Company IT Policy - Urgent


stevieb

Original Poster:

5,252 posts

268 months

Wednesday 1st November 2006
I am currently in a fight with my IT support department, and I am currently arguing about the current IT policy and how this policy has been broken continuously by the IT Team, to such an extent my department now classify this policy as void.

What are the rights of the employees when it comes down to the IT section resetting passwords to gain access to a user's email account? No suspicious activity has happened. But a member of staff has recently received a written warning for breaking the policy from the IT service manager for a trivial offence to be honest. And I am not happy, being the IT Manager for the office, that this has happened. Now my team have stuck up for him including me.

But I am trying to get this off his record. We have logged many calls with IT regarding mail migration from Novell to Exchange. This has led to an influx of requests from the IT team for us to provide usernames and passwords so as to gain access to our accounts. Some of us are not willing to do this as some are director level, and are concerned about confidentiality. What are the privacy laws that prevent the IT team from resetting our password and logging in as us? Either giving them access to our account or them resetting the account is a breach of the IT policy. But are there any privacy laws in place to prevent them accessing our emails and hence stop them from resetting our passwords?

Sorry for the long post but I have a member of staff threatening to leave and would like to keep him as a member of the team.

Advice Appreciated.

TonyToniTone

3,425 posts

250 months

Wednesday 1st November 2006
What directory are you using NDS or AD?

stevieb

Original Poster:

5,252 posts

268 months

Wednesday 1st November 2006
TonyToniTone said:
What directory are you using NDS or AD?


They are currently moving from Novell to Microsoft if I have interpreted that correctly. But the passwords for this process are not an issue; this is purely down to access to email account profiles.

Edited by stevieb on Wednesday 1st November 14:12

jimothy

5,151 posts

238 months

Wednesday 1st November 2006
IIRC - it's company hardware, company software and you have no privacy rights whatsoever. They can monitor everything, read all your emails, check your browser history, change passwords, the lot.

Probably not what you want to hear.

Podie

46,630 posts

276 months

Wednesday 1st November 2006
I'm systems admin, and we're not allowed to even ask users for passwords - they have to be present. The audit dept keep an eye on us too (quite rightly IMO).

If a user needs a password retrieved a written authorisation has to be sought from their manager, before we can action anything - even then, only a few people have the rights to do this (division of duties).

stevieb

Original Poster:

5,252 posts

268 months

Wednesday 1st November 2006
Podie said:
I'm systems admin, and we're not allowed to even ask users for passwords - they have to be present. The audit dept keep an eye on us too (quite rightly IMO).

If a user needs a password retrieved a written authorisation has to be sought from their manager, before we can action anything - even then, only a few people have the rights to do this (division of duties).


Thanks for that Podie. It's the sort of thing I want to hear. But is this covered in the DPA or Human Rights Act?

I am formulating a document detailing the IT department's violations of this policy (1st Line IT Support) which are to be presented at the Director meeting tomorrow.

I am looking at the DPA and found some guidance which states
"The employer should not intrude on the privacy of the employee" - this is from a third party site and not from the official DPA, is this a correct statement?

Thanks

Steve

Edited by stevieb on Wednesday 1st November 14:27

stevieb

Original Poster:

5,252 posts

268 months

Wednesday 1st November 2006
jimothy said:
IIRC - it's company hardware, company software and you have no privacy rights whatsoever. They can monitor everything, read all your emails, check your browser history, change passwords, the lot.

Probably not what you want to hear.


If that was the case I would not agree to the IT policy, there needs to be some mechanism to protect my privacy as an employee.

FunkyGibbon

3,786 posts

265 months

Wednesday 1st November 2006
Podie said:
I'm systems admin, and we're not allowed to even ask users for passwords - they have to be present. The audit dept keep an eye on us too (quite rightly IMO).

If a user needs a password retrieved a written authorisation has to be sought from their manager, before we can action anything - even then, only a few people have the rights to do this (division of duties).


It's similar here - only person who can get official access to someone else's account is their line manager and that needs countersigning by HR to confirm it is a reasonable request.

