and authorised access
- Opus Works has the right to inspect the content in its systems:
- To fulfil business requirements when a user is unexpectedly absent or is on leave
- To satisfy Data Protection subject access requests
- Where we have reason to believe that a breach of our acceptable usage, email and internet, computing and social networking policies is occurring, or has occurred (e.g. where a complaint or concern has been raised)
- At the request of law enforcement officers if required to comply with UK law
- Content inspection involves viewing information contained within:
- Business files and documents
- Business-related email messages, telephone calls, videoconference sessions, chat sessions or any other computer based communications including internet usage logs
- Business information displayed on a screen
- We will only carry out content inspection after permission has been granted by the ISMS Committee.
- Requests for access to the email account or restricted folders of a member of staff must be made in writing to the ISMS Committee, detailing the reason for the request and the information to be viewed.
- The request should only be approved provided it meets the criteria set out above.
- Upon receipt of the request, a member of the ISMS Committee or delegate will undertake a content inspection. Following the inspection, the ISMS Committee member or delegate will record:
- What information was inspected
- The computer on which the monitoring took place
- The start and end date and time of the monitoring
- The identity of the person(s) performing the inspection
- This record will be kept securely. In order to respond to the criteria above, the record may be shared with the account manager, advocate, leadership guild, ISMS Committee or board members.
- In certain circumstances, investigation of prohibited use may require taking a copy of material which would normally be prohibited from being stored on our systems: for example, pornographic images. As well as requiring the above approval, the investigating person must record and inform the ISMS Committee where this material is being stored and why. As soon as the process is complete, this material must be destroyed. The date of the destruction should be recorded. Destruction will be delayed if the material is illegal and Opus Works is requested to retain the material by law enforcement officers.
- We will regard any attempt to conduct a content inspection that is not in accordance with this policy as gross misconduct.
Prohibited use
- Where we have good reason to suspect that a member of staff is engaging in a prohibited use of our systems – as set out in the Acceptable Use Policy – we may, in very exceptional circumstances, introduce covert monitoring of the individual.
- We will only undertake such covert monitoring where there are strong grounds for suspecting criminal activity or equivalent malpractice, and where notifying an individual about the monitoring would prejudice its prevention or detection. Covert monitoring will be strictly targeted at obtaining evidence within a set time-frame and will not continue after an investigation has been completed.
- Covert monitoring may only be authorised by the ISMS Committee. The record of the monitoring may only be viewed by the ISMS Committee.
Policy Compliance
Compliance Measurement
The ISMS Committee team verifies compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
Exceptions
Any exception to the policy must be approved by the ISMS Committee team in advance. Should any of this legislation have to be relied upon in response to an incident, the incident should be logged and reviewed by the ISMS Committee.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.