Company IT Policy - Urgent


stevieb

Original Poster:

5,252 posts

268 months

Wednesday 1st November 2006
Don said:


You might not agree to it. This is, however, the legal situation. There is no legal defence - never use Company e-mail for any purposes other than what you are happy for the Company to read. Use a web-based e-mail account elsewhere for other stuff.

A Company can, of course, set any policy it likes. So your Company could adopt a situation like puggits. But it doesn't have to. That's the bottom line.

I am Director. In my firm Corporate e-mail may be used personally. But is NOT private.


Don,

I see what you are saying but this is a very grey area and to be honest I couldn't really give a toss if they read my emails or not really. But the Government produced the Lawful Business Practice Legislation that clarified what leeway companies have to monitor staff, which in summary: the business practice regulations give companies permission to listen to employee phone calls and open personal e-mails to help them comply with regulatory demands, stop computer viruses spreading, cover for key staff who are on holiday or protect the reputation of the company.

This does not give them the right to full access to the email account etc, and in a way our HR department have now caught wind of this and are concerned about action from a tribunal! As it is not clear legally which party is right or wrong, they are trying to mediate the conflict. We have received confirmation that the employee was not under investigation for any activity.

So we are sticking up for each other through this as we do not want this to take precedence over what IT can and cannot do.

These views are my own views and are not related to the company by which I am employed; I take responsibility for any actions as a result of my posting on this forum.



Edited by stevieb on Wednesday 1st November 15:55

recalluk

813 posts

237 months

Wednesday 1st November 2006
This tends to flip both ways: yes, it is the company policy and as such you do not have privacy rights on company equipment.

HOWEVER all companies also have a separate section about keeping information private and secure; now for your IT Dept to be able to open mail, they have to have permission from someone or this is potentially a very serious offence as far as your auditors will be concerned.

For example here, the IT bods can open mail but have to be instructed by the HR director to do so and it's her call, even though we state you are being monitored. Recently an IT bod opened a mail and spilled the beans on a director's account. Needless to say he is long gone.

Personally I would drop a mail to your HR dept, CC the IT service manager, and request a copy of the authorisation to do this and the justification behind it. Or if they state it is automated monitoring which flagged it, then ask for a copy of the log from the service that flagged this up. If they can provide neither, then ask how this came to the attention of the IT Service Manager and what would stop this happening for senior staff higher than said IT manager.

Generally as soon as a Director / VP gets to know his mail is not secure and being read by the IT bods it tends to stop sharpish.

recalluk

813 posts

237 months

Wednesday 1st November 2006
Just for the record the buck stops with HR not IT; they are not allowed to ride roughshod over policy. Too many companies let IT set IT policies and that's where trouble starts. HR all the way to protect your a55

rich1231

17,331 posts

261 months

Wednesday 1st November 2006
recalluk said:
Just for the record the buck stops with HR not IT; they are not allowed to ride roughshod over policy. Too many companies let IT set IT policies and that's where trouble starts. HR all the way to protect your a55


yeah what he said.

How the fing hell does an IT bod think he can issue written warnings.

It's a formal process and needs HR involved.

On a connected note..
Many years ago I liaised with the security team at a large German bank and I was part of the email infrastructure team.

We had access to everyone's email, and incoming and outgoing stuff was scanned for keywords; those emails were then dumped into a special place for us to investigate.... the legality is cloudy I believe on this sort of thing.

randlemarcus

13,525 posts

232 months

Wednesday 1st November 2006
rich1231 said:
recalluk said:
Just for the record the buck stops with HR not IT; they are not allowed to ride roughshod over policy. Too many companies let IT set IT policies and that's where trouble starts. HR all the way to protect your a55


yeah what he said.

How the fing hell does an IT bod think he can issue written warnings.

It's a formal process and needs HR involved.

On a connected note..
Many years ago I liaised with the security team at a large German bank and I was part of the email infrastructure team.

We had access to everyone's email, and incoming and outgoing stuff was scanned for keywords; those emails were then dumped into a special place for us to investigate.... the legality is cloudy I believe on this sort of thing.

Totally agree that HR have responsibility, but I guess that you'll find that the IT policy was set by IT as HR couldn't be bothered Googling for a pre-written one. I suspect that the "written warning" from the IT guy was simply an extension of this, either the chap thinking it's within his remit to action contraventions of policy (i.e. protecting the company's reputation, a lovely one, similar in scope to "actions unbecoming" or "breach of the peace") or because he is a jumped up little geek who lives in the basement. Pays your money, takes your choice.

Personally, I think that them asking for your passwords is a far worse act than sending a warning. It smacks of the most appalling working practices, and will inevitably cloud any disciplinary action that anyone may want to consider, as they have just fouled the evidentiary trail. So crack on and surf for pr0n as much as you like...

While Germany and the Netherlands have pretty clear definitions of user rights, IMHO, the consensus in the UK is that they are corporate systems, so the information belongs to the company. That doesn't mean the IT department, however, so make sure that the policy reflects the need for oversight, i.e. the HR director having to authorise a mailbox opening by a human.

TonyToniTone

3,425 posts

250 months

Wednesday 1st November 2006
stevieb said:
TonyToniTone said:
What directory are you using NDS or AD?


They are currently moving from Novell to Microsoft if I have interpreted that correctly. But the passwords for this process are not an issue; this is purely down to access to email account profiles.

Edited by stevieb on Wednesday 1st November 14:12


It is an issue really as the helpdesk etc should not have access to the mailboxes but should be able to reset passwords as outlined earlier..

randlemarcus

13,525 posts

232 months

Wednesday 1st November 2006
TonyToniTone said:

It is an issue really as the helpdesk etc should not have access to the mailboxes but should be able to reset passwords as outlined earlier..
Might be a migration too issue. IIRC don't Groupwise archives need personal authentication, and will not accept admin style logons

_dobbo_

14,382 posts

249 months

Wednesday 1st November 2006
It seems to me this isn't actually an IT issue at all, rather a procedural one.

The IT manager has sent a written warning to a staff member - is s/he empowered to do this? Seems unlikely. If this person does have this authority, but selectively punishes transgressions, that's a different issue. In a large enough company (sounds like this applies) all this procedural stuff should be set in stone as should an appeals process.

The fact that it's IT, involving passwords etc seems irrelevant to me.

For what it's worth, my understanding of the law is that firms can monitor employee email but must inform employees in writing that this may occur. Staff handbooks and employment contracts often contain this kind of clause.

Liszt

4,329 posts

271 months

Wednesday 1st November 2006
If it is a written warning then, I believe (and I am not a lawyer but had to listen to the dull meeting on the change in employment laws), that you can't just beat someone up. There has to be a defined process. Something along the lines of:

Employee gets told "we think you have done something naughty and we are investigating. This will lead to a formal meeting where you may bring a colleague or suitable representative"
The outcome could be:
No action,
an informal warning,
a formal verbal, (which is noted so is surely a written?)
a written warning,
a final written warning,
or dismissal.

There must be an appeal process in place and there are time lines involved.
If any of this has not been followed then a grievance may be filed and that is similar in that it is now covered by law.

Now would be a good time to review your IT policy because most say using someone else's logon or attempted use is a gross misconduct offence, which usually ends in dismissal.

This could be turned around and said to be bullying by the IT manager which is another big no no.

Have a look at the CAB site as that has been useful to me in the past in setting people straight in what they can and can't do in the name of company policy

stevieb

Original Poster:

5,252 posts

268 months

Thursday 2nd November 2006
Thanks for the Advice,

I have been reading the IT policy overnight to digest all of it, 50 pages in all!!! I/we do not have a problem assisting the senior IT people in monitoring our emails, that part of it. But what we object to is that now that we are migrated to AD, we have to call our IT service desk to change passwords; when anything is wrong on our system (LoginScript/Email account etc) we have to provide our username and password for them to fix the problem.

I/we do not want to be held accountable for any emails sent/received if we do not have complete independence to change our login passwords.

Thanks for the advice so far. The saga continues

zumbruk

7,848 posts

261 months

Thursday 2nd November 2006
recalluk said:
Just for the record the buck stops with HR not IT; they are not allowed to ride roughshod over policy. Too many companies let IT set IT policies and that's where trouble starts. HR all the way to protect your a55


If you believe that HR have anyone's interests at heart other than the company's, I have a bridge you might like to buy.

victormeldrew

8,293 posts

278 months

Thursday 2nd November 2006
I'd be looking closely at Sarbanes-Oxley in respect to this.

There are many things that you would not want IT staff to have access to, and if they are doing their jobs properly they should not need access to end users' passwords. Access to data on the systems should be protected and given only to people who have need to see it, otherwise there is a security risk. Just because they are IT does not, and should not, give them the right to access data.

Systems should be set up so that IT can administer and safeguard company data without needing to, or being able to, see the content.

I've had to set up systems in this way in the past, and I've had to demonstrate to auditors that I cannot access live data on systems.

ATG

20,598 posts

273 months

Thursday 2nd November 2006
stevieb said:
I/we do not want to be held accountable for any emails sent/received if we do not have complete independence to change our login passwords.
Just to be absolutely clear, are you saying you can't change your own passwords without involving your IT support and telling them what you want the new password to be?

guydw

1,651 posts

284 months

Thursday 2nd November 2006
Victor is 100% correct.

However, they can monitor your email at will, no question, only your company policy can prevent this, but if the company want to do it, fine.

As far as using your password to access email, or changing your password without your knowledge - dodgy.

I would say that this is an issue of IT doing their job properly, also being over-zealous (and a bunch of nobs) also of correct processes - it is possible that you have a policy that HR / senior management don't understand, also communication is clearly bad.

I'd get together with the IT manager and senior management and get a solution to this.

stevieb

Original Poster:

5,252 posts

268 months

Thursday 2nd November 2006
ATG said:
stevieb said:
I/we do not want to be held accountable for any emails sent/received if we do not have complete independence to change our login passwords.
Just to be absolutely clear, are you saying you can't change your own passwords without involving your IT support and telling them what you want the new password to be?


Correct, which is why a lot of us are getting a bit jittery over access to email accounts etc, as I have taken responsibility recently for 5 company directors which has raised these concerns more.

stevieb

Original Poster:

5,252 posts

268 months

Thursday 2nd November 2006
guydw said:
I'd get together with the IT manager and senior management and get a solution to this.


I am the IT manager for the section, taken over from someone else for many reasons.

I have opened up communications with the overall IT manager for my division but he is completely unsure of what the score is, as the IT department are currently in meltdown.

ATG

20,598 posts

273 months

Thursday 2nd November 2006
stevieb said:
ATG said:
stevieb said:
I/we do not want to be held accountable for any emails sent/received if we do not have complete independence to change our login passwords.
Just to be absolutely clear, are you saying you can't change your own passwords without involving your IT support and telling them what you want the new password to be?


Correct, which is why a lot of us are getting a bit jittery over access to email accounts etc, as I have taken responsibility recently for 5 company directors which has raised these concerns more.
My god, that's just daft.

Seems to me there are a whole lot of things going badly wrong at your company. You've got some technical ones like the password insanity above, but most of them sound like a managerial meltdown. As an outsider, when you hear someone saying they want legal advice about what a manager in another part of the IT dept can do, it sets off alarm bells the size of Big Ben. That smacks of a complete and utter collapse of trust, communication, etc. To be frank, although I can well understand why one's natural reaction would be to fight a rearguard to try to protect yourself and your team from the corporate insanity, flexibility and pragmatism from all sides is the only way firms recover from in-fighting and chaos. If you have meetings to try to deal with these problems, (a) for the sake of the company and (b) for the sake of looking like a good bloke, don't be the person listing grievances and issuing ultimatums. Be the person who lists the problems frankly and clearly, but matches them with a bunch of suggestions about how they can be solved.

stevieb

Original Poster:

5,252 posts

268 months

Thursday 2nd November 2006
ATG thanks for the advice.

I wish I could provide solutions to some of the problems, but with the company being on both NDS and AD, I cannot provide any ideas or possible ways to resolve the NDS problems. I know my way round AD & Exchange reasonably well.

Above all this is far from my day job; I am not an IT expert by profession any more, I got out 3 years ago. But I was put forward because of my IT contracting experience to resolve the ongoing issues within the section. Wish I never took the role on now.

sjg

7,454 posts

266 months

Friday 3rd November 2006
randlemarcus said:
TonyToniTone said:

It is an issue really as the helpdesk etc should not have access to the mailboxes but should be able to reset passwords as outlined earlier..
Might be a migration too issue. IIRC don't Groupwise archives need personal authentication, and will not accept admin style logons


If you're moving off Groupwise and onto Exchange, the tools MS supply for moving mailboxes need to be able to read the user's mail. Each one has to give proxy access to a central "migrate" user so that it can be read. With our migration, if someone hasn't done that by the time their account is to be moved, they'll get their password reset and we go in and grant that access ourselves. And yes, archives have to be read by the account that owns them.

Unlike Exchange, Groupwise is very trustworthy - if you've got a password set, there's no way for anyone else to read the mailbox unless you explicitly give them rights through proxy access, or if someone with enough authority changes the password (and you'd know about that next time you log in). There's no way someone can just tick a box in the account's security and grant themselves rights to read it.

Asking users for passwords is VERY dodgy though. I don't ask for passwords and never have - if I need to test something as a particular user, I'll reset their password (with their, or IT manager/HR's permission if absent), do what I need to do, and expire it so they have to change it on next login. Using their actual password implies either lazy IT staff (or that don't have sufficient rights to do their jobs) or lazy users (who find changing their own password far too taxing).

TonyToniTone

3,425 posts

250 months

Friday 3rd November 2006
Last place I worked at, permissions were set up so only the user, delegates and security team could read Exchange mailboxes and not the Exchange admins.. the Exchange admins could get around this if they wanted but they would get fired as the audit log is parsed and sent to the security team daily..

In some ways this is better as you can monitor staff without alerting them.
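As an added example (not code from the thread or from any poster), here is the kind of daily audit-log check the post above describes: it parses mailbox-access records and flags anyone who opened a mailbox while being neither its owner nor an authorised delegate. The log format, the account names and the allow-list are all constructed for this example.

```python
# Added example: flag mailbox accesses by accounts that are neither the
# mailbox owner nor an authorised delegate.  Log format, names and the
# allow-list are constructed, not taken from any real Exchange deployment.
from collections import namedtuple

Access = namedtuple("Access", "ts mailbox actor action")

# Constructed allow-list: mailbox -> accounts permitted to open it
# (the owner, any delegates, and the security team's review account).
ALLOWED = {
    "director1": {"director1", "pa.jones", "security.team"},
    "stevieb": {"stevieb", "security.team"},
}

# Constructed sample log: "<timestamp> <mailbox> <actor> <action>" per line.
SAMPLE_LOG = """\
2006-11-02T08:01:12 director1 director1 FolderBind
2006-11-02T08:05:40 director1 pa.jones MessageBind
2006-11-02T09:12:03 stevieb exch.admin FolderBind
2006-11-02T09:12:09 stevieb exch.admin MessageBind
2006-11-02T10:00:00 director1 security.team FolderBind
2006-11-02T11:30:45 director1 helpdesk1 MessageBind
this line is malformed on purpose and must be skipped
"""


def parse_log(text):
    """Parse the four-field lines; drop anything that does not fit."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        records.append(Access(*parts))
    return records


def find_unauthorised(records, allowed=ALLOWED):
    """Return sorted [(actor, mailbox, count)] for accesses by accounts outside
    the mailbox's allow-list.  A mailbox with no entry permits only its owner."""
    counts = {}
    for rec in records:
        permitted = allowed.get(rec.mailbox, {rec.mailbox})
        if rec.actor not in permitted:
            key = (rec.actor, rec.mailbox)
            counts[key] = counts.get(key, 0) + 1
    return sorted((a, m, n) for (a, m), n in counts.items())


def daily_report(text, allowed=ALLOWED):
    """One line per offending actor/mailbox pair, ready to send to security."""
    hits = find_unauthorised(parse_log(text), allowed)
    return [f"{actor} opened {mailbox} {n} time(s) without being owner/delegate"
            for actor, mailbox, n in hits]


if __name__ == "__main__":
    for line in daily_report(SAMPLE_LOG):
        print(line)
```

Run against the sample, it reports the admin account that read a mailbox it was never delegated to, while owner, delegate and security-team reads pass silently.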