Introduction
In 2013, Edward Snowden leaked over 200,000 classified National Security Agency documents concerning widespread government surveillance practices. This pushed the debate over trading privacy for greater security into the mainstream media. The global conversation Snowden sparked about how far governments should surveil their citizens is still ongoing today. States face increasingly diverse threats and respond with increasingly complex and powerful intelligence collection capabilities, which makes striking a balance between providing security and intruding on individuals' privacy a difficult task.
Adapting the Debate
Whilst this political debate spans much more broadly, with academic scholars, politicians and media outlets all voicing opinions on the matter, it is easy to overlook the internal realities faced by private and public organisations that Snowden's revelations shone a light upon. After all, Snowden represents one of the most recognised cases of an insider incident. In the same vein in which Snowden revealed how extensively nation-states surveil their own citizens, organisations are increasingly turning to solutions that monitor their own employees in an effort to increase their security and resilience.
In fact, organisations too, not just nation-states, find themselves at a crossroads, compelled to safeguard their digital and physical assets and expertise from a growing and rapidly changing threat landscape, but needing to protect employee privacy. The internal threats organisations seek to protect themselves from can include declining productivity, property theft, fraud, and workplace violence. However, the question remains how far is too far, and when do security safeguards begin infringing upon individuals’ privacy?
Security, Monitoring, and Privacy
Privacy may be understood as how an organisation handles sensitive information, including the assurance that employees' personal information is appropriately protected under the applicable legislation, which we return to later. To maintain high productivity and protect their most sensitive assets, employers are harnessing technology and personal data to monitor and assess employees. It is widely acknowledged that employers may log and monitor employees' digital activities and share personal employee data internally, within strict boundaries, with the goal of bolstering security. It is precisely when specific safeguarding processes rely on personal data that security and privacy come into conflict.
One such process is pre-employment screening. Designed to assess the risk posed by prospective employees, it necessarily requires the collection of personal information, such as criminal record history or social media handles. Another situation where privacy concerns conflict with security objectives is the deployment of User and Entity Behaviour Analytics (UEBA). Modern technology has equipped organisations with the ability to monitor the physical and digital activities of employees, including access and behaviour. In addition, mobile device management (MDM) applications can track employee location and log phone calls. Whilst this data could prove decisive in insider risk investigations, helping to protect sensitive assets, it can also compromise individuals' privacy. These are only a few of the safeguards taken throughout an insider risk management programme in which privacy can be compromised. Whilst these efforts are legitimate, two key elements are needed to ensure that they do not constitute an invasion of employee privacy.
Calm Waters Ahead
First and foremost is the implementation of robust policies and procedures that define the scope of monitoring activities. These policies should rest on core principles such as proportionality, consistency, and transparency. Concise, consistent, value-led communication of these policies, alongside strict adherence to them, ensures employees are aware of the monitoring and understand its basis. Note that in the employment context, consent alone is rarely a sound basis for monitoring, because the imbalance of power between employer and employee means consent is seldom freely given; transparency about the purpose and a documented justification matter more. Communication can also explain to employees why they are being monitored, and train and educate them on the benefits monitoring and compliance bring to the organisation, whilst creating a security-aware environment. This in turn allows an organisational culture founded on trust and cooperation to be fostered.
However, the principles above cannot by themselves ensure that policies are privacy-compliant. Organisations must stay up to date with evolving privacy regulations, tailoring their monitoring practices to ensure compliance with these legal frameworks. The diversity of privacy regulations makes a uniform approach hard to implement. In Europe, however, employee privacy is protected under strict rules through the General Data Protection Regulation (GDPR). The GDPR sets out who may process personal data and on what lawful basis, what rights data subjects have over it, and for how long data on employees (and customers) may be retained; it also leaves room for member states to lay down more specific rules for processing in the employment context.
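The two points above, proportionality in what UEBA monitoring collects and a bounded retention period under the GDPR, can be built into the monitoring pipeline itself rather than left to policy alone. The following is an added example written for this page, not code from the original article or from any vendor product. It pseudonymises the employee identity with a keyed HMAC before events reach the analytics store, drops fields outside the monitoring scope (such as MDM geolocation), purges events older than a retention window, runs a toy behavioural rule over the pseudonymised data, and confines re-identification to a separate register that records a justification. The key, the 90-day window, the field list and the sample events are all assumptions constructed for the example.

```python
"""Pseudonymised, retention-bounded activity log for behaviour analytics (added example)."""
import hashlib
import hmac
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: in production the key lives in a secrets store, separate from the
# analytics data, so someone holding only the events cannot recover identities.
PSEUDONYM_KEY = b"demo-only-key-replace-with-managed-secret"

# Data minimisation: only these fields reach the analytics store. Anything else
# collected at the endpoint (e.g. an MDM agent's "geo" field) is dropped first.
RETAINED_FIELDS = ("ts", "subject", "action", "resource")
RETENTION = timedelta(days=90)  # assumption: a documented retention period


def pseudonymise(user_id, key=PSEUDONYM_KEY):
    """Deterministic keyed pseudonym: the same user always maps to the same token,
    so per-subject baselines still work, but the token is not the identity."""
    return hmac.new(key, user_id.lower().encode(), hashlib.sha256).hexdigest()[:16]


def minimise(raw_event):
    """Replace the identity with a pseudonym and keep only in-scope fields."""
    ev = dict(raw_event)
    ev["subject"] = pseudonymise(ev.pop("user"))
    return {k: ev[k] for k in RETAINED_FIELDS}


def purge_expired(events, now, retention=RETENTION):
    """Enforce the retention period: anything older than the window is discarded."""
    cutoff = now - retention
    return [e for e in events if e["ts"] >= cutoff]


def bulk_download_outliers(events, threshold=3):
    """Toy UEBA rule: subjects whose 'download' count exceeds the threshold.
    Operates on pseudonyms only; analysts never see usernames here."""
    counts = Counter(e["subject"] for e in events if e["action"] == "download")
    return {s: n for s, n in counts.items() if n > threshold}


class ReidentificationRegister:
    """Re-identification happens only here, with a recorded justification."""

    def __init__(self):
        self._index = {}  # pseudonym -> user_id, kept with the key, not the events
        self.audit = []   # (requester, pseudonym, justification)

    def enrol(self, user_id):
        self._index[pseudonymise(user_id)] = user_id

    def resolve(self, pseudonym, requester, justification):
        if not justification.strip():
            raise PermissionError("re-identification requires a recorded justification")
        self.audit.append((requester, pseudonym, justification))
        return self._index[pseudonym]


# Constructed sample input: a burst of downloads by one user, normal activity
# by another, and one event that falls outside the retention window.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
RAW_EVENTS = [
    {"ts": NOW - timedelta(days=d), "user": "alice", "action": "download",
     "resource": "crm-export.csv", "geo": "51.50,-0.12"} for d in (1, 2, 3, 4)
] + [
    {"ts": NOW - timedelta(days=2), "user": "Bob", "action": "download",
     "resource": "handbook.pdf", "geo": "53.48,-2.24"},
    {"ts": NOW - timedelta(days=3), "user": "bob", "action": "login",
     "resource": "vpn", "geo": "53.48,-2.24"},
    {"ts": NOW - timedelta(days=120), "user": "bob", "action": "download",
     "resource": "old-report.docx", "geo": "53.48,-2.24"},
]


def run_pipeline(raw_events, now=NOW):
    """Minimise, apply retention, then run analytics over the pseudonymised store."""
    stored = purge_expired([minimise(e) for e in raw_events], now)
    return stored, bulk_download_outliers(stored)


if __name__ == "__main__":
    stored, outliers = run_pipeline(RAW_EVENTS)
    print(f"{len(stored)} events retained, outliers: {outliers}")
    register = ReidentificationRegister()
    register.enrol("alice")
    for pseudonym in outliers:
        print("resolved to", register.resolve(pseudonym, "investigator", "case INV-1"))
    print("audit trail:", register.audit)
```

The design choice worth noting is the split: the analytics store holds only pseudonyms and in-scope fields, while the key and the pseudonym-to-identity index sit with whoever is authorised to run an investigation, so day-to-day analysis is proportionate and re-identification leaves an audit record.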
As such, the challenges of balancing privacy and security in employee monitoring are complex but not insurmountable. In an era where data and employees are both a prized possession and a potential liability, organisations must tread carefully to safeguard their interests without compromising the privacy of their workforce. The Snowden revelations serve as a stark reminder that the ethical considerations surrounding surveillance are integral to the activities of all organisations, not just states. By communicating transparently, establishing a sound and documented basis for monitoring, and adhering to the applicable legal frameworks, organisations can navigate the rough waters of privacy and security, fostering an environment where both can coexist.
Take the Next Step in Insider Threat Mitigation
Concerned about insider threats within your organisation?
Book a meeting with our experts today to develop a tailored strategy that safeguards your organisation's integrity and intellectual property.