The STFC employs monitoring techniques on its communications systems, including e-mail and Internet access, to enable usage trends to be identified and to ensure that these facilities are not being misused.
Monitoring is limited, as far as practicable, to the recording and analysis of network traffic data. To this end, the STFC keeps logs of calls made on each telephone and fax machine, of e-mails sent by e-mail address and of Internet sites visited by computer system address.
These logs are not routinely monitored on a continuous basis but spot-checks are carried out from time to time to help ensure compliance with this policy. Further investigations may be necessary where there is reasonable suspicion of misuse of facilities.
Since the STFC owns and is liable for data held on its communications equipment and systems, it reserves the right, as part of such investigations, to inspect the contents of any e-mails that are sent or received, and of Internet sites accessed, for compliance with this policy. This will only be done where the volume of traffic or the amount of material being downloaded is excessive, or there are grounds to suspect that use is for ‘unacceptable’ or ‘forbidden’ purposes. Exceptionally, where there is a defined and valid reason for doing so, the inspection of e-mail contents may include items marked ‘private’ or ‘personal’. Employees’ e-mail and voicemail accounts may also be accessed by management when they are absent from work to ensure official business matters can be effectively dealt with.
Monitoring/investigations of employees’ use of the STFC communications systems may also happen in the following circumstances:
· To detect or prevent crime e.g. detecting unauthorised use of systems, protecting against viruses and hackers, fraud investigation.
· As part of occasional training and quality control exercises e.g. how incoming calls are handled.
· To assist in maintaining the security, performance, integrity and availability of the IT systems which support the e-mail system and provide connection to the Internet.
· To provide evidence e.g. of a commercial transaction, to establish regulatory compliance, audit, debt recovery, dispute resolution.
Where monitoring is used, only staff trained in data protection compliance will investigate the recorded data. Confidentiality will be ensured for all investigations involving personal data, except to the extent that wider disclosure is required to follow up breaches, to comply with court orders or to facilitate criminal investigation. Logged data will not be retained for more than one year.
In addition, the STFC Computer and Network Security Group conducts regular audits on the security of the Council’s computer systems. These audits include examination of a small, randomly selected set of desktop and server systems. The audit checks that these systems have correctly licensed software, do not contain inappropriate material and have not been used to access or view inappropriate material on the Internet.
Where monitoring reveals instances of suspected misuse of the STFC communication systems (e.g. where pornography or other inappropriate material is found, or where substantial time-wasting or other unacceptable/forbidden use is found), they will be investigated through the disciplinary procedures and may lead to summary dismissal.
Personal files, documents and e-mails
To help safeguard their privacy, it is suggested that employees mark any personal e-mails they send with the word ‘Personal’ or ‘Private’ in the “subject” line and ask those they correspond with to similarly mark any personal e-mails being sent into the STFC.
Personal files, documents and e-mails should be stored in a folder clearly marked as ‘Personal’ or ‘Private’ – they should not be stored in the STFC’s corporate electronic document or record management facilities (ERMS).
Where possible, staff monitoring or inspecting the STFC IT and communications systems will respect e-mails and folders which are marked ‘Personal’ or ‘Private’.