The Lower Merion School District in Pennsylvania is getting a crash course--trial-by-fire style--on the limits of what is acceptable when monitoring computer activity. The facts are still being worked out, and investigations and lawsuits are still pending, but there are some lessons to be learned here for conducting an effective--and legal--monitoring program.
1. Disclosure. One of the most important steps in separating "monitoring" from "spying" is to establish what is acceptable, and provide some advanced notice that computer activity and communications could be monitored.
In general, there is no need to specify how or when the monitoring might be done. A disclaimer that the company reserves the right to monitor activity is more or less standard. However, the ability to enable the webcam on a laptop in the individual's home without their knowledge or consent is outside of the gray area--it crosses from diligent monitoring to creepy spying real quick.
2. Discretion. Even if monitoring has been disclosed as a possibility, some controls should be in place regarding how and when monitoring is conducted (especially for equipment like laptops that are also used in the home), as well as which individuals have the authority to conduct monitoring, or access data gathered through monitoring.
While the company may be within its legal rights in monitoring network and computer activity of employees, the privacy rights of employees engaged in illicit or questionable activities could still be violated if those actions are broadly disclosed to peers, managers from other departments, or other parties that have no stake or interest in the employee's productivity.
3. Personal Use. The jury, or in this case the Supreme Court of the United States, is still out on this issue, but based on the case of Ontario, CA police officers suing the Ontario police department, the company's right to monitor its network and equipment could be superseded by an implied expectation of privacy when personal use is also authorized.
Essentially, the company does have the right to monitor the communications and activities on its network and company-issued equipment. However, when the company also specifies that employees are allowed to conduct personal business and communications using company-issued equipment it gets a little murky whether or not that permission comes with an expectation of privacy.
4. Don't Go Dutch. In the case of the Ontario police department, one of the other factors clouding the issue is that officers were given a base plan and asked to pay for any overages resulting from excessive personal use. The fact that the officers were asked to pay a portion of the service charges also includes some degree of implied expectation of privacy. Similarly, as is the case with the students of Lower Merion School District, or employees using company-issued laptops from home, the individual is actually paying for the Internet service, therefore the company (or school district) may be overstepping its authority by monitoring that activity.
5. Automation. Using monitoring software can automate the process of monitoring, and provide an aggregate view of the correlated data--the "big picture"--without exposing the identity or violating the privacy of any specific individual. Excessive usage or indications of suspicious or unauthorized activity can then be drilled down for further investigation, but there should be established guidelines or thresholds and clearly-defined policies covering those actions to prevent any impropriety --real or perceived--on the part of the employer.
IT administrators must strike a balance between diligent monitoring to maintain productivity, prevent legal liability, and meet compliance requirements, and violating employee privacy. The line between monitoring and spying can be thin at times, and the cases of the Ontario police department and the Lower Merion school district could both have repercussions affecting the ethics and legality of monitoring.