All e-mail boxes within the organisation are individually encrypted and
password protected with only the individual owner having access to them in
normal circumstances. The main use of e-mail is within the organisation on
a private secure LAN/WAN. Very little INTERNET e-mail. That is why there
is no statement regarding encryption.
The auditing elements in the policy are included to allow the organisation,
if necessary, to conduct investigations into reported abuse of its policies.
Accepting this may be possible under the Section 29 exemptions where crime
is involved, but bearing in mind the nature of the organisation (police) and
the difficulties sometimes in determining the difference between a crime and
breach of policy this 'cover all' seems appropriate.
For information, implementation of the policy was relatively painless with
only 4 current users at the time (out of over 1,000) disputing only one
statement in the policy (the one on audit without reference back to them).
In hindsight it would have been better to have worded that part in a
slightly different way, but at the time of compilation and circulation it
was necessary to stir up thought in the e-mail users.
It has been necessary to access mail boxes under the policy; that has
caused both the production of e-mails to prove abuse and refusal to produce
items in order to protect the privacy of the individual. Any knowledge of
generic guidance or policy on that issue would be very gratefully received.
Ian
----- Original Message -----
From: Terry Street <[log in to unmask]>
To: Ian Welton <[log in to unmask]>; <[log in to unmask]>
Sent: Saturday, May 13, 2000 4:06 PM
Subject: Re: personal mail - encryption and monitoring
> Ian many thanks for the policy however it makes no reference to staff
> using encryption (as recommended by DPC for email containing personal
> information) which is at the heart of my query regarding monitoring.
>
> Can I ask again if anyone has looked at implementing DPC advice re using
> encryption?
>
> Terry
>
> In message <[log in to unmask]>, Ian Welton
> <[log in to unmask]> writes
> >----- Original Message -----
> >From: Terry Street <[log in to unmask]>
> >Sent: Thursday, May 04, 2000 11:10 PM
> >Subject: personal mail - encryption and monitoring
> >
> >
> >> Can anyone advise if I've got the DPC guidance right regarding e-mail.
> >>
> >> It suggests that data controllers and users should use available
> >> technology (e.g. encryption) to protect personal details sent via
> >> e-mail, (see extract below)
> >>
> >>
> >> It is also recommended best practice for organisations to monitor use of
> >> e-mail for cases of mis-use. (this mail list discussed the need for
> >> employees' consent etc..)
> >>
> >> There seems to be a potential problem here:
> >> If an organisation is to monitor e-mail does this imply whoever monitors
> >> the e-mail needs to have the keys so they can inspect encrypted mail to
> >> see if it is appropriate use of the system?
> >>
> >> Can employers legitimately de-crypt staff mail, or if it contained
> >> personal sensitive information would doing so be a breach of Data
> >> Protection Act?
> >>
> >> ......... has anyone considered this and set an appropriate policy?
> >>
> >
> >Terry,
> >
> >Have gone through this process. Attached policy is a compilation of many
> >e-mail policies obtained from within the public sector and commerce which
> >were then amalgamated and tailored to my organisation. You are welcome to
> >adapt it as you find necessary if it answers your needs.
> >
> >With the levels of damages being paid for e-mail abuse you certainly need at
> >the minimum a policy and then some way of, from time to time or upon
> >complaint, checking for compliance.
> >
> >You will note I have done a search and replace, replacing my organisation's
> >name with a string of ............. and also done this replace in the
> >header. The document is otherwise as it is implemented.
> >
> >Sally,
> >
> >You are welcome to publish this policy (as a starter draft) on the site if
> >you consider it to be of use.
> >
> >Ian Welton
> >
> >
> >[ A MIME application / msword part was included here. ]
> >
>
> --
> Terry Street