We have had IT sys admins who have been nosey and indiscreet - they are no longer with us.

As to whether DPA rules cover this I don't know. Our contract refers to an email usage document that states:

"Email is a very insecure form of communication, which is easily opened and read by people other than the intended recipient, and/or forwarded to others. You should only put information in an email that you would put on a postcard. This means that confidential information about you, your staff, or anyone else should not be transmitted by email."

Whether this is allowed in law to supersede your DPA rights I don't know.

TonyToniTone

3,425 posts

250 months

Wednesday 1st November 2006
If the user is logging into AD-Exchange and they forget their password, you just reset the password in Active Directory Users and Computers to whatever you want and tick the box so they have to change or create a new password.

For NDS-GroupWise there is something similar in ConsoleOne (ages since I used it but it's there).

Either way no passwords are given out and the user creates a new password.

Edited by TonyToniTone on Wednesday 1st November 14:34

FunkyGibbon

3,786 posts

265 months

Wednesday 1st November 2006
stevieb said:
jimothy said:
IIRC - it's company hardware, company software and you have no privacy rights whatsoever. They can monitor everything, read all your emails, check your browser history, change passwords, the lot.

Probably not what you want to hear.


If that was the case I would not agree to the IT policy, there needs to be some mechanism to protect my privacy as an employee.


This is our policy re: monitoring:

"XXXXXX reserves the right to monitor staff internet and email use. Your usage is monitored by your login name, so you are again reminded never to give your password to anyone else. You may be called upon to justify the amount of time you have spent on the internet or the sites that you have visited. The XXXXXXXX considers the following to be valid reasons for investigating an individual's email or internet use:

* If the XXXXXXX suspects that an individual has been viewing offensive or illegal material, such as material containing racist terminology or nudity (the XXXXX understands that it is possible for employees inadvertently to view such material and they will have the opportunity to explain if this is the case).
* If the XXXXXX suspects that an individual has been spending an excessive amount of time viewing websites or handling emails that are not work related.

Monitoring will be carried out on all staff usage using monitoring software. The monitoring software can flag misuse or inappropriate content and if this happens the member of staff involved will be identified and informed of any investigation that will need to take place. The XXXXXX reserves the right to retain information that it has gathered on staff use of the internet for a period of one year."

In reality we don't monitor anymore as the SessionWall server died and has yet to be replaced.

stevieb

Original Poster:

5,252 posts

268 months

Wednesday 1st November 2006
FunkyGibbon said:
Podie said:
I'm systems admin, and we're not allowed to even ask users for passwords - they have to be present. The audit dept keep an eye on us too (quite rightly IMO).

If a user needs a password retrieved a written authorisation has to be sought from their manager, before we can action anything - even then, only a few people have the rights to do this (division of duties).


It's similar here - only person who can get official access to someone else's account is their line manager and that needs countersigning by HR to confirm it is a reasonable request.

We have had IT sys admins who have been nosey and indiscreet - they are no longer with us.

As to whether DPA rules cover this I don't know. Our contract refers to an email usage document that states:

"Email is a very insecure form of communication, which is easily opened and read by people other than the intended recipient, and/or forwarded to others. You should only put information in an email that you would put on a postcard. This means that confidential information about you, your staff, or anyone else should not be transmitted by email."

Whether this is allowed in law to supersede your DPA rights I don't know.


Seems that IT policy is identical word for word for the company I work for, I hope it was from a standard usage template bought from a legal stationers!

GreenV8S

30,208 posts

285 months

Wednesday 1st November 2006
stevieb said:
If that was the case I would not agree to the IT policy, there needs to be some mechanism to protect my privacy as an employee.


The company has the right to know about everything you do with the company's services and resources. If there is an issue, it is which employees within the company are entitled to have access to information about other employees. It may not be appropriate for all IT staff to have unrestricted access to all information from other employees. But as I see it no employee has the right to privacy from the company as a whole, with respect to their use of company resources and services.

Podie

46,630 posts

276 months

Wednesday 1st November 2006
stevieb said:
FunkyGibbon said:
Podie said:
I'm systems admin, and we're not allowed to even ask users for passwords - they have to be present. The audit dept keep an eye on us too (quite rightly IMO).

