When you think about the concept of electronic monitoring, you might imagine draconian measures of so-called “tracking software” that counts your mouse clicks, takes screen captures of your desktop on a regular basis, or logs your idle time. Employers that have not deployed such programs may be tempted to conclude that this new Ontario Electronic Monitoring Policy does not apply to them.
However, electronic monitoring happens continuously at just about every organization, which means that ignoring this new policy requirement would put you at risk. How, you might wonder, is my company monitoring employees without actively trying? Many tools passively monitor your employees and should therefore be included in your policy.
Examples of Passive Electronic Monitoring
Routers/Firewalls: These networking devices typically keep logs of internet activity. This means that the browsing history of each workstation/user is being tracked.
Email Message Trace: There is a feature in Office 365 which allows an administrator to see all messages sent or received by addresses within your corporate domain.
Email Client: An Office 365 administrator can grant access to users’ Outlook mailboxes, meaning that all of their email history and calendar items can be viewed.
Workstation Logs: A built-in Windows feature called Event Viewer tracks installations and even logins/logouts on a workstation.
Antivirus: In order to perform its function, antivirus software must continuously monitor programs and downloads to scan for malicious content. An administrator may have access to a central portal which provides visibility of each workstation’s activity in this regard.
Remote Monitoring and Management Software (RMM): This background program monitors diagnostic information such as RAM usage, operating system, IP address, and online status.
Remote Connection Software: Typically used by IT to provide remote support, this program makes it possible to connect remotely to a system with full access to it.
Mobile Device Management (MDM): This keeps track of installed applications, settings, internet traffic, and physical location of a mobile device.
CCTV/Video Camera Systems: These record video footage and photo snapshots of specific areas, which may be stored digitally.
A Word of Caution
Ensure that your policy does not contain specific names of the software/hardware that your organization is using. There are two reasons for this:
1.) It’s a maintenance nightmare. Any time you make a change to your IT infrastructure, you will need to revise your policy and redistribute it across the organization. Someone will need to constantly monitor changes and update the policy – don’t be surprised if hands don’t go shooting up to volunteer for this chore.
2.) It’s a business risk. Creating and sharing a list of your software/hardware basically provides a roadmap to a potential attacker. They could target specific vulnerabilities to bypass your security or send targeted phishing emails to dupe your employees. Even if you distribute this list internally, there is always a risk that it will get into the wrong hands.
Putting Pen To Paper
With very few exceptions, every organization with 25 or more employees in Ontario should have an electronic monitoring policy to comply with these new Employment Standards Act requirements. While this initiative should be spearheaded by HR, there is obviously a heavy reliance on IT. The examples provided in this article are a solid starting point, but you should have your IT team engaged when creating this policy. If you don’t have a dedicated IT team that can fill this role, feel free to contact us and we can steer you in the right direction.