A firm’s IT manager is often the one stuck suggesting which sites to block, as they can tell — via the monitoring software — which are the most popular non-work sites. But he says he tries not to be Draconian about it: “We block some of those sites that have consequences for the firm in terms of the threat of malicious code or viruses, but personal banking and stuff like that, that’s at their discretion. If they are using it during their break times, we can evaluate that and say, yes, you are using it for 15 minutes, and so be it.”
Spy vs. Spy(ee)
He says employees are often curious as to whether IT has the technology to view what’s happening on their screen, but often what they don’t know can’t hurt them. “I talk to a lot of users, and people always get paranoid, so I really don’t mention it to them. It’s in their release when they get hired and they sign off on it,” he says. He typically tells them that if they aren’t doing anything wrong, they have nothing to worry about.
When it came to choosing the software, the firm’s IT manager had a major say in the decision. This is important, but, he adds, formulating policy should be a group decision.
Perrier-Knox argues that IT managers already have too much responsibility in this area.
“It’s a technologically dependent form of monitoring, but, in reality, and in terms of best practices, IT managers should not be dictating these policies,” she says.
Instead, policy should come from the business side and HR — they can take privacy issues into account, and inform current and new employees about what’s being monitored and to what extent. In addition, says Perrier-Knox, anyone with the authority to carry out monitoring should also observe a strict code of conduct. They should only be monitoring things and people that they have been tasked with monitoring. This is meant to eliminate situations where an IT staffer might, for some reason, start paying special attention to an individual, in effect spying on them.
And, if individuals in the IT department are being asked to monitor usage, they should definitely not be the ones carrying out any disciplinary action. There should be a “fairly straightforward escalation procedure” in place whereby the authorized individuals can report violations either to supervisory staff, management staff or HR, and there should be very clear handoff lines, according to Perrier-Knox.