If a user needs a password retrieved a written authorisation has to be sought from their manager, before we can action anything - even then, only a few people have the rights to do this (division of duties).


It's similar here - only person who can get official access to someone else's account is their line manager and that needs countersigning by HR to confirm it is a reasonable request.

We have had IT sys admins who have been nosey and indiscreet - they are no longer with us.

As to whether DPA rules cover this I don't know. Our contract refers to an email usage document that states:

"Email is a very insecure form of communication, which is easily opened and read by people other than the intended recipient, and/or forwarded to others. You should only put information in an email that you would put on a postcard. This means that confidential information about you, your staff, or anyone else should not be transmitted by email."

Whether this is allowed in law to supersede your DPA rights I don't know.


Seems that IT policy is identical word for word for the company I work for, I hope it was from a standard usage template bought from a legal stationers!


Is it part of Word? hehe

Podie

46,630 posts

276 months

Wednesday 1st November 2006
GreenV8S said:
stevieb said:
If that was the case I would not agree to the IT policy, there needs to be some mechanism to protect my privacy as an employee.


The company has the right to know about everything you do with the company's services and resources. If there is an issue, it is which employees within the company are entitled to have access to information about other employees. It may not be appropriate for all IT staff to have unrestricted access to all information from other employees. But as I see it no employee has the right to privacy from the company as a whole, with respect to their use of company resources and services.


Sounds about right.

pcwilson

1,245 posts

237 months

Wednesday 1st November 2006
stevieb said:
We have logged many calls with IT regarding mail migration from Novell to Exchange. This has led to an influx of requests from the IT team for us to provide usernames and passwords so as to gain access to our accounts.


I would suggest that if they need your user names and passwords to perform this migration then they are doing it wrong.

Not that that answers your question. Sorry.

V8 EOL

2,780 posts

223 months

Wednesday 1st November 2006
FunkyGibbon said:
If the XXXXXX suspects that an individual has been spending an excessive amount of time viewing websites or handling emails that are not work related.
Check... paperbag. It's nearly my last week anyway so what the hell...

FunkyGibbon

3,786 posts

265 months

Wednesday 1st November 2006
stevieb said:
Seems that IT policy is identical word for word for the company I work for, I hope it was from a standard usage template bought from a legal stationers!


Don't work for a charity in Cambridge do you?

(erm, cough, I am posting this from home if we do appear to work for the same company)

stevieb

Original Poster:

5,252 posts

268 months

Wednesday 1st November 2006
FunkyGibbon said:
stevieb said:
Seems that IT policy is identical word for word for the company I work for, I hope it was from a standard usage template bought from a legal stationers!


Don't work for a charity in Cambridge do you?

(erm, cough, I am posting this from home if we do appear to work for the same company)


No, I am stuck in a small cottage office in Surrey overlooking some woodland with deer at the moment!!!

Hello my local IT people if you are monitoring this! It is work related...

FunkyGibbon

3,786 posts

265 months

Wednesday 1st November 2006
stevieb said:


No, I am stuck in a small cottage office in Surrey overlooking some woodland with deer at the moment!!!


Phew - I can continue to PH with impunity (until I'm forced to get the Session Wall server fixed)

Don

28,377 posts

285 months

Wednesday 1st November 2006
stevieb said:
jimothy said:
IIRC - it's company hardware, company software and you have no privacy rights whatsoever. They can monitor everything, read all your emails, check your browser history, change passwords, the lot.

Probably not what you want to hear.


If that was the case I would not agree to the IT policy, there needs to be some mechanism to protect my privacy as an employee.


You might not agree to it. This is, however, the legal situation. There is no legal defence - never use Company e-mail for any purposes other than what you are happy for the Company to read. Use a web-based e-mail account elsewhere for other stuff.

A Company can, of course, set any policy it likes. So your Company could adopt a situation like puggits. But it doesn't have to. That's the bottom line.

I am Director. In my firm Corporate e-mail may be used personally. But is NOT private.