By Andrew Walls

When overseeing employees, monitor and receive feedback while providing full transparency in order to maintain consistency and coherence in the enterprise.

As new forms of technology bring accessibility to the hands of individuals, employee monitoring becomes crucial in the development of security risk management objectives. Andrew Walls, managing vice president at Gartner and conference chairman of the recent Gartner Security & Risk Management Summit, explained that, fundamentally, when overseeing employees you need to monitor and receive feedback while providing full transparency in order to maintain consistency and coherence in the enterprise.

There’s value in monitoring structures despite the invasive notion people may have of them. Some of the most popular things being monitored are phone calls, physical actions via video, endpoint and network use, and location/motion tracking. Gartner predicts that through 2018, organisations that monitor at least three key employee security behaviors will recognise 50 percent improved employee security performance compared with organisations that do not.

Reasons why monitoring is implemented within the enterprise are:

• Performance – the primary objective. We monitor employees to ensure a certain level of performance in the workplace. Organisations want to monitor behavior in terms of moving business objectives as a way to correct poor-performing units and reward high-performing units.
• Security – Allows for breach containment, early mitigation of risky behaviours and increased accuracy in planning.
• Reputation – Assess the reputation and image associated with certain entities via actions like social media monitoring and perusing websites to see what people are saying for proactive containment of PR issues.
• Discover/Curiosity – The realm of big data. Monitor everything to find new ways to achieve productivity. Enables new opportunities/pathways.

As invaluable as this can all be, is it ethical? Walls explained that it’s all about the jurisdiction you’re in because that trumps all – there are things that can be done in the U.S. that are prohibited in Canada or elsewhere.

“When looking at laws, we see that they’re not prescriptive as they tell you what you cannot do and what you have to do in terms of consent, but they don’t bar you from doing anything specific as long as you go through the right hoops for approval,” Walls said. “Since the laws don’t provide sufficient guidance, and are way behind the advancements in technology, it becomes an ethical choice.”

Within an organisation, executive stakeholders and security teams develop the business cases for monitoring within an enterprise, and it’s essential that they’re aligned in the decisions to have a sound ethical base for taking the proposed action. Everyone needs to be involved in answering these six questions:

1. For what purpose is the undocumented personal knowledge sought?
2. Is this purpose a legitimate and important one?
3. Is the knowledge sought through invasion of privacy relevant to its justifying purpose?
4. Is invasion of privacy the only or the least offensive means of obtaining the knowledge?
5. What restrictions or procedural restraints have been placed on the privacy-invading techniques?
6. How will the personal knowledge be protected once it has been acquired?

“Ethics brings business value to you,” Walls said. He urged IT and security leaders to take a stand because they will be judging the ethical frameworks being used.

“If you are pursuing employee monitoring, it is critical that you provide full transparency to everyone about what you are doing,” Walls said. “Build a business case that identifies costs, benefits, risks and all potential problems that are social in nature. In order to be successful you need to develop clear and consistent governance.”

(The author is managing VP at Gartner)
Gartner urges IT and security leaders to take a stand because they will be judging the ethical frameworks being used.
Written by FP Archives